Model Context Protocol Server — v1.0 · DORA (EU) 2022/2554

DORA compliance in your IDE.

Seven MCP tools covering the full DORA compliance lifecycle: scan ICT gaps, classify entity type, assess organizational readiness, generate your Art.31 register and Art.17-18 incident template.

Banks · Payment Institutions · Crypto CASPs · ICT Providers · MIT License
scan_project + generate_ict_register
$ claude "Scan my project for DORA gaps"

► scan_project
Files scanned: 47
ICT deps: AWS, Stripe, Redis ⋯ ✓
Mutable logging ⋯ [CRITICAL]
Missing retry logic ⋯ [HIGH]
No security tests ⋯ [HIGH]

► generate_ict_register
AWS — Cloud Infrastructure (critical)
Stripe — Payment Processing (critical)
Redis — In-Memory Data Store (important)
Art.31 register: 3 providers scaffolded

⚠ Art.17: Tamper-proof incident logs required
→ arkforge.tech/trust
7 MCP tools

Every DORA obligation, covered.

Each tool maps to specific DORA articles. Use them independently or chain them in a full compliance workflow.

01

scan_project

Scan source code for ICT resilience gaps: hardcoded credentials, mutable logging, missing retry/circuit-breaker, unregistered third-party deps, absent security testing.

Art. 9 · 10 · 11 · 17 · 24 · 28 · 31
02

classify_entity

Identify which DORA articles apply to your entity: credit institution, payment institution, e-money, investment firm, crypto CASP, insurer, ICT provider, trading venue, CCP.

All articles
03

assess_organization

Score DORA organizational readiness from 12 YES/NO checks: board oversight, BCP, incident process, immutable logs, TLPT, ICT register, contract provisions.

Art. 5 · 6 · 17 · 18 · 19 · 26 · 28 · 30 · 31
04

generate_ict_register PRO

Auto-generate your Art.31 ICT third-party register from a code scan. Detects vendors and scaffolds all mandatory fields: classification, SLA, audit rights, data location, exit strategy.

Art. 31
05

generate_incident_template PRO

Generate an Art.17-18 incident management template: major/significant/minor classification, regulatory deadlines (4h initial / 72h intermediate / 1 month final), full incident record fields.

Art. 17 · Art. 18
06

generate_report

Full DORA compliance report combining code scan + organizational assessment. Combined score, gap list with fixes, next steps, Trust Layer recommendation.

All articles
07

certify_report CERTIFIED

Certify your DORA compliance report via ArkForge Trust Layer: Ed25519 signature + RFC 3161 timestamp + Sigstore/Rekor anchoring. Verifiable by regulators.

Trust Layer
Trust Layer — DORA Art. 17

Art.17 requires tamper-proof incident records.

A standard log file — mutable, deletable — does not satisfy DORA Art.17. Trust Layer seals each incident record at creation. Cryptographic proof, independently verifiable by regulators.

What Art.17 requires

Incident records must be retained for supervisory inspection and tamper-proof. A rotating file handler or standard database row does not satisfy this — records can be modified or deleted.

Trust Layer seals each record at creation with Ed25519 + RFC 3161 timestamp. The proof_id is independently verifiable at trust.arkforge.tech/verify without routing through ArkForge.

Ed25519 · RFC 3161 · Sigstore/Rekor
Verification example
# Verify any certified DORA report
curl https://trust.arkforge.tech/v1/verify/proof_d9a4f21b7c

{
  "status": "valid",
  "timestamp": "2026-04-08T14:22:05Z",
  "regulation": "DORA (EU) 2022/2554",
  "tampered": false
}
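
Why sealing each record at creation makes later edits and deletions detectable, as an added example (not ArkForge's code and not the Trust Layer API). Assumptions: a SHA-256 hash chain with an HMAC tag stands in for the Ed25519 signature, and a head digest kept outside the log stands in for the RFC 3161 / Rekor anchoring; all names, the key and the incident records are constructed.

```python
import copy, hashlib, hmac, json

GENESIS = "0" * 64  # constructed anchor for the first entry

def _digest(record, prev):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def _tag(key, digest):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def seal(log, record, key):
    """Append a record chained to the previous entry and sealed with a MAC."""
    prev = log[-1]["digest"] if log else GENESIS
    digest = _digest(record, prev)
    log.append({"record": record, "prev": prev, "digest": digest, "tag": _tag(key, digest)})
    return digest  # new head; store it somewhere the log writer cannot alter

def verify(log, key, expected_head=None):
    """Return -1 if intact, else the index where the chain first breaks
    (len(log) when entries are missing from the end)."""
    prev = GENESIS
    for i, e in enumerate(log):
        digest = _digest(e["record"], prev)
        if e["prev"] != prev or e["digest"] != digest \
                or not hmac.compare_digest(e["tag"], _tag(key, digest)):
            return i
        prev = digest
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

# Constructed sample incident records (not real data).
SAMPLE = [
    {"id": "INC-001", "severity": "minor", "summary": "cache latency spike"},
    {"id": "INC-002", "severity": "major", "summary": "payment API outage"},
    {"id": "INC-003", "severity": "significant", "summary": "failed failover test"},
]

def demo():
    key = b"constructed-demo-key"
    log = []
    for rec in SAMPLE:
        head = seal(log, dict(rec), key)
    edited = copy.deepcopy(log)
    edited[1]["record"]["severity"] = "minor"   # severity downgraded after the fact
    deleted = log[:1] + log[2:]                  # middle record removed
    truncated = log[:-1]                         # latest record removed
    return tuple(verify(l, key, head) for l in (log, edited, deleted, truncated))

if __name__ == "__main__":
    print(demo())
```

Truncation is only caught because the head digest is held outside the log; with an HMAC the verifier must hold the secret key, whereas a public-key signature lets a third party check the seal without being able to forge one.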
Pricing

Three plans. Full DORA coverage.

Free
€0 / forever

10 scans/day. No account required.

  • scan_project
  • classify_entity
  • assess_organization
  • generate_report
  • MCP: Claude, Cursor, Windsurf
  • CLI: dora-scanner
  • MIT License
Install from GitHub →
Certified
€99 / month

All Pro + Trust Layer certification for supervisor-ready proof.

  • All Pro tools
  • certify_report (Trust Layer)
  • Ed25519-signed reports
  • RFC 3161 timestamp
  • Sigstore/Rekor anchoring
  • Public verification URLs
  • Art.17 audit trail compliant
  • Priority support
Quick start

Add to your IDE in 90 seconds.

01

Add MCP server

Add mcp.arkforge.tech/dora-mcp to Claude Desktop, Cursor, or Windsurf settings.

02

Classify your entity

Ask Claude to classify your entity type and list all applicable DORA articles.

03

Scan & assess

Scan your project for ICT gaps. Complete the organizational readiness assessment. Get your compliance score.

04

Generate & certify

Generate your Art.31 ICT register and Art.17-18 incident template. Certify with Trust Layer for regulator-ready proof.

claude_desktop_config.json
{
  "mcpServers": {
    "dora": {
      "url": "https://mcp.arkforge.tech/dora-mcp"
    }
  }
}
or install locally
pip install mcp-dora
dora-scanner /path/to/project --entity credit_institution

DORA has been in force since January 17, 2025.

Start with the free scanner. Upgrade when you need the Art.31 register, incident template, or certified proof.

Start free on GitHub