Blog · May 21, 2026

How Didit Meets DORA: ICT Third-Party Risk for Identity

DORA makes financial entities accountable for the ICT third parties they rely on — including identity providers. Here is how Didit's ISO 27001 certification, SOC 2 Type 1 attestation, and audit-trail posture support a DORA-ready v

By Didit

The Digital Operational Resilience Act (DORA) changed what it means to outsource. From January 2025, financial entities across the EU are directly accountable for the operational resilience of the information and communication technology (ICT) third parties they depend on — and an identity verification provider sitting in the onboarding flow of a bank, an electronic money institution, or a crypto-asset service provider is exactly that kind of ICT third party.

That puts a new question on every procurement call: can you prove your provider is resilient, and can you document that proof for your regulator? This guide explains what DORA requires of ICT third parties, and shows exactly how Didit's certifications, controls, and audit trail support a DORA-ready vendor file.

Key takeaways

  • DORA makes the financial entity accountable for the ICT third parties it uses — identity and fraud providers included. You cannot outsource the responsibility, only the work.
  • Didit is ISO/IEC 27001:2022 certified (Bureau Veritas, ENAC-accredited, certificate nº ES144068, valid until 2027-06-03) — an internationally recognised information security management system that maps directly onto DORA's ICT risk-management expectations.
  • Didit holds a SOC 2 Type 1 attestation (ATOM, as of 2026-04-09) across the Security, Availability, and Confidentiality trust criteria, with a Type 2 examination planned.
  • Every verification leaves an immutable audit trail — statuses, decisions, and webhook events your team can replay for incident reporting and the ICT register.
  • The full identity-and-fraud lifecycle runs on one unified /v3/ API, so resilience, monitoring, and reporting are concentrated with one accountable provider instead of scattered across many.

What DORA requires

DORA is the EU's framework for digital operational resilience in the financial sector. Rather than treating cybersecurity as a side concern, it builds five pillars into a single regulation:

  1. ICT risk management — a documented framework to identify, protect against, detect, respond to, and recover from ICT-related incidents.
  2. ICT incident reporting — classify and report major incidents to competent authorities within set deadlines.
  3. Digital operational resilience testing — regular testing of ICT systems, up to threat-led penetration testing for significant entities.
  4. ICT third-party risk management — the pillar that reaches providers like Didit: due diligence, contractual safeguards, a register of information on every ICT arrangement, and the ability to monitor and exit.
  5. Information sharing — voluntary exchange of cyber-threat intelligence.

The fourth pillar is the one a vendor must answer. DORA expects the financial entity to maintain a register of information describing each ICT third-party arrangement, to perform due diligence before contracting, to secure specific contractual rights (audit, access, sub-outsourcing transparency, exit), and to assess concentration risk. The provider's job is to make all of that easy to evidence.

Why it matters

Identity verification is rarely a peripheral system. It sits on the critical path of customer onboarding — and increasingly of ongoing monitoring through transaction screening. If that function degrades, onboarding stops and revenue stops with it. DORA treats exactly this kind of dependency as something the regulator can ask about.

The practical consequence: when a financial entity adds an identity provider to its ICT register, it needs documented assurance about that provider's security controls, availability commitments, and incident posture. A provider that can hand over recognised certifications and a clean audit trail shortens due diligence from months to days. A provider that cannot becomes a finding.

How Didit helps

Didit's compliance posture is built to slot into a DORA vendor file with evidence, not promises.

ISO/IEC 27001:2022 certification. Didit operates a certified Information Security Management System (ISMS). The certificate — Bureau Veritas Certification, ENAC-accredited, cert nº ES144068, originally certified 2026-04-07 and valid until 2027-06-03, issued to DIDIT IDENTITY SPAIN S.L. — covers the development, operation, and technical support of the Didit digital identity solution. ISO 27001 is the international baseline for ICT risk management: it requires a documented framework, defined controls, risk assessment, and continual improvement — the same disciplines DORA's first pillar expects of the entities relying on Didit. The certificate is distributable, so it can go straight into the register file.

SOC 2 Type 1 attestation. Didit holds a SOC 2 Type 1 report from ATOM (an independent service auditor under the AICPA SOC for Service Organizations framework), attesting to the design of controls across Security, Availability, and Confidentiality as of 2026-04-09. Availability is the criterion DORA cares about most for a critical onboarding dependency. A Type 2 examination — which tests operating effectiveness over a period — is planned. The full SOC 2 report is restricted-use under AICPA rules and is shared with prospects and customers under NDA; Didit references it here rather than publishing its contents.

Audit trail and incident evidence. Every verification, every transaction-monitoring decision, and every status change is recorded and exposed through the unified /v3/ API and webhooks (session.status.updated, transaction.status.updated, and related events). That gives a financial entity a replayable, timestamped record it can fold into its own incident-reporting and resilience-testing obligations — and a clear data flow to document in the register.
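As an added example (not Didit's code), here is how a financial entity could persist the session.status.updated and transaction.status.updated webhook events named above into a tamper-evident, replayable local log of its own, so that an incident timeline can be reconstructed for DORA reporting and any later edit to the record is detectable. The page does not specify the webhook payload, so the "event", "timestamp", "subject_id" and "status" keys and the sample events are assumptions constructed for the example.

```python
"""Tamper-evident audit log for identity-provider webhook events.

Added example, not Didit code. The webhook event names come from the page;
the payload keys ("event", "timestamp", "subject_id", "status") and the
sample events below are assumptions, not Didit's real schema.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _canonical(event: dict) -> str:
    # Deterministic serialisation so the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor, forming a hash chain.
    return hashlib.sha256((prev_hash + _canonical(event)).encode("utf-8")).hexdigest()


@dataclass
class AuditLog:
    """Append-only, hash-chained record of received webhook events."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _entry_hash(prev, event)
        self.entries.append({"prev": prev, "event": dict(event), "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or _entry_hash(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def replay(self, start: str, end: str, subject_id: Optional[str] = None) -> list:
        """Events with start <= timestamp <= end (ISO-8601 UTC strings compare
        lexicographically), optionally narrowed to one session or transaction."""
        return [
            e["event"] for e in self.entries
            if start <= e["event"]["timestamp"] <= end
            and (subject_id is None or e["event"]["subject_id"] == subject_id)
        ]


# Constructed sample events (assumed payload shape, not Didit's real schema).
SAMPLE_EVENTS = [
    {"event": "session.status.updated", "timestamp": "2026-05-20T09:00:00Z",
     "subject_id": "sess_demo_1", "status": "in_review"},
    {"event": "session.status.updated", "timestamp": "2026-05-20T09:02:00Z",
     "subject_id": "sess_demo_1", "status": "approved"},
    {"event": "transaction.status.updated", "timestamp": "2026-05-20T09:30:00Z",
     "subject_id": "txn_demo_7", "status": "flagged"},
    {"event": "transaction.status.updated", "timestamp": "2026-05-20T11:15:00Z",
     "subject_id": "txn_demo_7", "status": "cleared"},
]


def build_log(events: list) -> AuditLog:
    """Ingest events in arrival order, as a webhook receiver would."""
    log = AuditLog()
    for ev in events:
        log.append(ev)
    return log


def tampering_is_detected(events: list) -> bool:
    """Alter one recorded status after the fact and confirm verify() fails."""
    log = build_log(events)
    log.entries[1]["event"]["status"] = "rejected"
    return not log.verify()


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("chain intact:", log.verify())
    for ev in log.replay("2026-05-20T09:00:00Z", "2026-05-20T10:00:00Z"):
        print(ev["timestamp"], ev["event"], ev["subject_id"], ev["status"])
    print("tampering detected:", tampering_is_detected(SAMPLE_EVENTS))
```

The replay window is what an incident report needs: the entity can hand a regulator the ordered events for one session or transaction during the incident, and the chain hash lets it show the record was not altered after the fact. Periodically anchoring the latest chain hash somewhere the log writer cannot modify (a ticket, a signed note, another system) turns detection of tampering into detection of truncation as well.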

One accountable provider. Because identity, business verification, AML screening, transaction monitoring, and wallet screening all run on the same /v3/ API, a financial entity concentrates a critical function with a single, certified ICT third party rather than wiring together several. Fewer arrangements in the register, one contractual relationship to govern, one set of certifications to maintain.

Deep dive: building the ICT register entry for Didit

A DORA register of information entry for an identity provider typically needs to capture the function provided, its criticality, the contractual safeguards, and the assurance evidence. With Didit, that maps cleanly:

DORA register element and what Didit supplies:

  • ICT service description: Identity verification (KYC), business verification (KYB), AML screening, transaction monitoring, wallet screening — unified /v3/ API
  • Criticality / function supported: Customer onboarding and ongoing monitoring — typically a critical or important function
  • Security assurance: ISO/IEC 27001:2022 certificate nº ES144068 (distributable)
  • Operational assurance: SOC 2 Type 1 (Security, Availability, Confidentiality), as of 2026-04-09 (under NDA)
  • Data location / processing: Documented in the data processing agreement; EU entity DIDIT IDENTITY SPAIN S.L.
  • Audit / access rights: Contractual audit rights; full API audit trail and webhook event log
  • Exit / portability: Standard API export of session and transaction records

The certifications do the heavy lifting on the assurance rows. Didit's documentation and security hub at didit.me/security-compliance is the single place to collect the artifacts your due-diligence team needs.

Use cases

  • EU banks and EMIs adding remote onboarding without expanding their ICT register footprint — one certified provider, one arrangement.
  • Crypto-asset service providers under MiCA, which also fall under DORA, needing both onboarding and transaction monitoring from a resilient third party.
  • Payments institutions that must evidence the availability and security of an onboarding dependency to a competent authority on request.
  • Compliance and procurement teams that want certifications and audit evidence handed over up front, not chased during an examination.

Frequently asked questions

Does DORA apply to identity verification providers directly?

DORA's obligations fall on the financial entity, but they reach ICT third parties like identity providers through the third-party risk-management pillar. The financial entity must perform due diligence, secure contractual rights, and register the arrangement — which means the provider must be able to evidence its resilience.

Is Didit ISO 27001 certified?

Yes. Didit holds an ISO/IEC 27001:2022 certificate (Bureau Veritas, ENAC-accredited), cert nº ES144068, valid until 2027-06-03, issued to DIDIT IDENTITY SPAIN S.L. The certificate is distributable for your vendor file.

Is Didit SOC 2 certified?

Didit holds a SOC 2 Type 1 attestation (ATOM) across Security, Availability, and Confidentiality, as of 2026-04-09. A SOC 2 Type 2 examination is planned. The full report is shared under NDA.

Can I get an audit trail for DORA incident reporting?

Yes. Every verification and transaction-monitoring event is recorded and exposed via the /v3/ API and webhooks, giving you a replayable, timestamped record for incident reporting and resilience documentation.

Where do I get the certification documents?

Start at the Didit security and compliance hub at didit.me/security-compliance. The ISO 27001 certificate is distributable; the SOC 2 Type 1 report is shared under NDA.

Ready to get started?

See Didit's full attestation stack on the security and compliance hub, explore how identity verification fits an EU onboarding flow on the ID Verification product page, and review transparent per-check pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, on the same unified /v3/ API your DORA register will document.
