# DORA — Financial-Sector Customer Considerations

Regulation (EU) 2022/2554 — the **Digital Operational Resilience Act**, or **DORA** — is the European Union's framework for the digital operational resilience of the financial sector. It has applied since **January 17, 2025**. Unlike a directive, DORA is a regulation and applies directly, without national transposition.

This page explains how DORA relates to Flopsar. It is written primarily for **customers in the financial sector** who are subject to DORA and who operate, or plan to operate, Flopsar as part of their information and communication technology (ICT) estate.

## Scope and an important clarification

DORA applies to two groups: **financial entities** — around twenty categories including credit institutions, payment institutions, insurance undertakings, investment firms, crypto-asset service providers, trading venues, and central counterparties — and **ICT third-party service providers**, to the extent that they provide ICT services to financial entities. The most systemically significant of those providers may be designated as **critical ICT third-party service providers** and placed under the direct oversight of the European Supervisory Authorities.

Two clarifications determine everything else on this page:

* **Flopsar Technology Sp. z o.o. is not a financial entity.** It is therefore not subject to DORA in that capacity.
* **Flopsar Technology Sp. z o.o. is not, and is highly unlikely to be, a designated critical ICT third-party service provider.** That designation is reserved for providers whose failure would have a systemic impact on the Union's financial system — typically large cloud platforms and core banking systems. A monitoring tool for JVM applications does not meet the criticality criteria of Article 31 of the Regulation. Flopsar Technology Sp. z o.o. is therefore **not** under the direct oversight of the European Supervisory Authorities.

What this page does is explain how DORA reaches Flopsar Technology Sp. z o.o. **indirectly**, through its financial-sector customers, and how the product and its documentation help those customers meet their own DORA obligations.

{% hint style="info" %}
**Flopsar is a tool, not a guarantee of DORA compliance.** Deploying Flopsar does not, by itself, make a financial entity DORA-compliant. DORA compliance is achieved through the financial entity's own ICT risk-management framework, of which a tool such as Flopsar may form one supporting part.
{% endhint %}

## How DORA reaches Flopsar Technology Sp. z o.o.

Although Flopsar Technology Sp. z o.o. is neither a financial entity nor a critical ICT third-party service provider, DORA still shapes the relationship between Flopsar Technology Sp. z o.o. and its financial-sector customers, because those customers must manage the risk arising from their ICT third-party service providers.

Whether the licensing of Flopsar amounts to an "ICT service" within the meaning of Article 3(21) of the Regulation depends on the facts. A perpetual license to use on-premise software, on its own, sits at the edge of that definition. However, the ongoing provision of maintenance and security updates — described in Support & Maintenance Lifecycle — is an ongoing relationship that most financial entities will treat as bringing Flopsar Technology Sp. z o.o. within the contractual requirements of Articles 28 to 30 of the Regulation, as a **non-critical** ICT third-party service provider.

Flopsar Technology Sp. z o.o. supports its financial-sector customers on that basis. The remainder of this page describes how.

## Support for ICT third-party risk management (Articles 28–30)

Articles 28 to 30 of DORA require a financial entity to manage the risk arising from its ICT third-party service providers, including through specific contractual arrangements. Each obligation remains the financial entity's responsibility; the notes below describe how Flopsar and the documentation published by Flopsar Technology Sp. z o.o. **support** the customer in meeting it.

**Assessment before contracting.** Before entering into a contractual arrangement, the financial entity must assess the provider and the ICT service. Flopsar Technology Sp. z o.o. supports this assessment with its openly published security and compliance documentation, in particular the Cyber Resilience Act compliance matrix, the EU Declaration of Conformity, the Third-party Components & SBOM, and the Security section.

**Register of information.** The financial entity must maintain a register of all of its ICT third-party arrangements and report it to the competent authority. The information typically needed about Flopsar Technology Sp. z o.o. is consolidated in Section 5 of this page so that it can be entered into the register directly.

**Contractual content (Article 30).** DORA prescribes the provisions that must appear in the contract with an ICT third-party service provider. Flopsar Technology Sp. z o.o. addresses these in the commercial agreement with each customer, supported by the public documentation referenced throughout this page. The relevant areas include:

* a clear description of the service and of the functions it supports;
* the locations where data is processed — for an on-premise deployment, this is the customer's own infrastructure (see Section 4);
* provisions on the security of data and on access, recovery, and return of data;
* service-level descriptions and their updates;
* assistance in the event of an ICT incident, on the terms of the applicable support agreement;
* rights of access, inspection, and audit for the financial entity and for its competent authority;
* termination rights and the customer's exit strategy (see Section 4);
* the conditions for subcontracting, where applicable.

**Right of access, inspection, and audit.** Financial entities require the ability to audit their ICT third-party service providers. Flopsar Technology Sp. z o.o. supports this both through the audit provisions of the commercial agreement and through documentation that reduces the need for on-site audits — including, on request and under the applicable agreement, summaries of external penetration tests and a description of the secure development lifecycle.

**Incident assistance.** DORA requires ICT third-party service providers to assist financial entities in handling ICT-related incidents. Flopsar Technology Sp. z o.o. operates the vulnerability handling and advisory processes described in the Vulnerability Disclosure Policy and Security Advisories, and provides incident assistance on the terms of the applicable support agreement.

## Exit strategy and the advantage of an on-premise deployment

DORA places particular weight on the ability of a financial entity to exit a contractual arrangement with an ICT third-party service provider without undue disruption — the **exit strategy**. The on-premise nature of Flopsar is a significant advantage here.

* The product runs entirely within the customer's own infrastructure. There is no hosting, no remote-management channel, and no "phone home" telemetry. See Privacy & Data Handling.
* The customer's monitored applications do not depend on Flopsar to function. If the customer chooses to stop using Flopsar, the agent can be removed from the JVM and the monitored applications continue to run unaffected.
* There is no operational dependency on infrastructure operated by Flopsar Technology Sp. z o.o. The continued operation of a Flopsar deployment does not require any service from Flopsar Technology Sp. z o.o. beyond the security updates that the customer chooses to apply.

These properties mean that the concentration risk and the exit risk that DORA is concerned with are materially lower for an on-premise product such as Flopsar than for a hosted or cloud-delivered service. The procedure for removing a Flopsar deployment is documented in Decommissioning & Secure Data Erasure.

## Information for the register of information

The following information is provided to help a financial-sector customer populate its DORA register of information and its ICT third-party risk assessment. Customers should confirm each item against their own deployment and the applicable commercial agreement.

* **Provider.** Flopsar Technology Sp. z o.o., established in Poland (European Union). Full identification details are on the Contact page.
* **Service.** Licensing, maintenance, and security updates for Flopsar, a fault detection and diagnosis platform for JVM applications.
* **Delivery model.** On-premise software, deployed and operated entirely within the customer's own infrastructure.
* **Data access by the provider.** None during normal operation. Flopsar Technology Sp. z o.o. has no remote access to the deployment and does not receive operational data from it.
* **Data location.** Determined solely by the customer, within the customer's own infrastructure.
* **Subcontractors involved in service delivery.** None for the on-premise product itself. Third-party software components included in the product are inventoried in the Third-party Components & SBOM.
* **Whether the service supports a critical or important function.** This is determined by the customer, based on how the customer uses Flopsar within its environment. Flopsar Technology Sp. z o.o. does not make this determination on the customer's behalf.
* **Support period and security-update commitment.** As set out in Support & Maintenance Lifecycle.
* **Conformity.** Cyber Resilience Act conformity as described in the EU Declaration of Conformity and the CRA compliance matrix.

## Relationship between DORA and NIS2

For a financial entity, DORA is **lex specialis** in relation to the NIS2 Directive for matters of ICT risk management: where DORA and NIS2 would otherwise both apply, the ICT risk-management and incident-reporting requirements of DORA take precedence (Article 1(2) of DORA and Article 4 of NIS2).

In practice, this means that a customer in the financial sector will frame its requirements toward Flopsar Technology Sp. z o.o. in the language of DORA Articles 28 to 30, rather than in the language of NIS2 Article 21. Customers that are not financial entities should refer instead to NIS2 — Customer Operator Considerations.


