DORA Regulation — Articles 5, 6, and 19
D3 Morpheus — The Accountable Autonomous SOC
Autonomous. Audited. Defensible.
4 hours
ICT initial notification to the competent authority — Article 19(4)(a)
72 hours
Intermediate report with progress and impact updates — Article 19(4)(b)
1 month
Final report with root-cause analysis — Article 19(4)(c)
1 trail
The same audit artifact produces evidence for all three obligations
Built for the regulated SOC that can’t hire its way out of the alert volume — and can’t accept AI it can’t defend. Morpheus automates L1 triage on every alert and keeps going to L2 deep investigation. Up to 95% of alerts triaged and L2-investigated in under two minutes. Every decision traceable in one regulator-readable audit trail across all four autonomy levels. Built for SEC Item 1.05, NYDFS Part 500, HIPAA 45 CFR 164.312, NERC CIP-008-6, OCC 36-hour notification, NIS2, DORA, and BSI C5 evidence demands.
Morpheus does the L1 work — classification, enrichment, prioritization — and keeps going to L2 deep investigation. Attack Path Discovery, D3’s investigation engine, traces the attack across identities, endpoints, cloud, and email infrastructure. It reaches back through 90 days of telemetry. It maps blast radius. It drafts the remediation. Morpheus does the legwork. Your analyst does the analysis.
Choose the level. Same engine, same audit format, no architectural fork:
Level 1 — Deterministic. No AI in the chain.
Level 2 — AI-Assisted. You approve every action.
Level 3 — AI-Led. The Adaptive Tasking copilot drafts; you oversee each command-risk tier.
Level 4 — Autonomous. End-to-end triage and remediation.
Pick the mode that fits your environment, regulator, or MSSP customer. Morpheus arrives pre-trained, then self-learns from your team’s best practices, threat and vulnerability reports, and your SOPs. Predictable annual subscription across all four autonomy levels.
A full package — AI SOC, SOAR, and case management — with one control panel for triage, investigation, vulnerability triage, trend reporting, and compliance. One audit trail per incident — every action, every decision, every task, system or human, fully auditable, nothing hidden. Not a black box. Not a fleet of agents to reconcile. The trail maps to SEC, NYDFS, HIPAA, NERC CIP, NIS2, DORA, BSI C5, and the EU AI Act. 800+ self-healing integrations that fix themselves when vendors push API changes. Trusted by Fortune 500 enterprises and the world’s largest MSSPs.
What DORA Requires
Articles 5, 6, and 19 — Governance, the Framework, and the Reporting Clock
Three articles do most of the operational work. Article 5 places accountability on the management body. Article 6 sets the framework. Article 19 sets the clock.
Article 5 — Governance and Organizational Arrangements
Article 5 places ultimate responsibility for ICT risk on the management body of the financial entity. The management body must define, approve, oversee, and be accountable for the implementation of the ICT risk-management framework. It allocates budget, sets the entity’s risk tolerance, approves the digital operational resilience strategy, reviews ICT-related policies, and ensures clear roles and responsibilities for ICT functions. Members of the management body are required to actively keep current knowledge and skills sufficient to understand and assess ICT risk and its impact on operations.
Morpheus produces evidence at that altitude. Every escalation, every approval, every remediation is recorded in plain language, suitable for a management body or ICT risk committee. The four-level autonomy model lets the management body bound where AI may act independently and where a human must approve. The audit trail records which mode was active at every step.
Article 6 — ICT Risk Management Framework
Article 6 requires a comprehensive, well-documented ICT risk-management framework integrated into the entity’s overall risk-management system. The framework must cover identification, protection and prevention, detection, response and recovery, learning and evolving, and communication. It must be reviewed at least annually, on the occurrence of major ICT-related incidents, and after supervisory instructions or conclusions from digital operational resilience testing.
Morpheus addresses detection, response, recovery, and the evidentiary side of the framework directly. Attack Path Discovery is the detection and investigation engine. The Cybersecurity Triage Reasoning Graph constrains every reasoning step. The deterministic SOAR runbook underneath produces the documentation a supervisor expects when the framework is reviewed: who saw the incident, when, at what autonomy level, with what evidence, and with what outcome.
Article 19 — Reporting of Major ICT-Related Incidents
Article 19 sets a three-stage clock for major ICT-related incidents. A 4-hour initial notification to the competent authority once the incident is classified as major (and no later than 24 hours after detection). A 72-hour intermediate report with progress on classification, impact, and remediation. A 1-month final report covering root-cause analysis, applied mitigations, and lessons learned. Financial entities may also voluntarily notify significant cyber threats. Where the incident materially affects clients, Article 19 requires the entity to communicate with those clients on actions taken.
The fields a competent authority expects at each stage come from the same continuous audit trail Morpheus produces during the investigation. The 4-hour initial notification, the 72-hour intermediate report, and the 1-month final report read from one source — not three reconstructions across separate tools.
4-Hour Initial Notification
Classification as major, initial impact estimate, suspicion of malicious cause, and cross-entity contagion view. Morpheus surfaces these from the L2 investigation that completed in under two minutes — not from a forensic effort that begins after the alarm.
72-Hour Intermediate Report
Progress on classification, refined impact, remediation status, and any client-facing communications. The Morpheus trail records the indicators of compromise Attack Path Discovery surfaced, the systems within blast radius, and the analyst approvals against each command-risk tier.
1-Month Final Report
Root-cause analysis, applied and ongoing mitigations, and lessons learned. The trail is the report’s spine. Morpheus exports it in a format the competent authority, the management body, and external counsel can all read.
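The three-stage clock described above, worked through as an added example that is not D3’s or Morpheus’s code: it derives the deadlines from timestamps in one chronological trail, applying the 24-hour cap on the initial notification explicitly. The event names are constructed for the example, and anchoring the final report to the intermediate report and reading “1 month” as 30 days are assumptions the page does not make.

```python
from datetime import datetime, timedelta

# Deadlines named on the page. Anchoring the final report to the intermediate report
# and reading "1 month" as 30 days are assumptions made for this example, not page facts.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)
SUBMISSION_EVENT = {"initial": "initial_notification_sent",      # constructed event names
                    "intermediate": "intermediate_report_sent",  # under which each stage's
                    "final": "final_report_sent"}                # submission is recorded


def event_times(trail: list[dict]) -> dict[str, datetime]:
    """First timestamp per event name; entries are {"event": str, "ts": ISO-8601 UTC}."""
    times: dict[str, datetime] = {}
    for entry in trail:
        times.setdefault(entry["event"], datetime.fromisoformat(entry["ts"].replace("Z", "+00:00")))
    return times


def article19_deadlines(trail: list[dict]) -> dict:
    """Derive the three Article 19 deadlines from one chronological trail."""
    t = event_times(trail)
    detected, classified = t["alert_detected"], t["classified_major"]
    if classified < detected:
        raise ValueError("classification cannot precede detection")
    # 4 hours from classification as major, but never later than 24 hours after detection.
    initial_due = min(classified + INITIAL_AFTER_CLASSIFICATION,
                      detected + INITIAL_CAP_AFTER_DETECTION)
    initial_sent = t.get(SUBMISSION_EVENT["initial"])
    intermediate_sent = t.get(SUBMISSION_EVENT["intermediate"])
    return {
        "initial": initial_due,
        "intermediate": initial_sent + INTERMEDIATE_AFTER_INITIAL if initial_sent else None,
        "final": intermediate_sent + FINAL_AFTER_INTERMEDIATE if intermediate_sent else None,
    }


def late_stages(trail: list[dict]) -> list[str]:
    """Stages whose submission, as recorded in the trail, came after its deadline."""
    due, t = article19_deadlines(trail), event_times(trail)
    return [stage for stage, event in SUBMISSION_EVENT.items()
            if due[stage] is not None and event in t and t[event] > due[stage]]


# Constructed sample trail: classification came 22 hours after detection, so the 24-hour cap binds.
SAMPLE_TRAIL = [
    {"event": "alert_detected", "ts": "2025-03-01T08:00:00Z"},
    {"event": "classified_major", "ts": "2025-03-02T06:00:00Z"},
    {"event": "initial_notification_sent", "ts": "2025-03-02T07:30:00Z"},
    {"event": "intermediate_report_sent", "ts": "2025-03-05T06:00:00Z"},
]
```

Running `late_stages(SAMPLE_TRAIL)` against the sample returns an empty list; a trail whose initial notification lands after the capped deadline returns `["initial"]`.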
Beyond Compliance: How the Same Trail Serves Other Stakeholders
The audit trail Morpheus produces for DORA compliance is the same trail your financial entity can rely on outside the regulatory context.
Legal review. Litigation discovery, internal investigations, and external counsel review all need a defensible record of who did what, when, and why. The Morpheus trail surfaces every system action, every AI decision, every analyst approval — chronologically ordered, immutable, exportable.
Executive and board oversight. Audit committees, risk committees, and the C-suite increasingly want documented evidence of how cybersecurity decisions get made. The Morpheus trail produces the artifact: every escalation, every approval, every remediation — readable by a non-SOC stakeholder.
MSSP customer reporting. If your financial entity works with an MSSP partner running Morpheus across your tenant, the trail is the artifact your MSSP shares with you as proof-of-investigation. The same trail your competent authority reads is the trail you receive from your service provider.
The architecture is the same in every case. The audience changes; the artifact does not.
Further reading: Mythos & EU Regulatory Comparison whitepaper.
DORA — Common Questions
Eight questions from financial entities, ICT third-party providers, and counsel preparing for Article 19 reporting.
What is DORA and which financial entities does it apply to?
DORA (Regulation (EU) 2022/2554, the Digital Operational Resilience Act) sets a single EU-wide framework for ICT risk management and operational resilience across the financial sector. It applies from 17 January 2025 to banks, payment institutions, e-money institutions, investment firms, crypto-asset service providers, central counterparties, trading venues, trade repositories, insurance and reinsurance undertakings, crowdfunding service providers, credit rating agencies, securitisation repositories, asset managers, and the ICT third-party service providers that serve them. Critical ICT third-party providers fall under direct oversight by a designated Lead Overseer at the ESAs.
What does DORA Article 5 require?
Article 5 places ultimate responsibility for ICT risk on the management body. The management body must define, approve, oversee, and be accountable for the financial entity’s ICT risk-management framework. It must allocate budget, set the risk tolerance, approve the digital operational resilience strategy, review ICT-related policies, and ensure clear roles and responsibilities for ICT functions. Members of the management body must actively keep current knowledge and skills sufficient to understand and assess ICT risk and its impact on operations.
What does DORA Article 6 require for the ICT risk management framework?
Article 6 requires a comprehensive, well-documented ICT risk-management framework integrated into the entity’s overall risk-management system. The framework must include strategies, policies, procedures, ICT protocols, and tools needed to protect information and ICT assets — covering risk identification, protection and prevention, detection, response and recovery, learning and evolving, and communication. It must be reviewed at least annually, on the occurrence of major ICT-related incidents, and after supervisory instructions or conclusions from digital operational resilience testing.
What does DORA Article 19 require for incident reporting?
Article 19 sets a three-stage clock for major ICT-related incidents. An initial notification to the competent authority within 4 hours of classification as major (and no later than 24 hours after detection). An intermediate report within 72 hours of the initial notification with progress and impact updates. A final report within one month covering root-cause analysis, remediation, and lessons learned. Financial entities may also voluntarily notify significant cyber threats. Article 19 also obliges entities to communicate with affected clients when an incident has or could have a material impact on financial interests.
How does D3 Morpheus help meet the 4-hour DORA initial notification?
Morpheus triages every alert at L1 and keeps going to L2 deep investigation, with up to 95% of alerts triaged and L2-investigated in under two minutes. When the investigation indicates a major ICT-related incident under DORA, the same audit trail is the artifact your SOC, ICT risk officer, and counsel use to draft the 4-hour initial notification. Every system action, every AI decision, and every analyst approval is recorded in chronological order — the classification fields, impact estimate, and cross-entity contagion view populate from a single source.
How does Morpheus produce the audit trail DORA supervisors expect?
Morpheus runs bounded reasoning inside deterministic governance. The Cybersecurity Triage Reasoning Graph constrains every reasoning step, and the deterministic SOAR runbook underneath produces one continuous, signed audit trail per incident across all four autonomy levels. The trail is immutable, exportable, and readable by a non-SOC stakeholder. The same artifact produces evidence for the 4-hour, 72-hour, and 1-month obligations under Article 19 and supplies the evidentiary backbone for Article 5 management-body oversight and Article 6 framework documentation. See how the Agentic Task primitive bounds every reasoning step.
Does Morpheus replace our SIEM, or work beside it?
Morpheus runs beside any SIEM — Microsoft Sentinel, Splunk, IBM QRadar, Google Chronicle, Elastic, and others — through Self-Healing Integrations across 800+ vendor connections. Attack Path Discovery traces incidents east-west across the stack (identities, endpoints, cloud, and email infrastructure) and reaches back through 90 days of telemetry. Your SIEM stays your SIEM; Morpheus is the investigation and response layer that produces the DORA trail on top of it.
How is Morpheus priced for financial entities scoped under DORA?
Morpheus is sold as an annual platform subscription sized to your SOC, with included AI investigation capacity designed for normal operations. The same trail format ships across all four autonomy levels and across MSSP multi-tenant deployments, so a financial entity’s artifact does not change as the SOC scales, as the autonomy level changes, or as an ICT third-party provider is brought into scope under Article 28. Your specific agreement will confirm the commercial terms that apply to your deployment.
See the DORA audit trail Morpheus produces — one artifact, three deadlines.
Walk through a live incident with one of our solution engineers. We will show the 4-hour, 72-hour, and 1-month fields, populated from one continuous trail.