DORA Compliance API — Instant Answers With EUR-Lex Citations
Gibs is a REST API that answers DORA compliance questions with article-level EUR-Lex citations. It covers all 64 articles of the Digital Operational Resilience Act (Regulation 2022/2554) plus all 12 delegated acts — RTS and ITS on ICT risk management, incident reporting, contractual arrangements, and more. The corpus contains 641 indexed chunks and scores 90% accuracy on an expert-curated evaluation dataset.
The Problem
Financial entities have faced DORA compliance obligations since January 17, 2025. The regulation spans 64 articles organized across five pillars, supplemented by 12 delegated acts that specify detailed technical standards for ICT risk management, incident classification, incident reporting timelines, contractual arrangements with ICT third-party providers, subcontracting conditions, and threat-led penetration testing.
Most compliance tools are web-based questionnaires or static PDF checklists. None offer programmatic access. Developers building compliance checks into internal tools, onboarding flows, or audit pipelines have to manually search EUR-Lex, cross-reference delegated acts against parent articles, and parse legal text themselves. That workflow does not scale.
How Gibs Solves This
One API call returns structured JSON with article-level citations from the full DORA corpus — base regulation and delegated acts included.
Python:
```python
import gibs

client = gibs.Client(api_key="sk-gibs-...")

result = client.check(
    question="What are the DORA incident reporting timelines?",
    regulations=["dora"],
)

print(result.answer)
# "Under DORA Article 19, financial entities must submit an initial
# notification within 4 hours of classifying a major ICT-related
# incident, an intermediate report within 72 hours, and a final
# report within one month..."

print(result.sources)
# ["Article 19(4)(a)", "Article 19(4)(b)", "Article 19(4)(c)",
#  "RTS 2025/301 Article 2"]
```
TypeScript:
```typescript
import { Gibs } from '@gibs-dev/sdk'

const gibs = new Gibs({ apiKey: 'sk-gibs-...' })

const result = await gibs.check({
  question: 'What contractual clauses does DORA require for ICT providers?',
  regulations: ['dora']
})
// result.sources: ["Article 30(2)", "Article 30(3)", "RTS 2024/1773"]
```
Gibs also provides a native MCP (Model Context Protocol) server at mcp.gibs.dev. AI coding assistants like Cursor, Claude Desktop, and Windsurf can call Gibs directly to answer regulatory questions within your development environment.
What DORA Covers
DORA is structured around five pillars:
| Pillar | Articles | Key Requirements |
|--------|----------|-----------------|
| ICT Risk Management | Articles 5-16 | Risk management framework, governance, protection, detection |
| Incident Reporting | Articles 17-23 | Classification, 4h/72h/1mo timeline, notification to authorities |
| Digital Operational Resilience Testing | Articles 24-27 | Vulnerability assessments, threat-led penetration testing (TLPT) |
| Third-Party Risk | Articles 28-44 | Contractual requirements, register of information, oversight |
| Information Sharing | Articles 45-49 | Voluntary sharing of cyber threat intelligence |
These articles are supplemented by 12 delegated acts (RTS and ITS) that provide detailed technical standards. For example, RTS 2024/1774 specifies ICT risk management framework requirements, RTS 2025/301 details incident reporting procedures, and RTS 2024/1773 defines mandatory contractual clauses for ICT third-party arrangements. Gibs indexes all of them and cites both the parent article and the specific delegated act provision in its responses.
Who This Is For
- Fintech compliance teams checking DORA obligations for ICT systems and processes
- Banks and insurers mapping third-party ICT provider contracts to Article 30 requirements
- Developers building compliance automation into internal tools, onboarding flows, or audit pipelines
- Compliance consultants researching DORA requirements for financial entity clients
Gibs is a programmatic compliance query engine. It returns structured answers with citations. It is not a GRC platform, audit tool, or consulting firm.
Try It Now
Free tier: 50 requests per month, no credit card required.
```bash
curl -X POST https://api.gibs.dev/v1/check \
  -H "Authorization: Bearer sk-gibs-..." \
  -H "Content-Type: application/json" \
  -d '{"question": "Does DORA apply to crypto-asset service providers?", "regulations": ["dora"]}'
```
FAQ
Does Gibs cover DORA delegated acts (RTS/ITS)?
Yes. Gibs indexes all 12 delegated acts adopted under DORA, including RTS on ICT risk management (2024/1774), incident classification (2024/1772), incident reporting (2025/301), contractual arrangements (2024/1773), subcontracting (2025/532), TLPT (2025/1190), and more. When you query about detailed requirements, Gibs cites both the parent DORA article and the specific delegated act provision.
What accuracy does Gibs achieve on DORA questions?
Gibs scores 90% overall accuracy on an expert-curated evaluation dataset of 30 DORA questions covering factual recall, cross-references, and adversarial edge cases. Abstention accuracy — correctly declining to answer out-of-scope questions — is 100%.
Can I query DORA and other regulations in the same request?
Yes. Gibs supports cross-regulation queries. A question like "How does DORA interact with GDPR for incident data?" returns cited answers from both regulations, with clear attribution of which obligation comes from which regulation. Gibs currently covers DORA, the EU AI Act, and GDPR.
How current is the DORA corpus?
The DORA corpus includes the base regulation (2022/2554) and all 12 delegated acts adopted through February 2026. Corpus versions are tracked and included in every API response so you always know which version was used to generate the answer.
Is there an MCP server for AI assistants?
Yes. Gibs provides a native MCP (Model Context Protocol) server at mcp.gibs.dev. AI coding assistants like Cursor, Claude Desktop, and Windsurf can call Gibs directly to answer regulatory questions within your development environment. See the MCP documentation for setup instructions.
What format does the API return?
JSON with structured fields: answer text, source citations (article numbers), confidence score, regulation version, and processing metadata. Every citation references a specific article — not just a recital or chapter heading.
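A pipeline that consumes these responses can check the citations before it records the answer as evidence. The following is an added example, not Gibs code or part of the original page: it parses citation strings in the shapes shown in the page's sample output, rejects base-regulation article numbers outside 1 to 64, and maps each article to its pillar using the ranges from the pillar table. The function names and the fail-closed policy are assumptions.

```python
import re

# Pillar ranges copied from the page's "What DORA Covers" table.
PILLARS = [
    (5, 16, "ICT Risk Management"),
    (17, 23, "Incident Reporting"),
    (24, 27, "Digital Operational Resilience Testing"),
    (28, 44, "Third-Party Risk"),
    (45, 49, "Information Sharing"),
]

# Citation shapes seen in the page's sample output:
#   "Article 19(4)(a)", "RTS 2025/301 Article 2", "RTS 2024/1773"
BASE = re.compile(r"Article (\d+)(?:\([0-9a-z]+\))*")
DELEGATED = re.compile(r"(RTS|ITS) (\d{4}/\d+)(?: Article \d+(?:\([0-9a-z]+\))*)?")

# Constructed sample input, taken from the page's Python example comment.
SAMPLE_SOURCES = ["Article 19(4)(a)", "Article 19(4)(b)",
                  "Article 19(4)(c)", "RTS 2025/301 Article 2"]


def parse_citation(text):
    """Return a dict for a well-formed citation, or None if it is not one."""
    text = text.strip()
    m = DELEGATED.fullmatch(text)
    if m:
        # The page names only some of the 12 delegated acts, so the act
        # number is checked for shape only, not against an allowlist.
        return {"kind": "delegated", "act": f"{m.group(1)} {m.group(2)}"}
    m = BASE.fullmatch(text)
    if not m:
        return None
    article = int(m.group(1))
    if not 1 <= article <= 64:  # Regulation 2022/2554 has 64 articles
        return None
    pillar = next((p for lo, hi, p in PILLARS if lo <= article <= hi), None)
    return {"kind": "base", "article": article, "pillar": pillar}


def vet_sources(sources):
    """Fail closed: usable only if every source parses and at least one exists."""
    parsed, rejected = [], []
    for s in sources:
        c = parse_citation(s)
        (parsed if c else rejected).append(c or s)
    return {"ok": bool(parsed) and not rejected,
            "parsed": parsed, "rejected": rejected}
```
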