Compliance

DORAComply

DORA compliance for firms without a compliance team

Built by Rogue AI · DORA Register of Information + regulator obligation tracking, self-hosted · Early-stage

Built solo as a scaffold-stage RegTech project in a self-hosted lab; the DORA Register of Information XBRL-CSV export is the first piece that validates clean, with the incident workflow still in progress.


The problem

Small investment firms and crypto-asset service providers fall under DORA but rarely have a compliance engineering team. They still owe a DORA Register of Information on their ICT third parties, ICT-incident reporting against fixed regulatory clocks, and a way to keep track of what their securities regulator publishes and what currently applies to them. The Register has to be filed as an EBA-format XBRL-CSV package, which is easy to get subtly wrong by hand, and a heavyweight enterprise GRC suite is overkill for a firm of this size.

What I built

A self-hosted compliance cockpit covering the parts of DORA and securities-regulator oversight a small firm actually touches: a Register of Information that exports to an EBA-validated XBRL-CSV package, an ICT-incident view with the DORA reporting clock, a regulator circular/obligation tracker, and an AI copilot that answers 'what applies to me' questions grounded in the indexed circulars rather than from the model's own memory.

Architecture

Data-driven XBRL-CSV generator
The DORA Register of Information export is generated from verified EBA code maps and validated column templates, not hand-assembled. It produces a zipped package that validates clean against the EBA reporting taxonomy and logs each run as a submission record.
Prisma 7 + PostgreSQL domain model
A typed schema for firms, ICT third-party providers and contracts, incidents, obligations, designations and submission history: the structured source that both the Register and the copilot read from. Prisma 7 runs through its PostgreSQL adapter.
RAG copilot over regulator circulars
Circulars are ingested and indexed, then the copilot answers obligation questions by retrieving the relevant source passages first and generating a grounded answer, so responses stay anchored to the document text a firm can actually be held to.
Local-first LLM with a routing switch
Generation defaults to a local Ollama model so nothing leaves the box. A provider switch can route the same calls through a self-hosted Claude bridge when a stronger model is wanted; retrieval always goes through the bridge's RAG endpoints so collection naming and embeddings stay consistent.
Custom JWT auth with abuse controls
The session is a short-lived HS256 JWT in an httpOnly cookie, with bcrypt password hashing, Origin-header CSRF checks on mutations, a Redis sliding-window rate limiter, and per-email account lockout after repeated failed logins.
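The abuse controls described above, as an added example that is not DORAComply's own code: an exact-match Origin check for state-changing requests, a sliding-window limiter, and per-email lockout. An in-memory store stands in for Redis and the clock is injectable, both assumptions made so the logic runs offline and deterministically.

```typescript
// Added example, not the project's code. In-memory maps replace Redis (assumption).
type Clock = () => number; // milliseconds since epoch

interface AbuseConfig {
  allowedOrigins: string[]; // exact origins permitted to send mutations
  windowMs: number;         // sliding-window length for the rate limiter
  maxRequests: number;      // requests allowed per key inside the window
  lockoutAfter: number;     // failed logins per email before lockout
  lockoutMs: number;        // lockout duration and failure-counting window
}

class AbuseControls {
  private readonly cfg: AbuseConfig;
  private readonly now: Clock;
  private hits = new Map<string, number[]>();     // key -> request timestamps
  private failures = new Map<string, number[]>(); // email -> failure timestamps
  private lockedUntil = new Map<string, number>(); // email -> unlock time

  constructor(cfg: AbuseConfig, now: Clock = () => Date.now()) { this.cfg = cfg; this.now = now; }

  // CSRF defence for mutations: Origin must be present and match exactly,
  // so "https://app.example.test.evil" does not pass a prefix check.
  originAllowed(origin: string | undefined): boolean {
    return origin !== undefined && this.cfg.allowedOrigins.includes(origin);
  }

  // Sliding window: drop timestamps older than the window, then count.
  // A rejected request is not recorded, so a flood cannot extend its own window.
  allowRequest(key: string): boolean {
    const t = this.now();
    const recent = (this.hits.get(key) ?? []).filter(ts => t - ts < this.cfg.windowMs);
    if (recent.length >= this.cfg.maxRequests) { this.hits.set(key, recent); return false; }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }

  isLocked(email: string): boolean {
    const until = this.lockedUntil.get(email);
    return until !== undefined && this.now() < until;
  }

  // Count failures per email inside lockoutMs; lock once the threshold is hit.
  recordFailure(email: string): void {
    const t = this.now();
    const recent = (this.failures.get(email) ?? []).filter(ts => t - ts < this.cfg.lockoutMs);
    recent.push(t);
    this.failures.set(email, recent);
    if (recent.length >= this.cfg.lockoutAfter) this.lockedUntil.set(email, t + this.cfg.lockoutMs);
  }

  recordSuccess(email: string): void { this.failures.delete(email); this.lockedUntil.delete(email); }
}
```

In the real stack the timestamps would live in Redis sorted sets keyed by client IP or email, with the same filter-then-count logic.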
Hardened self-hosted Docker stack
Three containers (app, PostgreSQL, Redis) on an isolated network, with all ports bound to loopback, all capabilities dropped, no-new-privileges set, a read-only root filesystem with tmpfs scratch space, a least-privilege database role, and digest-pinned images.

Tech stack

Next.js 16 · Prisma 7 · PostgreSQL · Ollama · Claude bridge

What broke first

  • The DORA Register of Information XBRL-CSV export follows the EBA reporting taxonomy, which is EU-wide and identical across every national competent authority. There is no jurisdiction-specific file format to own, so the file format is never the moat; the workflow that produces a clean package is.

  • Validating against a published taxonomy is unforgiving in a useful way: the export either passes the official validator or it does not. Building the generator data-driven from verified code maps and validated column templates made it deterministic to test, rather than a pile of hand-tuned strings.

  • Grounding an AI copilot in the actual regulator circulars via retrieval beats letting a general model answer obligation questions from memory. Retrieval keeps answers anchored to the source text a small firm can be held to, and makes a wrong answer traceable to a real document.

Outcome

A working scaffold that proves the hard part end to end: a DORA Register of Information that exports to an EBA-valid XBRL-CSV package, plus a retrieval-grounded copilot over the regulator's own circulars. It is honest about its stage: no users, incident automation still to come, and the deliberate position that the value is the workflow and local distribution, not a proprietary file format.

Honest limits

Early-stage and candid about it. This is a scaffold-stage RegTech project built solo and run self-hosted in a local lab (the old VPS has been retired). The DORA Register of Information XBRL-CSV export is built and validates clean against the EBA taxonomy; the read views, dashboard counts, copilot and obligation tracker work; the ICT incident-clock automation and full submission workflow are still v1 work. The XBRL-CSV format follows the EBA standard; it is shared EU-wide and not a unique advantage. No paying users, no production-since claims, no invented metrics.
