DORA Compliance Stack Finale: Complete EU Financial Services Guide 2026
Post #5 in the sota.io EU DORA Compliance Tools Series
After four posts covering DORA's individual compliance pillars — ICT risk management, incident reporting, third-party risk management, and the operational resilience framework — this finale synthesizes the complete picture. If you're a CISO, CTO, or compliance officer at a bank, insurer, fintech, crypto-asset provider, or payment institution, this is the reference you hand to your board when they ask "what does DORA actually cost and what do we need to do?"
The answer is precise. The tools are ranked. The timeline is quarterly. And the fundamental architectural choice — EU-sovereign infrastructure or US-dependent cloud — determines your regulatory exposure for the next decade.
DORA at a Glance: Who It Applies To and What It Demands
The Digital Operational Resilience Act (EU 2022/2554) has been directly applicable since January 17, 2025. Unlike GDPR, there is no grace period. The Joint Supervisory Authorities (EBA, ESMA, EIOPA) are conducting their first wave of oversight assessments now.
Entities in scope under Article 2:
- Credit institutions (banks, savings banks, cooperative banks)
- Payment institutions and electronic money institutions
- Investment firms and market operators
- Central counterparties (CCPs) and central securities depositories
- Insurance and reinsurance undertakings (Solvency II scope)
- Crypto-asset service providers (MiCA Art. 3(1)(15))
- Critical third-party ICT providers (CTPPs — ESA-designated)
- Fund management companies (UCITS, AIFMs)
- Trade repositories and credit rating agencies
Entities out of scope (Article 2(3) exemptions):
- Microenterprises (< 10 FTE, < €2M turnover) — proportionality applies, simplified regime
- Small institutions (< 3 entities in group, balance sheet < €5B) — lighter obligations
- Non-financial third parties providing ICT services (but they face contractual obligations from Article 30)
The proportionality principle (Article 4) is real but limited. Simplified regime covers microenterprises but is not a full exemption. All in-scope entities must implement the five DORA pillars — the depth of implementation scales with systemic importance.
The Five DORA Pillars: What's Required
DORA structures operational resilience requirements across five interconnected pillars:
Pillar 1: ICT Risk Management (Articles 5-16)
The ICT risk management framework is the foundation. Articles 5-16 require:
- ICT risk management framework documented at board level (Art. 5)
- Digital operational resilience strategy with three-year roadmap (Art. 6)
- ICT asset registry with classification by criticality (Art. 8)
- Business impact analysis for all ICT-supported business functions (Art. 9)
- ICT continuity and recovery plans with RTO/RPO defined per function (Art. 11)
- Learning and evolution — post-incident lessons integrated into framework (Art. 13)
The ICT risk management framework must be reviewed annually and after major incidents. For SaaS providers classified as CTPPs, the ESAs publish a standardized framework template — but supervised entities must adapt it to their specific risk profile.
The RTO problem: DORA does not prescribe specific RTO values, but supervisors expect them to be consistent with the institution's systemic importance. For a clearing member of a CCP, "4-hour RTO" is the floor. Community banks may get 24 hours. The key is documented justification tied to business impact analysis.
Pillar 2: ICT-Related Incident Reporting (Articles 17-23)
DORA's incident reporting regime replaces the fragmented NIS2/EBA/EIOPA frameworks with a single process. Articles 17-23 require:
Classification by severity:
- Major incidents → mandatory reporting to competent authority
- Significant cyber threats → voluntary notification encouraged
- Minor incidents → internal logging only
Reporting timeline for major incidents:
- Initial notification (Early Warning): within 4 hours of classification
- Intermediate report: within 72 hours
- Final report: within 1 month of incident closure
The classification criteria (EBA/ESMA/EIOPA RTS, finalized Q4 2024) use quantitative thresholds: % of customers affected, duration of service disruption, financial impact thresholds, geographic scope. A service outage affecting >10% of retail customers for >30 minutes typically triggers major incident classification for a retail bank.
The DORA Hub: The ESAs are building a centralized incident reporting hub. The current interim solution uses national competent authority portals. Integration with the DORA Hub (expected 2026) will require API-based reporting — structured XML/JSON, not PDF uploads.
Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
DORA mandates a threat-led penetration testing (TLPT) program that goes significantly beyond conventional penetration testing:
Basic testing (all entities):
- Annual vulnerability assessments
- Penetration tests every three years minimum
- Network security assessments
- Gap analysis against ICT risk framework
Advanced testing — TLPT (systemically important entities):
- Red team exercises based on threat intelligence
- Must be conducted by qualified testers (ESA-published criteria)
- Three-year cycle minimum; supervisors can require more frequently
- Results shared with competent authority
- For CTPPs: results shared with supervised financial entities using their services
TLPT is expensive. The 2024 market rate for a financial-sector TLPT engagement is €150,000-€500,000 depending on scope. For most mid-size banks, this is a 24-36 month procurement and execution cycle. Planning must start now for entities not yet in the process.
Pillar 4: Third-Party Risk Management (Articles 28-44)
The most operationally complex pillar. DORA requires:
Registry of Information: A structured registry of all ICT third-party arrangements with 130+ mandatory data fields per arrangement (EBA ITS on outsourcing register format). This is not a contract list — it's a data model.
Mandatory contractual provisions (Article 30): Every ICT service agreement supporting critical functions must include:
- Termination rights without penalty for regulatory non-compliance
- Full audit rights including sub-processors
- Data location specificity to member state level
- Business continuity obligations for the provider
- Exit assistance requirements (minimum 12 months)
Concentration risk: Financial entities must monitor and report concentration risk at sector level. The EBA expects analysis of: (a) dependence on single providers for critical functions, (b) geographic concentration of ICT operations, (c) currency/liquidity risks in provider relationships.
Critical Third-Party Providers (CTPPs): ESA-designated CTPPs (major cloud providers, systemically important SaaS) face direct supervisory oversight — on-site inspections, information requests, fees. The first CTPP list was expected Q3 2025.
Pillar 5: Information Sharing (Article 45)
DORA encourages (but does not mandate) participation in information sharing arrangements for cyber threat intelligence. Voluntary frameworks (ISACs, FS-ISAC, EuroISAC) provide safe harbor for sharing threat indicators. In practice, most competent authorities expect participation in at least one recognized sharing arrangement as a marker of mature threat intelligence practice.
The Complete EU-Sovereign DORA Compliance Stack
Based on our four-part tool series, here is the recommended EU-sovereign stack organized by DORA pillar:
Pillar 1: ICT Risk Management
| Need | EU-Sovereign Choice | Score | Note |
|---|---|---|---|
| GRC Platform | IBM OpenPages (Frankfurt DC) | 21/25 | Full DORA framework mapping, CTPP registry |
| Risk Assessment | ERAMBA (Swiss) | 18/25 | Open-source, no vendor lock-in, DORA templates |
| Business Continuity | IBM Resiliency (EU) | 19/25 | Automated BIA, RTO/RPO modeling |
| Asset Management | ServiceNow (GovCloud DE) | 19/25 | CMDB with criticality tagging, DORA asset registry |
| Audit Trail | OpenPages + IBM Cloud Log | 18/25 | Immutable audit chain, 7-year retention |
Avoid: ServiceNow standard cloud (US data center), Archer (RSA — US jurisdiction), LogicGate (Chicago, no EU entity).
Pillar 2: Incident Reporting
| Need | EU-Sovereign Choice | Score | Note |
|---|---|---|---|
| SIEM/Detection | IBM QRadar (EU) | 22/25 | DORA major incident classification rules built-in |
| Incident Management | ServiceNow ITSM (GovCloud DE) | 21/25 | DORA reporting timelines as SLA |
| Threat Detection | Wazuh (self-hosted, ES) | 20/25 | No jurisdiction risk, full data control |
| Reporting Portal | Custom + EBA API | — | Current interim: national CA portals |
| Communication | Mattermost (self-hosted) | 18/25 | EU sovereign, encrypted, DORA audit-ready |
The 4-hour notification requirement makes automated detection-to-classification-to-notification pipelines mandatory. Manual processes cannot reliably meet this SLA.
Pillar 3: Resilience Testing (TLPT)
| Need | EU-Sovereign Choice | Score | Note |
|---|---|---|---|
| Pen Testing Partner | Intigriti (Antwerp, BE) | 22/25 | EU HQ, TIBER-EU methodology, financial sector expertise |
| TLPT Provider | YesWeHack (Paris, FR) | 19/25 | EU jurisdiction, bug bounty + managed red team |
| Vulnerability Management | Wazuh + OpenVAS | 18/25 | Self-hosted, no data egress |
| Threat Intelligence Feed | EclecticIQ (Amsterdam, NL) | 21/25 | EU-native CTI, DORA threat scenarios |
| Red Team Tooling | Self-managed (Kali, MITRE) | — | BYOT with qualified TLPT partner |
US tool note: HackerOne (SF, CA — 11/25 for DORA), Bugcrowd (SF, CA — 8/25). Primary disqualifier: incident data and vulnerability findings stored in US jurisdiction, accessible to US authorities under CLOUD Act.
Pillar 4: Third-Party Risk Management
| Need | EU-Sovereign Choice | Score | Note |
|---|---|---|---|
| VRM Platform | IBM OpenPages (Frankfurt DC) | 21/25 | Registry of Information, 130+ fields, CTPP tracking |
| Vendor Assessment | Riskonnect EU (Frankfurt entity) | 19/25 | EU data processing, DORA Art. 30 templates |
| Contract Management | ERAMBA + custom | 16/25 | Art. 30 clause library, exit assistance tracking |
| Subcontractor Monitoring | IBM OpenPages (supply chain) | 20/25 | N-tier visibility, CTPP sub-designations |
| Concentration Risk | Custom analytics (EU-hosted) | — | No off-the-shelf EU-sovereign tool exists |
The concentration risk gap: No EU-sovereign tool currently provides sector-level concentration risk analysis as required by DORA. This is a bespoke analytics requirement — most large banks build this in-house on EU-sovereign data platforms (Databricks on Azure Frankfurt, Snowflake EU-central).
Cross-Pillar: Infrastructure Layer
| Component | Recommendation | Rationale |
|---|---|---|
| Cloud Platform | Hetzner Cloud / OVHcloud | Full EU sovereignty, no US entity data access |
| Container Orchestration | Self-managed K8s (Hetzner) or OVHcloud Managed K8s | EU data residency guaranteed |
| Secrets Management | HashiCorp Vault (self-hosted) | DORA key management requirements |
| Log Aggregation | Wazuh / OpenSearch (self-hosted) | 7-year retention, no external data transfer |
| Identity & Access | Keycloak (self-hosted) | EU sovereign, DORA access control requirements |
| Backup & Recovery | Borgbackup + Hetzner Storage | EU jurisdiction, DORA RTO/RPO capable |
ROI Calculation: Compliance Stack Cost vs. Non-Compliance Risk
DORA Non-Compliance Exposure
The penalty framework under DORA (Article 50) and national transposition acts:
| Violation Category | Maximum Fine |
|---|---|
| Failure to implement ICT risk management framework | Up to 2% of total annual worldwide turnover |
| Major incident non-reporting (missed 4-hour window) | Up to €5,000,000 (natural persons: €1,000,000) |
| Failure to conduct TLPT (systemically important) | Up to €10,000,000 or 10% annual turnover |
| CTPP contractual non-compliance (Art. 30) | Up to €5,000,000 per arrangement |
| Registry of Information deficiency | Up to €500,000 per material gap |
For a mid-size bank with €500M annual turnover, a systemic ICT risk framework failure could result in a €10M fine. A missed 4-hour incident notification carries €5M exposure per incident. The cumulative risk across a year of non-compliance easily exceeds €50M for a supervised institution.
Beyond fines: regulatory action can include suspension of specific services, public disclosure (reputational damage), and — for CTPPs — removal from the authorized provider list affecting all client relationships.
EU-Sovereign DORA Stack Annual Cost
| Component | Annual Cost (EUR) |
|---|---|
| IBM OpenPages (GRC + VRM) | €120,000-€280,000 (100-500 users) |
| ServiceNow GovCloud DE (ITSM) | €80,000-€200,000 |
| Riskonnect EU (vendor risk) | €60,000-€150,000 |
| Wazuh (SIEM, self-hosted) | €40,000-€80,000 (infrastructure + staffing) |
| EclecticIQ (threat intelligence) | €50,000-€120,000 |
| Intigriti/YesWeHack (TLPT, 3-year amortized) | €50,000-€170,000/year |
| EU-sovereign cloud infrastructure | €80,000-€200,000 |
| Implementation + integration (Year 1 only) | €200,000-€500,000 |
| Total Year 1 | €680,000-€1,700,000 |
| Total Year 2+ (steady-state) | €480,000-€1,200,000 |
ROI calculation: For a bank with €50M+ annual turnover, the steady-state DORA compliance stack (€480K-€1.2M/year) represents <2% of non-compliance exposure. The expected-value case for investment is overwhelming.
The less-obvious cost driver: the Registry of Information implementation. Building the 130+ field data model, integrating it with contract management, and keeping it current requires 2-4 FTE data stewards or an equivalent automated pipeline. Budget €200K-€400K/year for this function alone at a mid-size bank.
US Tool Alternative: The Hidden Cost
Using US-jurisdiction tools (ServiceNow US, Archer RSA, LogicGate) creates regulatory exposure beyond the tool cost:
- Data transfer restrictions: Sending incident data or Registry of Information fields to US servers creates potential GDPR Art. 46 compliance gaps requiring additional SCCs and transfer impact assessments.
- CLOUD Act subpoena risk: US authorities can compel US-incorporated tool vendors to produce data from EU customers without notification. For financial sector incident data and vendor assessments, this is material information sharing risk.
- CTPP contractual friction: ICT service contracts with non-EU jurisdiction tools complicate the Art. 30 audit right and data location requirements.
- Supervisor perception: EBA supervisors conducting DORA oversight increasingly flag US-primary tool stacks as inadequate for sovereignty requirements. Documented migration plans are requested.
Quarterly Implementation Roadmap 2025-2027
For entities that have not yet completed DORA implementation, here is a realistic quarterly roadmap:
Q1 2026 (January-March) — Foundation
Priority: ICT Risk Framework + Asset Registry
- Appoint DORA lead (CRO or designated ICT risk officer)
- Conduct gap analysis against DORA Articles 5-16
- Initiate ICT asset classification (all assets, criticality tagging)
- Select GRC platform (recommend: IBM OpenPages Frankfurt or ERAMBA)
- Draft ICT risk management framework policy (board approval)
- Map business functions to supporting ICT assets (BIA foundation)
Q1 Milestone: Board-approved ICT risk framework + 80% asset registry populated
Q2 2026 (April-June) — Incident Reporting
Priority: Detection + Reporting Pipeline
- Deploy SIEM with DORA major incident classification rules (IBM QRadar or Wazuh)
- Build incident classification workflow (automated scoring against EBA RTS criteria)
- Establish 4-hour early warning notification process (who, to whom, how)
- Register for national competent authority reporting portal
- Conduct tabletop exercise: simulate major incident, test 4-hour timeline
- Train incident response team on DORA classification criteria
Q2 Milestone: At least one simulated major incident reported within 4 hours. Process documented.
Q3 2026 (July-September) — Third-Party Risk
Priority: Vendor Registry + Contract Remediation
- Implement Registry of Information data model (all critical function vendors)
- Audit top 20 ICT service contracts against Art. 30 requirements
- Issue contract amendment letters to non-compliant vendors
- Deploy VRM platform (IBM OpenPages or Riskonnect EU)
- Conduct concentration risk analysis (provider dependency mapping)
- Flag CTPP candidates in registry for ESA designation monitoring
Q3 Milestone: Registry of Information 100% populated for critical vendors. Top 20 contracts in remediation.
Q4 2026 (October-December) — Resilience Testing
Priority: TLPT Planning + Basic Testing Completion
- Complete annual vulnerability assessments for all critical systems
- Conduct penetration tests for high-criticality systems (if >12 months since last)
- Issue TLPT RFP (if entity meets systemically important threshold)
- Select qualified TLPT provider (Intigriti, YesWeHack, or other ESA-qualified)
- Subscribe to threat intelligence feed (EclecticIQ or equivalent EU-sovereign)
- Join FS-ISAC or EuroISAC for information sharing (Art. 45)
Q4 Milestone: Basic resilience testing program complete. TLPT provider selected/contracted.
Q1-Q2 2027 — Maturity + Continuous Improvement
- TLPT execution (if applicable)
- Registry of Information API integration (DORA Hub when live)
- Automated incident classification and reporting pipeline
- Annual DORA framework review and board attestation
- Supplier relationship management — CTPP renegotiation where required
- Regulatory examination readiness — mock supervisor interview
Master Tool Matrix: DORA Tool Series Ratings (Posts #1318-#1322)
ICT Risk & GRC (from Post #1319)
| Tool | HQ | Jurisdiction | DORA Score |
|---|---|---|---|
| IBM OpenPages | Frankfurt DC | EU | 21/25 |
| ERAMBA | Switzerland | CH (near-EU) | 18/25 |
| ServiceNow GRC (GovCloud DE) | US/DE | DE DC | 19/25 |
| Riskonnect EU | Frankfurt entity | EU | 19/25 |
| Diligent | New York, NY | US | 16/25 |
| OneTrust | Atlanta, GA | US | 9/25 |
| Archer (RSA) | Bedford, MA | US | 12/25 |
Incident Detection & Reporting (from Post #1320)
| Tool | HQ | Jurisdiction | DORA Score |
|---|---|---|---|
| IBM QRadar | EU DC available | EU-capable | 22/25 |
| Wazuh | Madrid, ES | EU (open source) | 20/25 |
| ServiceNow ITSM (GovCloud DE) | US/DE | DE DC | 21/25 |
| IBM Resilience | EU entity | EU | 19/25 |
| PagerDuty | San Francisco, CA | US | 7/25 |
| Splunk | San Jose, CA | US | 8/25 |
| Atlassian Jira | Sydney, AU/US | US | 6/25 |
Vendor Risk Management (from Post #1321)
| Tool | HQ | Jurisdiction | DORA Score |
|---|---|---|---|
| IBM OpenPages (VRM module) | Frankfurt DC | EU | 21/25 |
| Riskonnect EU | Frankfurt entity | EU | 19/25 |
| ERAMBA | Switzerland | CH | 18/25 |
| Diligent | New York, NY | US | 16/25 |
| Archer | Bedford, MA | US | 12/25 |
| OneTrust | Atlanta, GA | US | 9/25 |
| ServiceNow VRM | US/DE (GovCloud) | DE DC | 11/25 |
| Vanta | San Francisco, CA | US | 5/25 |
| Prevalent | London/US | US | 8/25 |
TLPT & Security Testing
| Tool/Provider | HQ | Jurisdiction | DORA Suitability |
|---|---|---|---|
| Intigriti | Antwerp, BE | EU | High (22/25) |
| YesWeHack | Paris, FR | EU | High (19/25) |
| EclecticIQ (CTI) | Amsterdam, NL | EU | High (21/25) |
| HackerOne | San Francisco, CA | US | Low (11/25) |
| Bugcrowd | San Francisco, CA | US | Low (8/25) |
| Synack | Redwood City, CA | US | Low (9/25) |
| Cobalt.io | San Francisco, CA | US | Low (12/25) |
Scoring methodology: 25-point DORA-specific rubric: data residency (5), CTPP contractual compliance (5), audit rights (5), incident reporting integration (5), Art. 30 contractual clauses (5). Full methodology in Post #1319.
Critical Architectural Decision: EU-Sovereign or CLOUD Act Exposed?
Every DORA pillar ultimately traces back to a fundamental architectural question: where does your ICT operational data live, and who can legally access it?
The CLOUD Act exposure problem:
The US Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713) compels US-incorporated companies to produce data from their overseas operations in response to US law enforcement requests — regardless of where the data is stored and often without notification to the data subject.
For DORA compliance, the operational data at risk includes:
- ICT incident logs (major incident details, attacker TTPs)
- Registry of Information (vendor relationships, contractual terms)
- TLPT vulnerability findings (exploitable weaknesses in critical systems)
- Threat intelligence (indicators of compromise, attack attribution)
If a US-incorporated tool vendor processes this data — even in an EU data center — a US subpoena or FISA warrant can access it without triggering GDPR notification obligations and potentially without the financial entity's knowledge.
Why this matters for DORA specifically:
-
Supervisory confidentiality: Competent authorities expect DORA-related operational data to remain within supervisory reach. Data accessible to foreign intelligence services creates a confidentiality breach that supervisors view as a governance failure.
-
Incident data weaponization: Major incident details reported to regulators and stored in US-tool infrastructure create a theoretical intelligence risk. For financial infrastructure operators, this is not paranoia — it is risk management.
-
Vendor concentration in CTPP context: If a US-incorporated tool is designated a CTPP, the data governance implications multiply. The ESA oversight team conducting a CTPP inspection will scrutinize data access controls, and US jurisdiction creates a structural gap that is difficult to remediate.
The EU-sovereign stack eliminates this exposure by design. Tools incorporated and operating within EU jurisdictions, subject to EU law, with no US parent entity relationship, cannot be compelled under CLOUD Act. This is not a legal opinion — it is the straightforward application of personal jurisdiction principles.
DORA Management Checklist for Board Reporting
Board members and senior management are personally accountable under DORA's governance requirements (Article 5). This checklist provides the minimum attestation framework:
ICT Risk Management Framework
- Board has approved documented ICT risk management framework
- Digital operational resilience strategy reviewed in last 12 months
- ICT risk appetite statement defined and aligned with overall risk appetite
- Designated ICT risk function or officer with board reporting line
- Business continuity plans tested with documented results
Incident Reporting
- Major incident classification criteria documented and trained
- 4-hour early warning notification process tested
- Incident log maintained for all classified incidents (12 months minimum)
- Post-incident review process in place (lessons learned integrated)
Third-Party Risk
- Registry of Information complete for all critical function vendors
- Art. 30 contractual review completed or in progress for critical contracts
- Concentration risk analysis conducted and documented
- CTPP designation monitoring process in place
Resilience Testing
- Annual vulnerability assessments completed
- Penetration testing schedule current (last test < 3 years)
- TLPT scope determination documented (subject to advanced testing?)
- Threat intelligence sources identified and subscribed
Information Sharing
- Membership in at least one recognized information sharing arrangement (FS-ISAC, EuroISAC)
- Process for sharing threat indicators with peers (per Art. 45)
Governance
- Senior management remuneration policy includes ICT risk metrics
- Competent authority supervisory contact identified
- DORA regulatory update monitoring process in place
- ICT service provider exit strategy documented for critical vendors
The sota.io Advantage: EU-Sovereign Infrastructure for the Full Stack
For financial institutions deploying the DORA compliance toolstack described in this post, the underlying infrastructure layer is as important as the individual tools. Running IBM OpenPages on AWS US-East creates the same CLOUD Act exposure as running a US-native tool. The EU-sovereign stack only delivers full protection when deployed on EU-sovereign infrastructure.
sota.io provides European-hosted deployment infrastructure that enables DORA-compliant operations:
- EU data residency guaranteed: No transatlantic data flows for operational data
- GDPR-native: All processing within EU jurisdiction by default
- Audit trail: Immutable deployment logs for DORA evidence requirements
- SLA-backed uptime: Aligned with DORA RTO/RPO requirements for critical functions
- No US parent entity: No CLOUD Act exposure by design
For CTPPs building EU-sovereign offerings, sota.io provides the deployment layer that allows demonstrating EU data sovereignty to financial entity clients — a requirement becoming explicit in DORA Art. 30 renegotiations across the sector.
Conclusion: DORA Is a Design Constraint, Not a Checkbox
The most important insight from this five-part series is that DORA is not a compliance project with an end date. It is a permanent operational constraint on how EU financial institutions manage their ICT estate — similar to how Solvency II permanently shaped insurance capital management.
The tools in this guide represent the current best-in-class EU-sovereign options for each DORA pillar. The landscape will evolve: new ESA guidance, new tool certifications, and inevitably new vulnerabilities in the compliance programs of early adopters. The financial institutions that treat DORA as infrastructure rather than a project will adapt; those that treat it as a one-time checkbox will face repeated remediation cycles.
The timeline is already running. The first ESA oversight assessments are underway. The Registry of Information submissions are expected. The 4-hour notification clock has been ticking since January 2025.
Build the stack. Test it. Prove it works.
EU DORA Compliance Tools Series (Posts #1318-#1322):
- Post #1: DORA Complete SaaS & ICT Provider Guide 2026
- Post #2: DORA ICT Risk Management Tools
- Post #3: DORA Incident Reporting Requirements & Automation
- Post #4: DORA Third-Party Risk Management & CTPP
- Post #5: DORA Compliance Stack Finale (this post)
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.