{
  "type": "ZkVmReceipt",
  "system": "risc0",
  "receiptFormat": "groth16-bn254",
  "imageId": "sha256:a1a0bc89b5b1febaeda3519f6dbade0fa5ac16beeb143c4e1b01689573567bc6",
  "seal": "CpZcQt84ZJZLz8QRaWWQEFIdjhxBKZQfTSYioT6ge/wcXtWoBRTPzQcLZh5pebhivtTBHilG+K701J/GBFmuGhe+j+HB5noWw7ThHgKTnG/cQyH4Se9rbbIqDt+T+kRvEBZeNZ7W/aVNSbgQt3EiWg96LHIjZ9oQVVUZgOUK1QcJzbaFYFBPk9lrFAgKnqXzDhimbC0FJVtn0IERt2kRIR7sioRx3muUtjFPGTJMYIDPMgK12o+iyv+FVSDWir4kEJBbtzwAQQPxZWPiAU1CRvqryMLaK/1oX/c6ZGIJGQEmf35KucKsgWFL31xyxSkMLf2wpCsdxExXP7SY8tYhrg==",
  "journal": {
    "chaingraph_version": "0.4.0",
    "kernel_digest": "sha256:2fc2a970c1e7b9f554cbc414c18f307b5b950e11931a9861c342ced9253b8f71",
    "output": {
      "all_answered": false,
      "applicable_deadline_note": "DORA in force January 2025 — ~22,000 in-scope entities across the EU",
      "domain_scores": [
        {
          "articles": "Art. 5–16",
          "grade": "F",
          "label": "ICT Risk Management",
          "pct": 0
        },
        {
          "articles": "Art. 17–23",
          "grade": "F",
          "label": "Incident Classification & Reporting",
          "pct": 0
        },
        {
          "articles": "Art. 24–27",
          "grade": "F",
          "label": "Resilience Testing",
          "pct": 0
        },
        {
          "articles": "Art. 28–30",
          "grade": "F",
          "label": "Third-Party Risk",
          "pct": 0
        }
      ],
      "gaps": [
        {
          "articles": "Art. 5–16",
          "domain": "ICT Risk Management",
          "question": "Is there a board-approved ICT risk framework mapped to DORA Articles 5–16?",
          "severity": "no"
        },
        {
          "articles": "Art. 5–16",
          "domain": "ICT Risk Management",
          "question": "Are critical or important functions (CIFs) formally identified and documented?",
          "severity": "no"
        },
        {
          "articles": "Art. 5–16",
          "domain": "ICT Risk Management",
          "question": "Has proportionality been assessed and documented for your entity class?",
          "severity": "no"
        },
        {
          "articles": "Art. 17–23",
          "domain": "Incident Classification & Reporting",
          "question": "Can you classify a major ICT incident against the DORA criteria within the reporting clock?",
          "severity": "no"
        },
        {
          "articles": "Art. 17–23",
          "domain": "Incident Classification & Reporting",
          "question": "Are NCA submission templates and deadlines tracked end-to-end?",
          "severity": "no"
        },
        {
          "articles": "Art. 17–23",
          "domain": "Incident Classification & Reporting",
          "question": "Is there a tested escalation runbook from detection to initial notification?",
          "severity": "no"
        },
        {
          "articles": "Art. 24–27",
          "domain": "Resilience Testing",
          "question": "Is there a risk-based digital operational resilience testing programme (not just annual pen tests)?",
          "severity": "no"
        },
        {
          "articles": "Art. 24–27",
          "domain": "Resilience Testing",
          "question": "If in scope, is TLPT (threat-led penetration testing) scoped and scheduled?",
          "severity": "no"
        },
        {
          "articles": "Art. 24–27",
          "domain": "Resilience Testing",
          "question": "Are test findings tracked to closure with board visibility?",
          "severity": "no"
        },
        {
          "articles": "Art. 28–30",
          "domain": "Third-Party Risk",
          "question": "Is the register of information for all ICT third-party arrangements complete and current?",
          "severity": "no"
        },
        {
          "articles": "Art. 28–30",
          "domain": "Third-Party Risk",
          "question": "Do critical ICT contracts contain the DORA-mandated provisions (audit, exit, sub-outsourcing)?",
          "severity": "no"
        },
        {
          "articles": "Art. 28–30",
          "domain": "Third-Party Risk",
          "question": "Is ICT concentration risk measured and reported (single-provider dependencies)?",
          "severity": "no"
        }
      ],
      "gaps_count": 12,
      "grade": "F",
      "grade_title": "Stop",
      "immediate_action_required": true,
      "incident_route_recommended": true,
      "regulatory_framework": "DORA (EU) 2022/2554 · EBA/ESMA/EIOPA RTS on ICT risk management · JC 2023 83",
      "score_pct": 0,
      "supervisory_exposure": true
    }
  }
}
