DORA came into force in January 2025. Financial entities across the EU are supposed to be compliant. Most aren't — at least not fully — and many don't actually know where their gaps are.

The traditional answer is to hire a consultancy, spend 3-4 weeks, and pay somewhere between £20k and £60k for a gap analysis. The output is usually a spreadsheet and a PowerPoint. The data goes through the consultant's systems, probably via a cloud AI tool, and you hope for the best on the confidentiality front.

We took a different approach.

The setup

Adverse Trace runs on a cluster of NVIDIA GB10 DGX Spark nodes — sovereign inference hardware, on-premises, nothing leaves the network. The model running the analysis is Qwen3.5-397B, a 397 billion parameter model running locally at around 27 tokens per second.

No Azure. No OpenAI. No "your data won't be used for training" promises. The data physically does not leave the building.

30+ policy & SOP documents ingested
~2hrs end-to-end assessment time
0 bytes left the network

How it works

The pipeline ingests the client's policy and procedure documentation, chunks it, and builds a local RAG store. It then iterates control by control through the DORA RTS/ITS framework — each call is 3-5k tokens, focused, with the relevant documentation retrieved and assessed against the specific requirement.

The output for each control includes a finding, the evidence cited, the source document, and a gap or recommendation where applicable. It doesn't hallucinate sources — if the evidence isn't in the documentation, it says so.

We also ran a comparison against the client's own self-assessment. 8 controls they rated compliant came back as gaps. 57 controls had no evidence either way — turns out their "full" self-assessment wasn't complete.

That delta — between what a company thinks its compliance posture is and what the documentation actually supports — is where the real value sits. It's also exactly what a regulator would find.
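The pipeline described under "How it works" and the self-assessment comparison above, reduced to a runnable sketch. This is an added example, not Adverse Trace's code: the policy excerpts, the three control descriptions and the client's self-assessment ratings are all constructed, the control text is paraphrased rather than the RTS/ITS wording, and two stand-ins keep it offline: term-overlap retrieval in place of the embedding store, and a coverage rule in place of the model call. What it does show is the behaviour the post relies on: every cited passage carries its source document, a control whose evidence falls below a threshold is reported as "no evidence" rather than given a fabricated citation, and the delta between the client's ratings and what the documentation supports is computed explicitly.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus: source document name -> text. Not real client material.
DOCUMENTS = {
    "ICT_Risk_Management_Framework_v3.pdf": """
        The ICT risk management framework is reviewed at least annually and
        approved by the management body. Critical ICT assets are inventoried
        and classified by business impact.
        """,
    "Incident_Response_SOP.docx": """
        Major ICT-related incidents are classified using the severity matrix.
        The incident manager notifies the competent authority within four hours
        of classification as major. Post-incident reviews are documented.
        """,
}

# Constructed control set (paraphrased; hypothetical identifiers, not RTS/ITS article numbers).
CONTROLS = {
    "RM-01": "ICT risk management framework reviewed annually and approved by the management body",
    "IR-02": "Major ICT incidents classified and reported to the competent authority within the initial notification deadline",
    "TP-03": "Register of information on contractual arrangements with ICT third-party providers maintained",
}

# Constructed client self-assessment: everything rated compliant.
SELF_ASSESSMENT = {"RM-01": "compliant", "IR-02": "compliant", "TP-03": "compliant"}

STOPWORDS = {"the", "and", "of", "by", "to", "is", "are", "with", "on", "at", "a", "an", "within"}
MIN_CHUNK_SCORE = 0.25  # a chunk scoring below this is never cited as evidence
COVERED = 0.8           # coverage at or above this: requirement evidenced
PARTIAL = 0.4           # between PARTIAL and COVERED: gap; below PARTIAL: no evidence


@dataclass
class Chunk:
    source: str           # document the passage came from, kept for citation
    text: str
    terms: frozenset


@dataclass
class Finding:
    control: str
    verdict: str                     # "compliant" | "gap" | "no_evidence"
    coverage: float
    evidence: list[tuple[str, str]]  # (source document, cited passage)
    missing: list[str]               # requirement terms with no supporting passage


def terms(text: str) -> frozenset:
    """Lexical stand-in for an embedding: the content words of a passage."""
    return frozenset(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS)


def build_store(documents: dict) -> list[Chunk]:
    """Chunk each document into sentences, tagging every chunk with its source."""
    store = []
    for source, text in documents.items():
        flat = " ".join(text.split())
        for sentence in re.split(r"(?<=[.!?])\s+", flat):
            if sentence:
                store.append(Chunk(source, sentence, terms(sentence)))
    return store


def retrieve(store: list[Chunk], requirement: str, k: int = 3) -> list[Chunk]:
    """Top-k chunks for one control, dropping anything below MIN_CHUNK_SCORE."""
    req = terms(requirement)
    scored = [(len(c.terms & req) / len(req), c) for c in store]
    scored = [(s, c) for s, c in scored if s >= MIN_CHUNK_SCORE]
    scored.sort(key=lambda sc: sc[0], reverse=True)
    return [c for _, c in scored[:k]]


def assess(store: list[Chunk], control_id: str, requirement: str) -> Finding:
    """Rule-based stand-in for the per-control model call: finding + cited evidence."""
    req = terms(requirement)
    evidence = retrieve(store, requirement)
    supported = frozenset().union(*(c.terms for c in evidence)) & req
    coverage = len(supported) / len(req)
    if coverage >= COVERED:
        verdict = "compliant"
    elif coverage >= PARTIAL:
        verdict = "gap"
    else:
        verdict, evidence = "no_evidence", []  # say so; cite nothing rather than something weak
    return Finding(control_id, verdict, round(coverage, 2),
                   [(c.source, c.text) for c in evidence], sorted(req - supported))


def run_assessment(documents: dict, controls: dict) -> dict[str, Finding]:
    store = build_store(documents)
    return {cid: assess(store, cid, req) for cid, req in controls.items()}


def compare_with_self_assessment(findings: dict, self_assessment: dict) -> dict:
    """The delta: controls rated compliant that the documentation contradicts,
    and controls with no evidence either way."""
    contradicted = sorted(c for c, f in findings.items()
                          if self_assessment.get(c) == "compliant" and f.verdict == "gap")
    unevidenced = sorted(c for c, f in findings.items() if f.verdict == "no_evidence")
    return {"rated_compliant_but_gap": contradicted, "no_evidence_either_way": unevidenced}


if __name__ == "__main__":
    findings = run_assessment(DOCUMENTS, CONTROLS)
    for f in findings.values():
        print(f"{f.control}: {f.verdict} (coverage {f.coverage:.0%})")
        for source, text in f.evidence:
            print(f"    evidence [{source}]: {text}")
        if f.missing:
            print(f"    not evidenced: {', '.join(f.missing)}")
    print(compare_with_self_assessment(findings, SELF_ASSESSMENT))
```

Run as written, RM-01 comes back compliant with its passage cited from the framework document, IR-02 comes back as a gap because the SOP evidences classification and the competent authority but not the notification deadline wording, and TP-03 comes back with no evidence at all, so the delta lists IR-02 as rated compliant but gapped and TP-03 as unevidenced. The thresholds are the part a real deployment replaces with the model's judgement; the structural points (source on every citation, an explicit no-evidence outcome, the delta computed from findings rather than from the client's ratings) carry over unchanged.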

Why sovereign matters here

DORA is a financial sector regulation. The documents used for a gap analysis are operational policies, incident response procedures, third-party contracts, and ICT risk frameworks. Sensitive doesn't begin to cover it.

Most AI-assisted compliance tooling runs on hyperscaler infrastructure. "Secure" tenancy, contractual protections, data residency guarantees — all of which still require trusting a third party with your most sensitive operational documentation. For many firms that's a non-starter, and increasingly their regulators agree.

Sovereign inference isn't a nice-to-have for this use case. It's the only way to do it properly.

The question

We're exploring whether to offer this as a service — automated framework assessments (DORA, NIS2, ISO 27001, CIS 18) against client documentation, fully sovereign, with a structured output report.

If you work in financial services, legal, or compliance — what would your organisation pay for a DORA gap analysis delivered this way? And would sovereign infrastructure change the conversation with your legal or compliance team?