Is the classification deterministic and auditable?

Yes. The verdict is a pure function of the graph it traverses, stamped with a rule version and a content hash, with no language model in the decision path — so the same inputs always yield the same answer and the same lineage.

Where is our data hosted?

In the EU / on-premise. The substrate is non-US-controlled — which is what makes the sovereignty claim hold against the CLOUD Act, not just data-center location.

Do you generate the DORA Register of Information?

We generate the criticality-driven dependency context that seeds it; the certified CSSF/EBA-formatted Register export is on our roadmap, not a claim we make today.

DORA · regulated finance · EU-sovereign

Which systems are DORA-critical — and why.

Get a deterministic, auditable lineage for every critical application and ICT third party — the exact chain of evidence behind each verdict. Not a list. Not a black box. EU-hosted by design.

Book a 30-min DORA demo See how it works

What you get

The why, not just a list

Each application is classified Critical / Relevant / Not-in-scope with the traced chain of typed graph edges that justifies it — reproducible, with no LLM in the decision.

Concentration risk, surfaced

See which ICT third-party provider single-handedly supports several critical functions — the dependency the regulator asks about.

EU-sovereign by design

Hosted in the EU / on-premise. The constraint regulators care about is corporate jurisdiction, not server location — a line US-controlled vendors cannot honestly cross.

Days, not a 6-month project

Import your application and dependency data, and see your DORA criticality map light up — without a heavyweight consulting engagement.

Why not the alternatives

LeanIX / Ardoq: a filtered list of 'critical' apps

A deterministic verdict with the exact lineage proof behind it

HOPEX / Bizzdesign: heavy, slow, opaque pricing

Light, fast, EU-native, built for regulated mid-market

Big-4 consultants: a 6-month slide deck

A living, queryable criticality map you keep

US-cloud platforms: residency, not sovereignty

EU-hosted, non-US-controlled substrate

What this is — and what it isn't (we sell to people who know DORA)

ArchiLU produces the DORA criticality classification and dependency lineage that underpin your Article 8 identification and feed the context of your Register of Information. It is a decision-support and evidence aid — it does not file the certified Register on your behalf, run resilience testing (TLPT), or replace your DORA framework or legal compliance.

Frequently asked

Is the classification deterministic and auditable?: Yes. The verdict is a pure function of the graph it traverses, stamped with a rule version and a content hash, with no language model in the decision path — so the same inputs always yield the same answer and the same lineage.
Where is our data hosted?: In the EU / on-premise. The substrate is non-US-controlled — which is what makes the sovereignty claim hold against the CLOUD Act, not just data-center location.
Do you generate the DORA Register of Information?: We generate the criticality-driven dependency context that seeds it; the certified CSSF/EBA-formatted Register export is on our roadmap, not a claim we make today.

Show me which systems are DORA-critical — on our data.

30 minutes. Bring an export of your application landscape; leave with your criticality map and lineage.

Book a 30-min DORA demo