<img height="1" width="1" style="display: none" alt="" src="https://px.ads.linkedin.com/collect/?pid=1098858&amp;fmt=gif">
DORA EVIDENCE PACK

Prove your DORA exit strategy works, before your regulator asks.

DORA Article 28 wants exit strategies for critical ICT providers stress-tested — a written policy won’t cut it. Codekeeper gives you the working version: your provider’s software rebuilt, verified, and certified in an evidence pack you hand to your auditor.

Tested recovery — not a policy on file.
Codekeeper's DORA Evidence Pack proves that your protection holds: we rebuild and test your deposits, then document the results as Article 28 evidence.
solutions_badge_dora DORA
badge-nis2 NIS2
badge-iso-27001-v2 ISO 27001
badge-soc2 SOC 2
solutions-ffiec FFIEC
One pack, recognized by every framework that asks whether your critical software can be recovered.
The old way

Your current tools belong to a pre-DORA world.

Exit planning used to be an admin task. You name the provider, describe how you’d recover, file the plan, and tick the box at the annual review.
That won’t satisfy DORA’s demand to prove it works. If nobody rebuilds the system to confirm your data is really recoverable, you’ll be liable for any DORA penalty.
The exit plan on file
ICT exit strategy PDF
Signed · 14 Mar 2024
Not tested
Filed once, never rebuilt — so no one knows if it actually recovers.
A team reviewing recovery and continuity plans together at a desk
Why we built it

We built the DORA Evidence Pack because proving your resilience to regulators shouldn't be this hard.

10+
years managing escrow
3 500+
companies protected
ISO 27001
certified
24 hrs
to go live

A look inside your DORA Evidence Pack

Six capabilities that take your exit strategy from filed to audit-ready.

Your provider’s software, rebuilt

Codekeeper takes the escrowed deposit and rebuilds it into a running system.

A certificate the supervisor accepts

The rebuild produces a signed Software Resilience Certificate recording what was tested and confirming it passed.

Annual recovery testing on the clock

DORA wants critical apps tested yearly at the very least. The add-on schedules and records the test results for each deadline.

Maps to your register entry

The escrow arrangement and its evidence align with the Register of Information entry for that provider.

Insolvency-ready access terms

If a provider fails, your escrow agreement already guarantees you can retrieve critical code and data. Checked against Article 30.

Stretches across frameworks

The same evidence answers NIS2, ISO 27001, and SOC 2 continuity questions, not just DORA.

How it works

Three steps to a tested exit. You only handle one.

In review
AC
Acme Corp Depositor
BL
Beneficiary Ltd Beneficiary
AgreementTripartite escrow
Last deposit2 days ago
Active
NV
Northwind Depositor
FB
FinBank Beneficiary
AgreementSaaS escrow
Last depositToday

1. Point us at the provider you need to cover.

Connect the repository, or name a deposit you already hold with us.

Deposits
3 active · last verified today
Software Resilience Certificate
Software Resilience
Certificate
Passed

2. We run the exit test.

We pull the deposit, build it, and confirm it runs — on a schedule that keeps the result current.

Certified tier seal
Codekeeper Software Resilience Certificate
ProviderAcme Cloud Ltd
TierCertified
Recovery testPassed · 14 Jun 2026
Valid to14 Jun 2027
Authorized · Codekeeper
Verified

3. The evidence lands in your dashboard.

The signed certificate and test results — dated and ready for review. Your Article 28 obligation now rests on a proven plan.

Set up in a day. From there, the pack stays current on its own.

Book a demo

These companies’ systems are protected, compliant, and resilient.

They made the decision. They built their resilience. They have peace of mind. You can too.
icon-google
icon-g2
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”
testimonial-circle-j

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”
testimonial-circle-r

Ross Kilshaw

I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!
testimonial-circle-t

Thiago Mendes

Airbus partner logo in muted style
Bayer partner logo in muted style
EU Parliament partner logo in muted style
General Motors partner logo in muted style
Intuit partner logo in muted style
Nestle partner logo in muted style
Pepsico partner logo in muted style
Pfizer partner logo in muted style
Framework mapping

One exit evidence pack, mapped to every framework you answer to.

Test once, document once. The same pack carries evidence for  DORA, NIS2, ISO 27001, SOC 2, and FFIEC.
solutions-dora
DORA — Art. 28 / Arts. 24–25 Documented and tested exit strategy for critical ICT providers
badge-nis2
NIS2 Art. 21(2)(c) Business continuity and backup for supply-chain dependencies
badge-iso-27001-v2
ISO 27001 A.5.30 Network & Information Security Directive
badge-soc2
SOC 2 — CC9 Subservice organization continuity evidence for vendor risk.
solutions-ffiec
FFIEC — NIST CSF 2.0 Evidence for the Recover function across US-supervised institutions.
What's at stake

Everything on the line when your regulator comes knocking.

Without it

  • If your exit test fails during a supervisor’s review, you’ll be found non-compliant.
  • Fines vary by member state — but your management is held personally liable, and the decision can be made public.
1% of daily worldwide turnover — the separate penalty designated critical ICT providers face

With the evidence pack

  • Exit tested, certificate signed, file ready before anyone asks.
  • Compliant with Article 28 — and peace of mind the recovery holds if a provider fails.
  • One pack also answers NIS2, ISO 27001, and SOC 2.
Sample pack

Download a real DORA Evidence Pack, free.

The redacted sample lays out the certificate, recovery-test result, and supplier-resilience summary, exactly as your auditor would see them.
Recovery test · summary
Article 28 mapping
Certified tier seal
Codekeeper Software Resilience Certificate
ProviderAcme Cloud Ltd
TierCertified
Recovery testPassed · 14 Jun 2026
Valid to14 Jun 2027
Authorized · Codekeeper
Verified
Get the sample DORA Evidence Pack

We’ll email the sample exit-evidence pack to you.

The deadline has passed. The inspection hasn’t.

DORA has been in full effect since January 2025, so your exit strategy was due long ago. What’s still ahead is the day a supervisor asks you to prove it works. Get your evidence in place before that day catches you off guard.

Frequently asked questions

What is a DORA exit strategy?
Under DORA Article 28, a financial entity needs an exit plan for moving on when a critical ICT provider fails or the relationship ends. For services that support critical functions, the plan has to be tested, with evidence the recovery works.
How often does the exit test need to be redone?
DORA expects exit and recovery arrangements for critical functions tested at least annually, and a test only proves recovery as of its date. Codekeeper can rerun the build-and-run test on a schedule tied to your review deadlines. We also keep the deposit current with daily syncs, so the evidence is dated and current when a supervisor asks, not a result from a year ago that no longer matches the live system.
How is this different from writing an exit plan ourselves?
A written plan describes the exit. This shows it works. Codekeeper rebuilds your deposit, confirms it’s buildable, and issues a signed certificate — which is what turns a plan into evidence.
Which regulations does this cover?
This pack is built around DORA, covering the Article 28 exit strategy and the testing requirements under Articles 24–25. The same evidence also supports NIS2 business continuity, ISO 27001 A.5.30, SOC 2 CC9, and third-party continuity expectations under CPS 230 and FFIEC.
Does this work if our critical provider is a SaaS vendor, not on-premises software?
Yes. SaaS escrow covers the full environment — code, data, configuration, and dependencies — so the exit evidence applies to cloud providers too.
How fast can we have evidence in place?
Implementation goes live within 24 hours; the first recovery test follows from there.