The Digital Operational Resilience Act went into force on January 17, 2025. Every bank, insurer, investment firm and fintech operating in the EU is now required to prove that their ICT systems can withstand and recover from operational disruptions. Most compliance teams we talk to have focused their DORA efforts on cybersecurity controls, penetration testing and incident response playbooks. Good. Those things matter.
But here is what we keep seeing get missed: document verification. The PDFs flowing through onboarding pipelines, vendor due diligence, loan applications and insurance claims are ICT-dependent processes. And if a fraudster can slip a manipulated bank statement or a forged contract into one of those pipelines, your operational resilience has a hole in it, one that no firewall or pen-test will catch.
DORA’s five pillars and the document problem hiding inside them
For those unfamiliar, DORA is built around five pillars. Let’s walk through each one and show where document verification fits, because the connection is more direct than most compliance officers realize.
- ICT risk management. Financial institutions must identify, classify and monitor all ICT systems and the risks they carry. Your document review pipeline, the system that receives, processes and stores PDFs from customers and vendors, is an ICT system. If that pipeline cannot detect a forged document, you have an unmanaged ICT risk. Full stop.
- ICT incident reporting. When a major incident occurs, you must report it to your regulator. Imagine discovering that a batch of loan applications contained manipulated bank statements that went undetected for months. That is an ICT-related incident. Do you have the audit trail to reconstruct what happened? Do you know which documents were flagged and which were not?
- Digital operational resilience testing. Regular testing of your systems is mandatory: vulnerability assessments, scenario simulations and, for critical entities, threat-led penetration testing every three years. But what about testing your document intake process? Can you feed your onboarding pipeline a known fake document and verify it gets caught? If you have never tested this, you do not know if it works.
- Third-party risk management. This is the pillar getting the most attention, and rightly so. DORA requires financial entities to conduct due diligence on all ICT third-party providers, maintain a Register of Information on vendor arrangements and ensure contractual protections are in place. Here is the catch: how do you verify the documents your vendors provide? Certificates of insurance, SOC 2 reports, financial statements: these are all PDFs. And they can all be faked. We have written about how sophisticated template-based forgeries have become.
- Information sharing. Financial entities are encouraged to share cyber threat intelligence with each other. This includes patterns of document fraud. When VerifyPDF detects a new forgery template being used across multiple clients, that is exactly the kind of intelligence DORA envisions being shared across the sector.
The vendor documentation gap that auditors will find
Here is a scenario we have seen play out at multiple financial institutions, and it illustrates why DORA compliance document verification matters more than most teams realize.
A bank onboards a new software vendor. The procurement team collects the required documents: financial statements, proof of insurance, security certifications, a business continuity plan. Everything checks out. The contract gets signed.
Two years later, during an audit, someone discovers that the vendor’s financial statements were inflated: the PDF had been edited to show higher revenues than the company actually earned.
How did this happen? Because nobody checked whether the PDF itself had been tampered with. The numbers looked reasonable, the formatting was professional and the document passed a visual review. But a forensic analysis of the PDF’s content layers, metadata and font embeddings would have revealed signs of manipulation in seconds.
Under DORA, this is not just an embarrassing oversight. It is a compliance failure. Article 28 requires financial entities to assess the risks posed by third-party arrangements, and that assessment is only as reliable as the documents it is based on.
At VerifyPDF, we process documents from over 90 countries. In our experience, vendor-provided PDFs are among the least scrutinized and most easily manipulated documents in any financial institution’s workflow.
As we discussed in our analysis of the rising threat of fake bank statements, 73% of fraudulent statements show signs of direct PDF content layer editing, the kind of manipulation that is invisible to the human eye but obvious to automated forensics.
What “document integrity” actually means in a DORA context
DORA does not use the phrase “document verification” explicitly. But the regulation’s requirements around data integrity, audit trails and information asset management all point in the same direction. Let’s break it down.
Tamper evidence. Every document entering your systems should be checked for signs of manipulation. This means analyzing the internal structure of PDFs (content layers, font consistency, metadata timestamps, producer signatures), not just reading what the document says on the surface.
A bank statement can say whatever a fraudster wants it to say. The question is whether the PDF itself is consistent with how a legitimate document from that institution would be structured.
Audit trails. DORA requires comprehensive records of incidents, including root cause analyses and remediation steps. For document-dependent processes (loan origination, customer onboarding, vendor assessment), this means you need to answer: when was this document received? What checks were performed? What was the result? Who reviewed it?
If you are processing documents manually and the answer to most of these questions is “we do not know,” you have a problem.
Provenance tracking. Where did this document come from? Was it uploaded directly by the customer, forwarded by an intermediary or pulled from a third-party system? The chain of custody matters because document fraud often enters the pipeline through the weakest link. If a mortgage broker submits a payslip on behalf of a customer, you should be verifying that payslip with the same rigor as if the customer submitted it directly.
This is why automated document verification is not just a nice-to-have for fraud prevention. It is infrastructure for DORA compliance.
Why manual document reviews fail the DORA test
If your compliance team is still relying on human reviewers to catch fake documents, you have two problems under DORA.
First, it does not scale. A mid-sized bank processing thousands of loan applications per month cannot manually verify every payslip, bank statement and employment contract. Corners get cut. Reviewers get fatigued. And as we have covered in our comparison of AI fraud detection vs manual checks, the human eye simply cannot detect the kind of subtle PDF manipulations that modern fraudsters use.
Second, it does not produce an audit trail. When a human reviewer looks at a document and decides it seems fine, what gets recorded? Usually nothing or, at best, a checkbox in a spreadsheet. That is not the kind of documentation DORA demands. You need systematic, repeatable checks with timestamped results that can be reviewed during an audit.
And here is the uncomfortable truth: regulators know this. The European Supervisory Authorities (ESAs) are already collecting Registers of Information from financial entities; the first submission deadline was April 30, 2025.
By late 2025, the ESAs designated critical ICT third-party providers subject to direct oversight. Auditors are now looking at how well your ICT risk management framework actually works in practice, not just on paper.
How to build DORA-ready document verification controls
If you are a compliance officer at a bank or fintech reading this and thinking “we need to address this,” here is a practical starting point.
Map your document-dependent processes. Identify every workflow where PDFs enter your systems: customer onboarding, loan origination, insurance claims, vendor procurement, KYC/AML checks. For each one, document what verification (if any) is currently performed.
Assess your current detection capabilities. Take a sample of documents that passed your review process and run them through automated forensic analysis. You might be surprised at what you find. At VerifyPDF, we regularly see clients discover that 3-5% of their previously accepted documents show signs of manipulation.
Implement automated verification at intake. The most effective approach is to verify documents at the point of entry, before they flow into downstream decision-making processes. VerifyPDF checks a document in less than 5 seconds and returns a risk rating (“Trusted”, “Low risk”, “Needs attention” or “High risk”) along with detailed forensic findings. That is the kind of systematic, auditable process DORA requires.
Build your audit trail. Every document verification should produce a record: what was checked, what was found, what risk rating was assigned and what action was taken. This record should be retrievable during regulatory audits. If you are using automated verification, this happens by default. If you are relying on manual reviews, you need to build this infrastructure yourself.
Include document verification in your resilience testing. As part of your annual testing program, feed known fake documents into your pipelines and verify they get caught. If they do not, you have identified a vulnerability and DORA requires you to remediate it.
Integrate with your Register of Information. DORA requires financial entities to maintain a detailed register of all ICT third-party arrangements. The documents supporting those arrangements (contracts, certificates, compliance attestations) should be verified and version-controlled.
When a vendor renews a certificate or submits updated financials, the new document should be checked automatically, not just filed away. As we explored in our post on why ID verification alone is not enough, checking one type of document while ignoring others leaves gaps that fraudsters exploit.
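To make the “tamper evidence” checks and the “build your audit trail” step above concrete, here is an added Python sketch; it is not VerifyPDF’s code or method. The two sample PDFs, the `expected_producer` parameter (the generator the issuing institution is known to use) and the three-level rating are constructed assumptions for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample PDFs (not real bank documents). The second one carries an
# incremental update (a second trailer with /Prev and a second %%EOF) that
# rewrites the Info dictionary, which is how many PDF editors save changes.
ORIGINAL_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Producer (BankCore Statement Engine 4.2) "
    b"/CreationDate (D:20250110083000Z) /ModDate (D:20250110083000Z) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)
TAMPERED_PDF = ORIGINAL_PDF + (
    b"3 0 obj << /Producer (Desktop PDF Editor) "
    b"/CreationDate (D:20250110083000Z) /ModDate (D:20250109120000Z) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R /Prev 15 >>\n%%EOF\n"
)

def parse_pdf_date(raw: bytes):
    """Parse a PDF date such as b'D:20250110083000Z' (UTC offset ignored)."""
    m = re.match(rb"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", raw)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def last_value(data: bytes, key: bytes):
    """Value of the LAST /Key (...) occurrence: the newest update wins in a PDF."""
    hits = re.findall(rb"/" + key + rb"\s*\(([^)]*)\)", data)
    return hits[-1] if hits else None

def inspect_pdf(data: bytes, expected_producer: str) -> dict:
    """Structural tamper-evidence checks; the heuristics are illustrative assumptions."""
    prod = last_value(data, b"Producer")
    created = parse_pdf_date(last_value(data, b"CreationDate") or b"")
    modified = parse_pdf_date(last_value(data, b"ModDate") or b"")
    flags = []
    if data.count(b"%%EOF") > 1 or re.search(rb"/Prev\s+\d+", data):
        flags.append("incremental update appended after the original save")
    if created and modified and modified < created:
        flags.append("ModDate is earlier than CreationDate")
    if prod is None or prod.decode("latin-1") != expected_producer:
        flags.append("Producer does not match the issuer's known generator")
    rating = "low" if not flags else ("medium" if len(flags) == 1 else "high")
    return {"producer": prod.decode("latin-1") if prod else None, "flags": flags, "rating": rating}

def audit_record(data: bytes, source: str, expected_producer: str) -> dict:
    """Timestamped, hash-bound record of what was checked, what was found and the rating."""
    return {"checked_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "source": source,  # who submitted it: customer, broker, vendor portal
            **inspect_pdf(data, expected_producer)}
```

Taking the last occurrence of each metadata key matters because a PDF’s active values live in the most recent incremental update, which is exactly the part a surface-level viewer never shows.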
The penalties are real, and personal
DORA is not a paper tiger. Article 50 gives national regulators the power to impose administrative penalties and remedial measures. Under DORA’s penalty framework, fines can reach €500,000 for inadequate third-party risk management. Senior management can face personal fines of up to €1 million.
Article 52 goes further, allowing Member States to impose criminal penalties for severe violations.
But honestly, the fines are not even the biggest risk. The bigger risk is an operational failure that traces back to a fraudulent document you should have caught.
A forged bank statement that led to a bad loan. A manipulated certificate of insurance from a vendor that turned out to be insolvent. These are the scenarios that damage reputations and trigger regulatory investigations, and they are entirely preventable with the right document controls.
DORA compliance is not just a cybersecurity problem
Most DORA conversations in the industry focus on network security, cloud infrastructure and incident response. Those are important. But DORA’s ambition is broader: it aims to ensure that financial institutions can maintain operational resilience across all their ICT-dependent processes.
Document processing, the PDFs that flow through every lending decision, every insurance claim, every vendor assessment, is one of the most ICT-dependent processes in financial services.
If you are only thinking about DORA in terms of firewalls and penetration tests, you are missing the document integrity layer. And in our experience, that is exactly where fraudsters find their way in.
At VerifyPDF, we help banks, fintechs and insurers verify the documents that their business decisions depend on. If you want to see how your current document pipeline holds up, request a demo or try our free PDF checker to test a document right now. Because when the auditors come knocking, “we looked at it and it seemed fine” is not going to be good enough.