MICKAI
Compliance · Operational resilience without a critical cloud dependency

DORA

The Digital Operational Resilience Act holds financial entities in the EU accountable for the resilience, oversight and concentration risk of every information and communications technology system that supports their business, including third-party AI services. Mickai removes the critical third-party dependency at source: the sovereign brains run on hardware the firm owns, fully offline, so there is no cloud AI provider to designate, monitor, contract around or exit. Because the system, the data and the audit record all sit inside the firm's own perimeter, DORA's demands for ICT risk management, incident reporting, resilience testing and third-party oversight are satisfied by architecture and evidenced through a post-quantum Open Audit Record.

Why the cloud cannot satisfy this

DORA is built around a single insight: a financial entity's operational resilience is only as strong as the ICT it depends on, and a critical dependency on a third-party cloud provider is a concentration risk that must be controlled and, in many cases, be capable of being exited. When AI runs in a shared cloud, the firm inherits that provider's outage profile, its geographic concentration and its incident-response posture, none of which the firm controls, while still carrying the accountability. DORA's ICT risk-management duties, its incident classification and reporting deadlines, its digital operational resilience testing and its stringent oversight of critical third-party providers all become harder to satisfy the more the firm depends on infrastructure it neither owns nor can inspect. Mickai removes the dependency entirely by keeping the models, the data and the audit trail on hardware the firm owns, fully offline, so there is no critical cloud AI provider to designate or police and no external outage that can take the capability down. Resilience testing is conducted against systems the firm controls end to end, incidents are contained within its own perimeter, and every action is sealed to an immutable Open Audit Record that evidences resilience and accountability to a supervisor.

How Mickai meets it

The 6 obligations this framework imposes, each met by construction on hardware you own and mapped to the subsystem that enforces it.

Enforced by: Air-gapped architecture
Removes: Critical cloud ICT provider dependencies and exit-plan obligations

Removal of the Critical Third-Party Dependency

Because the sovereign brains run on hardware the firm owns, there is no third-party cloud AI provider to designate as critical, monitor, contract around or exit under DORA's oversight regime. The concentration risk that a shared provider creates is removed at source rather than managed through a resilience clause. The firm no longer inherits an external outage profile or geographic concentration it cannot control. Accountability and control are reunited on owned infrastructure.

Enforced by: Sentinel
Removes: Cloud shared-responsibility risk models

ICT Risk Management Over Owned Systems

Mickai supports DORA's ICT risk-management framework by keeping the AI system, its data and its controls on hardware the firm owns, so risks are identified, protected against and monitored across systems the firm controls end to end. The controls and their outcomes are sealed to the Open Audit Record, giving supervisors a reproducible evidence base. There is no opaque vendor environment to factor into the risk picture. The firm holds a complete, first-hand view of its own resilience.

Enforced by: Open Audit Record
Removes: Cloud provider incident disclosures and shared logging

Incident Detection, Classification and Reporting

Because the system runs inside the firm's own perimeter, ICT-related incidents are detected and contained locally rather than inside a vendor environment the firm cannot see into, which strengthens classification and the tight DORA reporting timelines. The sealed audit trail evidences exactly what occurred, when and with what effect, supporting accurate major-incident reporting. There is no dependency on a provider's incident disclosure. The firm reports from first-hand, tamper-evident evidence.

Enforced by: Nomos
Removes: Cloud availability assurances and untestable vendor internals

Digital Operational Resilience Testing

Mickai supports DORA's resilience-testing programme because the AI capability runs on hardware the firm controls, so scenario testing, vulnerability assessment and continuity exercises are conducted against systems the firm can inspect and reproduce. Test results are sealed to the audit record for supervisory evidence. There is no vendor black box that testing cannot reach. The firm demonstrates resilience against its own, fully controlled infrastructure.

Enforced by: Air-gapped architecture
Removes: Cloud availability SLAs and failover dependencies

Continuity Under Loss of Connectivity

Because Mickai operates fully offline, the AI capability continues to function even when connectivity is lost entirely, which directly addresses DORA's business-continuity and availability expectations. An external outage cannot take the capability down, because there is no external dependency in the inference path. Continuity is a property of the architecture rather than a failover arrangement. The firm retains its AI function under conditions that would disable a cloud-dependent system.

Enforced by: Open Audit Record
Removes: Expanded third-party ICT registers and vendor oversight tooling

Third-Party Oversight Evidence

By running the AI capability in-house, Mickai shrinks the population of critical ICT third parties the firm must register, assess and oversee under DORA, and evidences control of what remains through the sealed audit trail. Where any residual dependency exists, its interactions are recorded to the Open Audit Record for reproducible oversight. The firm presents supervisors with a smaller, better-evidenced third-party surface. Oversight is grounded in tamper-evident records rather than vendor assurances.

The sovereign advantages

The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.

Zero-trust data privacy

The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.

No vendor lock-in or outage exposure

You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.

Data residency by default

The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.

Proprietary advantage stays private

Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.

Predictable total cost of ownership

After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.

The zero-espionage trust vault

There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.

Immunity to regulatory drift

You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.

Questions

How does on-premise AI help a financial firm meet DORA?

Mickai removes the critical third-party dependency at source: the sovereign brains run on hardware the firm owns, fully offline, so there is no cloud AI provider to designate, monitor, contract around or exit. The system, the data and the audit record all sit inside the firm's own perimeter, so DORA's demands for ICT risk management, incident reporting, resilience testing and third-party oversight are satisfied by architecture and evidenced through a post-quantum Open Audit Record.

Does running AI on-premise remove DORA concentration risk?

Yes. Because there is no third-party cloud AI provider in the inference path, the concentration risk that DORA treats as a critical exposure is removed at source rather than managed through a resilience clause. The firm no longer inherits an external outage profile or geographic concentration it cannot control, and accountability and control are reunited on owned infrastructure.

How does Mickai support DORA incident reporting?

Because the system runs inside the firm's own perimeter, incidents are detected and contained locally rather than inside a vendor environment the firm cannot see into, which strengthens classification and the tight reporting timelines. The sealed audit trail evidences exactly what occurred, when and with what effect, so the firm reports major incidents from first-hand, tamper-evident evidence rather than a provider's disclosure.

Can the AI capability keep running during an outage?

Yes. Mickai operates fully offline, so the AI capability continues to function even when connectivity is lost entirely, which directly addresses DORA's business-continuity and availability expectations. An external outage cannot take the capability down, because there is no external dependency in the inference path. Continuity is a property of the architecture rather than a failover arrangement.

How does Mickai reduce the DORA third-party oversight burden?

By running the AI capability in-house, Mickai shrinks the population of critical ICT third parties the firm must register, assess and oversee, and evidences control of what remains through the sealed audit trail. The firm presents supervisors with a smaller, better-evidenced third-party surface, and oversight is grounded in tamper-evident records rather than vendor assurances.

Is Mickai a cloud service subject to DORA oversight itself?

No. Mickai is a Sovereign Intelligence Operating System acquired as an owned asset that runs on the firm's own hardware, not a cloud service the firm depends on. Because there is no external provider running the workload, there is no critical ICT third party to bring within the oversight regime. The public cloud remains useful for non-regulated work; Mickai is the answer for the resilient, regulated-data boundary.

Lawful B2B engagement

Bring DORA in-house.

Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and we will walk the obligations, the regulatory crosswalk and the deployment that fits.
