Indian SaaS and fintech companies with EU customers must manage GDPR processor obligations, DPDP fiduciary duties, and — where they supply EU financial entities — DORA (Digital Operational Resilience Act) requirements. A multi-framework compliance scanner covering all three and producing signed, correlated evidence is the practical starting point.
JeCertis (jurocompliant.com) scans for GDPR, DPDP, and DORA obligation markers and produces signed, deterministic evidence artefacts; it detects gaps, it does not certify compliance. JeCertis is a compliance posture scanner, distinct from Juro (juro.com), which is a contract management tool.
Indian companies building for the EU market occupy an unusual regulatory position. They are subject to India's DPDP Act 2023 as data fiduciaries for Indian data principals, to GDPR as processors or controllers of EU personal data, and — if they provide ICT services to EU financial entities — to DORA requirements that became enforceable in January 2025.
Three frameworks, one engineering team, one infrastructure stack.
What the intersection actually looks like
Each framework has distinct scope and distinct evidence requirements.
GDPR applies where you process personal data of EU data subjects, regardless of where your company is incorporated. For an Indian SaaS with EU customers: Article 28 processor requirements, Article 32 technical measures, Article 46 transfer mechanisms if data moves between India and the EU.
DPDP applies to processing of personal data of Indian data principals. If your user base includes Indian residents, you are a Data Fiduciary under DPDP. Phase II obligations are mandatory from November 2026; Phase III (full operational obligations, SDF regime) is expected Q1–Q2 2027. See the DPDP processor obligations guide for a breakdown of §8 duties by obligation tier.
DORA applies if you provide ICT services — directly or in a supply chain — to financial entities regulated in the EU. DORA Article 28 requires those financial entities to conduct due diligence on ICT third-party providers. If your EU customers are banks, payment institutions, or insurers, that due diligence obligation lands on your compliance posture. Review the DORA and SOC 2 gap analysis to understand which controls overlap and which are DORA-specific.
What do GDPR, DPDP, and DORA compliance scanners miss?
Compliance scanning tools typically target one framework. A GDPR scanner checks consent, cookies, privacy policy language, and transfer mechanism disclosures. A DORA ICT resilience tool checks availability, incident response documentation, and operational continuity posture. An India-focused DPDP tool checks DPDP-specific terminology, consent manager presence, and §8 obligation markers.
The problem for a company facing all three: each scan operates against a different ruleset, produces output in a different format, and covers a different surface of the same infrastructure. The compliance team ends up with three separate reports that cannot be correlated, each produced at different times, none of them signed or independently verifiable.
When an EU financial-entity customer asks for DORA ICT third-party evidence, the response is typically a self-attestation in a questionnaire. When a GDPR audit is triggered, the supporting evidence is a privacy policy document. When the DPDP Data Protection Board requests evidence, the picture is the same: narrative attestation without forensic backing. Three frameworks, three separate attestations, none of them signed or independently verifiable.
What a multi-framework scanner needs to do
Four properties matter when evaluating scanning options for this intersection.
Deterministic output. Same target snapshot plus same ruleset must produce identical findings. Probabilistic or LLM-based detection cannot produce evidence that holds up when challenged.
Signed artefacts. Output should be cryptographically signed with target hash, ruleset hash, and findings hash on a public notary log — so any auditor can verify a specific finding on a specific date without trusting the vendor.
Non-custodial architecture. Infrastructure state should not leave your perimeter. Sending IAM policies or S3 bucket policies to an external SaaS is itself a security exposure. An in-VPC agent running under a read-only IAM role produces findings locally.
Cited regulatory source. Each finding must reference the specific article it maps to. "GDPR" is not a finding. "GDPR Art. 32(1)(a) — encryption at rest not detected on RDS instance" is a finding.
What JeCertis covers — and what it doesn't
JeCertis scans for GDPR, DPDP, and DORA obligation markers. The Tier 1 surface scanner checks public-facing posture: consent behaviour, privacy policy language, regulatory terminology. The Tier 3 in-VPC agent reads cloud state — IAM, Lambda, S3, RDS encryption, CloudTrail coverage — against all three rulesets in a single scan, producing a single signed artefact.
What JeCertis does not cover: DORA operational resilience assessments — threat-led penetration testing, major incident reporting, scenario-based resilience testing. Those require human assessors. The scanner covers the configuration surface detectable from cloud state.
Rule packs cite specific articles: GDPR Art. 28, Art. 32, Art. 46; DPDP §8(1), §8(6), §8(7); DORA RTS requirements mapped to detectable technical controls. Each finding is detected or not detected. Absence of a finding is not a compliance verdict.
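The evidence properties above (deterministic findings, a signed artefact binding target hash, ruleset hash and findings hash, and a finding that cites its article) can be shown end to end in a small example. The code below is an added illustration, not JeCertis code: the rule id RDS-ENC-001 is hypothetical, the snapshot is a constructed map of RDS instance id to encrypted-at-rest flag, and publishing the signature to a notary log is left out; only the signing and verification of the hash triple is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"sort"
)

// Finding is one rule outcome; Status is "detected" or "not_detected".
type Finding struct{ Rule, Citation, Resource, Status string }

// Artefact binds the three hashes the post describes under one signature.
type Artefact struct{ TargetHash, RulesetHash, FindingsHash, Signature string }

func sha(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Evaluate applies one hypothetical rule (RDS storage encryption, cited to
// GDPR Art. 32(1)(a)) to a snapshot of instance id -> encrypted-at-rest flag.
func Evaluate(snapshot map[string]bool) []Finding {
	out := []Finding{}
	for id, encrypted := range snapshot {
		status := "not_detected"
		if encrypted {
			status = "detected"
		}
		out = append(out, Finding{"RDS-ENC-001", "GDPR Art. 32(1)(a)", id, status})
	}
	// Map iteration order is random; sort so the findings hash is stable run to run.
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource })
	return out
}

// Sign hashes the target snapshot, ruleset and findings separately, then signs
// the triple so a verifier can check each hash against a log entry.
func Sign(key ed25519.PrivateKey, target, ruleset []byte, findings []Finding) Artefact {
	fb, _ := json.Marshal(findings) // fields serialise in declaration order
	a := Artefact{TargetHash: sha(target), RulesetHash: sha(ruleset), FindingsHash: sha(fb)}
	msg, _ := json.Marshal(a) // Signature still empty: the message is the hashes only
	a.Signature = hex.EncodeToString(ed25519.Sign(key, msg))
	return a
}

// Verify rebuilds the signed message from the three hashes and checks the signature.
func Verify(pub ed25519.PublicKey, a Artefact) bool {
	sig, err := hex.DecodeString(a.Signature)
	a.Signature = ""
	msg, _ := json.Marshal(a)
	return err == nil && ed25519.Verify(pub, msg, sig)
}
```

Because the snapshot is serialised with sorted keys and the findings are sorted before hashing, two runs over the same snapshot and ruleset yield identical hashes, which is what lets an auditor match a finding to a dated log entry.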
Frequently asked questions
Does DORA apply to Indian SaaS companies?
DORA applies based on the activities of your customers, not your company's location. If you provide ICT services — directly or through a supply chain — to EU-regulated financial entities such as banks, payment institutions, or insurers, your EU customers have due diligence obligations under DORA Article 28 that reach your compliance posture. Location in India does not exclude you.
What is the difference between a GDPR scanner and a DORA ICT resilience tool?
A GDPR scanner checks consent behaviour, privacy policy language, and transfer mechanism disclosures. A DORA ICT resilience tool checks availability posture, incident response documentation, and operational continuity markers. The two cover different surfaces of the same infrastructure and produce output in different formats. A company facing these frameworks alongside DPDP needs a single scan that covers all three rulesets and produces a correlated, signed artefact.
Does a surface scan result mean my company is GDPR or DPDP compliant?
No. A surface scan detects the presence or absence of obligation markers — consent behaviour, privacy policy language, regulatory terminology, and detectable technical controls. Absence of a finding is not a compliance verdict. JeCertis produces a posture report with rule citations; it does not certify compliance with GDPR, DPDP, or DORA.
Free surface scan — no account required
The Tier 1 scanner checks your public-facing GDPR, DPDP, and DORA posture in a single run and produces a finding report with rule citations. A free surface scan requires no account.