As a Singapore-based financial data provider, Twelve Data understands that certain clients, particularly those in regulated sectors within the European Union, may have questions about how the Digital Operational Resilience Act (DORA) relates to their use of our services.
This article explains why Twelve Data is outside the scope of DORA and clarifies our position regarding customer compliance requirements.
Our regulatory position
Twelve Data is a foreign company incorporated and operating under the laws of Singapore. As such:
DORA, an EU regulation, does not apply to Twelve Data.
The regulation applies only to financial entities regulated under EU law and ICT third-party service providers formally designated as critical by the European Supervisory Authorities (ESAs).
Twelve Data has not received such a designation, and no legal basis exists for DORA to extend to us under the regulation’s current framework.
What does “critical ICT third-party provider” mean?
Under DORA, an ICT provider is considered “critical” only if it is formally designated by the ESAs. That designation is based on a combination of risk-based criteria, including:
The potential systemic impact of a service disruption or failure.
The degree of market concentration or dominance in a specific ICT service.
The extent of dependency among multiple financial entities.
Whether the services are substitutable or highly interdependent.
Any broader risks to financial stability across the EU.
Twelve Data does not meet these thresholds and is not designated as a critical ICT provider by any EU regulatory authority.
Operational resilience and standards
While DORA does not apply to us, Twelve Data takes digital resilience and security seriously. We align with globally recognised industry standards and frameworks, including:
ISO/IEC 27001 for information security management.
NIST CSF and CIS Controls, as relevant to our infrastructure.
These controls are embedded in our operations to support high availability, business continuity, and risk mitigation across our platform.
Data privacy compliance
Twelve Data complies with relevant data protection regulations based on the jurisdictions of our users. This includes:
General Data Protection Regulation (GDPR) for EU-based data subjects.
Singapore’s Personal Data Protection Act (PDPA).
Additional privacy and security obligations may apply depending on the customer's location or service usage.
For clients referencing DORA in internal compliance
We appreciate that some clients may have internal compliance requirements referencing DORA or similar regulatory standards. While we respect these obligations, it is important to clarify:
Twelve Data is not within the scope of DORA.
We cannot sign DORA-specific compliance statements or enter into addenda related to a regulation that does not apply to us.
We believe this position supports regulatory clarity and avoids creating obligations without legal basis.
Additional resources
Users can evaluate our security and resilience controls using the resources listed below. These materials are designed to help compliance and risk teams assess our services appropriately and transparently. We invite customers to refer to:
🔐 Twelve Data Security Center: Learn more about our controls, standards, and compliance posture.
📈 Status Page: Monitor real-time platform health and incident history.
This article is provided for general information purposes and should not be considered regulatory or legal advice. Clients with questions about their compliance responsibilities should consult with their internal compliance or legal teams. If additional clarification is needed regarding how our services align with your risk framework, our support team is happy to assist.