This page explains how Coveo Solutions, Inc. and its affiliates (“Coveo”) support customers’ compliance efforts under the EU Digital Operational Resilience Act, Regulation (EU) 2022/2554 (“DORA”), and the Network and Information Security Directive (EU) 2022/2555 (“NIS2”) when using Coveo’s Hosted Services, as defined in Coveo’s customer agreement (“CA”).
What are DORA and NIS2?
DORA establishes rules to strengthen the digital operational resilience of financial entities in the European Union (“EU”). It aims to ensure that financial institutions can withstand, respond to, and recover from disruptions affecting their information and communication technology (“ICT”).
NIS2 extends existing cybersecurity obligations to a wider range of sectors to achieve a common high level of cybersecurity across the EU, requiring “essential” and “important” entities to maintain robust technical and organizational measures.
Both frameworks reinforce security and resilience of digital operations and supply chains within the EU, improving cooperation between entities and regulators.
Does DORA or NIS2 apply to Coveo?
Coveo provides a cloud-based SaaS enterprise AI search and relevance platform.
Under DORA, Coveo qualifies as an ICT third-party service provider. However, Coveo’s Hosted Services are typically not intended to support “critical or important functions” (“CIF”) as defined under DORA. Consistent with this, Coveo does not appear on the list of designated critical ICT third-party service providers issued by the European Banking Authority on November 18, 2025.
Under NIS2, Coveo may qualify as an important entity providing digital services in the EU.
How does Coveo address DORA and NIS2 requirements?
Coveo’s internal security and privacy policies and practices align with the DORA and NIS2 principles of risk management, operational resilience, and incident preparedness.
Key measures include:
- Contractual transparency: Coveo’s CA, data processing addendum (“DPA”), and Security Exhibit (“SE”) describe the Hosted Services, service levels, incident management, data residency, and customers’ audit rights. The DPA further specifies where customer data is processed, how it is protected and transferred, and how customers can access or delete it.
- Security measures: Encryption at rest and in transit, access controls (role-based access management), system monitoring, vulnerability management, and annual independent penetration testing for the Hosted Services.
- Business continuity (“BC”) and disaster recovery (“DR”): Documented BC/DR plans tested annually, with defined recovery objectives.
- Incident management: A written security incident response plan supporting regulatory and customer notification obligations where applicable.
- Awareness and governance: Regular employee security training adapted to employees’ functions and continuous program improvement.
- Vendor management: Due diligence and contractual controls over subcontractors, including a dedicated DPA with specific notification obligations.
- Certifications and assurance: SOC 2 Type II attestation and ISO/IEC 27001, 27017, 27018, and 27701 certifications.
- Cooperation: Coveo supports customer compliance and regulatory engagement, including where cooperation with competent authorities is required.
Where can I find more information?
Customers can consult Coveo’s Trust Center and Legal Center for documentation on security, compliance, and data protection.
Additional details are also available in Coveo’s online documentation, under the Compliance and Security sections.
For more information or to request specific contractual terms related to DORA, please contact your Coveo account representative.
