Date: 2/10/2025
Subject: DORA
Deciphering DORA's challenges and solutions with VONA Consulting!
As the digitization of financial services accelerates, operational resilience in the face of cyber threats is becoming a strategic priority. In response, the European Union adopted the DORA (Digital Operational Resilience Act) regulation, a regulatory framework aimed at strengthening the management of information and communication technology (ICT) risks for financial entities. DORA imposes strict requirements on governance, resilience testing, incident management, and third-party monitoring. Beyond compliance, it guarantees the continuity of financial services and harmonizes supervision at the European level. Its implementation is a challenge that requires rapid adaptation of processes and tools.

1. Regulatory goals: strengthen the operational resilience of financial entities

DORA aims to strengthen the resilience of the European financial sector in the face of increasing cyber threats and technological incidents. Unlike previous regulations, it is not limited to cybersecurity, but takes a comprehensive approach by integrating information and communication technology (ICT) risk management as well as the continuity of financial services in the event of an incident.

DORA thus establishes a single framework applicable to all financial entities and their service providers, guaranteeing harmonized, coherent and strengthened regulation within the EU.

In addition to this harmonization, the regulation aims to improve the ability of businesses to prevent and manage technological incidents. Financial sector stability increasingly rests on reliable digital infrastructures, and IT disruptions can have major economic and operational consequences. By imposing strict requirements, DORA seeks to limit the impact of these incidents and to ensure the continuity of financial services in all circumstances.

This regulation marks a strategic evolution by integrating digital resilience as an essential pillar of financial stability in Europe. It requires companies in the sector to adopt a proactive approach to risks, thus guaranteeing better protection for economic actors and consumers.

2. When does DORA apply? By what date must we comply?

The DORA Regulation has applied since 17 January 2025, 24 months after its publication in the Official Journal of the EU. Businesses must be compliant from that date.

To consult the official text of the regulation, you can access this link to the Official Journal of the EU.

Note: although the regulation is directly applicable, its integration into French law (in particular via the ACPR and the AMF) is still being finalized, which may involve some operational adjustments.

[Figure: Timeline of key DORA milestones 2020–2025: proposal, opinions, adoption, application, supervision]

3. Sectors concerned

The DORA regulation applies to all players in the financial sector as well as to their ICT service providers. The objective is to ensure homogeneous digital resilience across the European financial ecosystem, covering both traditional institutions and new technological players.

The main entities concerned by DORA are:

  • Traditional financial institutions
    → Banks, insurance companies, investment firms and financial market infrastructures. These actors are on the front line in the face of cyber threats and must guarantee the continuity of their services.
  • Fintechs and neo-banks
    → These innovative businesses, which rely heavily on digital technologies, must also comply with DORA to secure their operations and protect customer data.
  • Critical ICT service providers
    → Cloud providers, payment service providers and data hosting providers will have to put in place robust measures to ensure the resilience and robustness of their services (intrusion tests, restoration tests, etc.).

However, a key challenge lies in identifying these providers: each institution must define for itself which ones are critical in terms of their impact on business continuity, which entails increased obligations and rigorous management of digital risks.

4. The five pillars of DORA

[Figure: Infographic of DORA's five pillars: ICT risk management, incident handling, resilience testing, third-party risk, information sharing]

These pillars aim to ensure homogeneous and proactive resilience in the face of cyber threats, guaranteeing the stability of the European financial sector.

5. What controls and risks apply in the event of non-compliance with DORA?

In the event of non-compliance with DORA requirements, supervisory authorities such as the ACPR and the AMF may impose significant financial sanctions. These fines can reach up to 10 million euros or 5% of the company's annual turnover. In addition, non-compliant businesses are exposed to reinforced controls and regular audits. In the most serious cases, a temporary suspension of activity may also be decided.

In addition to sanctions, non-compliance with digital resilience obligations increases the vulnerability of businesses to cyber threats, which can lead to attacks and service interruptions, with a negative impact on their reputation.

It is important to note that the legislation is still being validated by the French Parliament, which leaves room for adjustments before its final implementation.

6. How does DORA impact companies in the financial sector?

The entry into force of DORA requires companies in the financial sector to strengthen the governance of their risks related to information and communication technologies (ICT). They must now integrate cybersecurity into the heart of their business processes, conduct regular resilience tests, and improve the monitoring of their third-party providers. The objective is to test their ability to deal with major incidents and to ensure the security of their external ecosystem. These adaptations aim to increase resilience in the face of cyber threats and to ensure the continuity of financial services.

Main actions to be implemented:

  • Assess the maturity level in digital resilience and define an appropriate roadmap.
  • Train management and operational teams in the challenges of digital resilience.
  • Formalize policies and procedures relating to the management of ICT risks.
  • Set up regular test campaigns and TLPT (Threat-Led Penetration Testing) type audits.

The aspect with the greatest impact, and the most complex to implement, concerns the management of ICT suppliers. DORA imposes a rigorous Third-Party Risk Management (TPRM) approach:

To be set up:

  • Identification of critical suppliers for business continuity.
  • Systematic assessment of supplier risks, with each new contract.
  • Integration of specific contractual clauses for cybersecurity and compliance.
  • Continuous monitoring of the performance and compliance of service providers.

How to proceed:

  • Maintenance of a register of service providers, to be transmitted to the supervisory authority in accordance with DORA requirements.
  • Deployment of TPRM tools to assess cyber score, monitor compliance, and analyze vendor security action plans.
  • Reorganization of the management of contracts and service providers: moving away from working in silos and strengthening collaboration between business units, the IT department, and the purchasing and legal departments.
  • Active fight against shadow IT.

Organizational impacts

Compliance with DORA marks the end of working in silos: cooperation is becoming essential, especially with procurement departments, which are becoming key players in resilience. This regulation is no longer just a matter for the IT department (DSI), the CISO or compliance, but involves the entire organization.

DORA is profoundly transforming IT risk management by unifying cybersecurity, business continuity and procurement processes around common frameworks (in particular the concept of criticality). It also imposes strengthened supervision of third parties to limit supply chain risks and encourages the conduct of resilience exercises involving multiple stakeholders. Finally, DORA focuses on sharing information to improve responsiveness to incidents.

Thus, DORA is initiating a more proactive and resilient digital governance, guaranteeing better risk preparation and increased business continuity in the financial sector.


7. How DORA impacts ICT suppliers

The entry into force of DORA is transforming the expectations and obligations of ICT service providers working with the financial sector. They are becoming essential links in the resilience chain, and their role in digital risk management is considerably strengthened.

New obligations for ICT providers: they will have to

  • Actively participate in resilience and recovery tests organized with their financial sector clients, in order to demonstrate their ability to respond to major incidents.
  • Collaborate in crisis management and business continuity during simulations and exercises imposed by DORA.

How to adapt to DORA?

To meet DORA requirements, ICT providers need to adjust their organization and practices. Here are the main areas to take into account:

  • Determine whether the company is considered a critical supplier by its financial customers and, if necessary, adapt contractual management by signing specific DORA amendments validated by the legal department.
  • Integrate DORA requirements into the internal standards already in place (for example ISO 27001, NIS2) or create a unified framework to centralize all relevant regulatory obligations.
  • Designate a dedicated contact person to manage DORA compliance and organize coordination between the various businesses, projects and management, in order to ensure the follow-up of actions (risk analysis, management of subcontractors, organization of resilience tests, etc.).
  • Use law firms or cybersecurity consulting firms to secure the compliance process and ensure that regulatory requirements are met.

Organizational impacts:

The application of DORA leads to profound changes in the organization and practices of ICT providers. The main impacts are:

  • The customer-supplier relationship is evolving, with suppliers becoming true partners involved in the risk management strategy and the resilience of their customers' financial systems.
  • Governance and processes are strengthened, with the need to professionalize compliance management, to involve new internal actors (legal, management, business) and to structure the monitoring of DORA obligations.
  • Teams must increase their skills, by training in DORA requirements, good cybersecurity practices and crisis management.

8. DORA: beyond the constraints, the benefits

While DORA imposes strict requirements, it is also a real driver of growth for companies in the financial sector.

This regulation should not be seen only as a regulatory constraint, but as a strategic opportunity. It makes it possible to strengthen the management of risks and incidents, to improve competitiveness, to strengthen customer confidence and to anticipate current and emerging threats more effectively.

By better structuring cybersecurity processes, by professionalizing the management of critical suppliers, and by encouraging a culture of resilience, DORA becomes a catalyst for innovation and organizational maturity.