The DORA regulation in the financial sector: mandatory compliance

Yannick, 19 February 2026

Against a backdrop of increasingly frequent IT incidents, security failures and cyber-attacks, the European Union adopted the DORA regulation (Regulation (EU) 2022/2554) in December 2022.

DORA stands for Digital Operational Resilience Act. This regulation aims to strengthen the cybersecurity and IT resilience of the entire European financial sector. It is an essential pillar of the European Union's digital strategy, and marks a decisive step towards harmonizing the management of risks linked to information and communication technologies (ICT).

DORA does not merely issue recommendations: it imposes binding legal obligations for ICT risk management and business continuity on financial entities operating in the European Union. The regulation entered into force on 16 January 2023 and has applied since 17 January 2025.

It should be noted that a regulation is directly applicable in every Member State once it enters into force, unlike a directive (e.g. NIS2), which must first be transposed into the national law of each country.

DORA is also lex specialis with respect to NIS2: rules specific to the financial sector take precedence over the general directive. In practice, in-scope financial entities therefore apply DORA's requirements for risk management and incident reporting rather than those of NIS2.

Who is affected by the DORA regulation?

DORA's scope of application is particularly broad. It applies to a multitude of entities in the financial sector, including:

  • banks,

  • insurance and reinsurance companies,

  • investment companies,

  • payment and electronic money institutions,

  • market infrastructures (clearing houses, central depositories, trading platforms),

  • asset management companies,

  • crowdfunding service providers,

  • credit rating agencies,

  • and, notably, critical third-party ICT service providers (such as cloud or software providers).

The scope of DORA is deliberately broad so as to cover the entire digital value chain: not only traditional players, but also newer ones such as crypto-asset service providers, crowdfunding platforms and payment institutions.
A major novelty is the direct inclusion of third-party providers of ICT (information and communication technology) services, such as cloud or data center providers, within the scope of the regulation.

This demonstrates the EU's determination to establish a uniform regulatory framework covering the entire digital value chain in the financial sector.

However, the regulation applies a principle of proportionality: requirements are adapted to the size and risk profile of the entity. Microenterprises (fewer than 10 employees and an annual turnover or balance sheet total not exceeding €2 million) and certain small entities benefit from a simplified ICT risk management framework.

The pillars of DORA

The DORA regulation is based on five fundamental pillars:

Figure: the five main pillars of the DORA regulation

1. ICT (Information and Communication Technology) risk management

Cyber risk management is no longer just an IT issue. The responsibility now lies with the management body. Digital risk is becoming a strategic risk, managed at the highest corporate level.

Entities need to put in place robust governance frameworks to identify, protect, detect, respond to and recover from ICT incidents. This includes maintaining systems, internal controls and oversight arrangements for digital technology security.

  • Identify: An exhaustive and up-to-date mapping of business functions, information assets and third-party dependencies is required. The entity must continuously identify its sources of risk and assess the criticality of its assets (Article 8).

  • Protect: Implement proactive defense strategies including data encryption, rigorous identity and access management (IAM), as well as vulnerability management and patching policies to guarantee system availability, integrity and confidentiality (Article 9).

  • Detect: Deployment of continuous monitoring mechanisms capable of rapidly identifying abnormal activities, performance incidents and single points of failure, with defined alert thresholds to trigger an immediate response (Article 10).

  • Respond and recover: Establishment of regularly tested business continuity plans (BCP) and incident response plans. The aim is to contain incidents, limit damage and ensure rapid resumption of critical functions via documented crisis management procedures (Article 11).

  • Backup: Definition of proven backup policies and restoration procedures. Backup systems must be physically and logically segregated from the source systems so that data can always be recovered from an uncompromised copy (Article 12).

  • Learn: Continuous improvement of the security framework based on post-incident reviews (lessons learned), monitoring of cyber threats, and mandatory training of staff and management, so that the resilience strategy keeps pace with technological developments (Article 13).

This framework has many similarities with the ISO 27001 standard, particularly with regard to the risk-based approach and continuous improvement, which is advantageous for entities that are already certified.

2. ICT incident management

Major IT incidents must no longer be dealt with in silos. They must be identified, recorded, classified and, where necessary, reported to the appropriate authorities according to a strict formalism.
Entities must establish a comprehensive management framework built around three axes:

  • The incident management process: Entities must define robust procedures for detecting, managing and reporting incidents (Article 17). This process must include early warning indicators, clear assignment of roles and responsibilities, and communication plans for stakeholders (internal staff, customers, regulators). A key DORA requirement is root cause analysis, at least for major incidents, to prevent recurrence.

  • Classification criteria: To determine whether an incident is "major" and therefore subject to a reporting obligation, the entity must evaluate it according to precise criteria (Article 18). These criteria include the number of customers or counterparties affected, the duration of the incident, its geographical distribution, the loss of data (integrity, confidentiality, availability), the criticality of the services affected, and the direct and indirect economic impact.

  • Notification obligations and deadlines: Article 19 of the regulation, supplemented by Article 5 of Delegated Regulation (EU) 2025/301, imposes a very tight reporting timetable for major incidents:

  • Initial notification: As early as possible and no later than 4 hours after the incident has been classified as major, with an absolute limit of 24 hours after the entity became aware of the incident. Whichever of the two comes first is the binding deadline.

  • Intermediate report: Within 72 hours of submitting the initial notification, or earlier as soon as a significant change in the situation occurs.

  • Final report: No later than one month after submitting the intermediate report (once the incident is resolved and the root cause analysis completed).

  • Please note: For certain categories of entity these deadlines run regardless of weekends and public holidays.
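As an added worked example (not part of the original article), the following Python computes the three deadlines from the timestamps an incident handler actually records. It shows how the 4-hour and 24-hour windows interact (the binding initial deadline is whichever comes first) and that each later clock starts from the actual submission of the preceding report, not from its due date. The scenario timestamps are constructed; treating "one month" as a calendar month clamped to month end is an assumption, and the weekend and public holiday rules mentioned above are not modelled.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Time limits as summarised on this page (DORA Art. 19 and Delegated
# Regulation (EU) 2025/301, Art. 5).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_MONTHS_AFTER_INTERMEDIATE = 1  # "one month": calendar month, an assumption


def add_months(ts: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps to the last day of the target
    month, so 31 January + 1 month gives 28 (or 29) February instead of
    overflowing into March."""
    month_index = ts.month - 1 + months
    year, month = ts.year + month_index // 12, month_index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingTimeline:
    initial_due: datetime
    intermediate_due: datetime
    final_due: datetime
    initial_cap_binding: bool  # True when the 24h-from-awareness cap cut the 4h window short


def initial_notification_due(aware_at: datetime, classified_at: datetime) -> datetime:
    """Initial notification: within 4 hours of classification as major, but
    never later than 24 hours after the entity became aware of the incident."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness of the incident")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               aware_at + INITIAL_AFTER_AWARENESS)


def reporting_timeline(
    aware_at: datetime,
    classified_at: datetime,
    initial_submitted_at: Optional[datetime] = None,
    intermediate_submitted_at: Optional[datetime] = None,
) -> ReportingTimeline:
    """Derive the three deadlines. Later clocks start from the actual
    submission of the preceding report; until that has happened, the
    preceding due date is used as a planning estimate."""
    for ts in (aware_at, classified_at, initial_submitted_at, intermediate_submitted_at):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("use timezone-aware timestamps so deadlines are unambiguous")
    initial_due = initial_notification_due(aware_at, classified_at)
    cap_binding = initial_due < classified_at + INITIAL_AFTER_CLASSIFICATION
    intermediate_due = (initial_submitted_at or initial_due) + INTERMEDIATE_AFTER_INITIAL
    final_due = add_months(intermediate_submitted_at or intermediate_due,
                           FINAL_MONTHS_AFTER_INTERMEDIATE)
    return ReportingTimeline(initial_due, intermediate_due, final_due, cap_binding)


if __name__ == "__main__":
    # Constructed scenario: an outage noticed at 09:00 UTC on 3 March 2025 is
    # only classified as major 22 hours later, once the impact is assessed.
    # The 4h window would end at 11:00 the next day, but the 24h cap expires
    # at 09:00, so the cap is what binds.
    aware = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    classified = aware + timedelta(hours=22)
    tl = reporting_timeline(aware, classified)
    print("initial due     :", tl.initial_due.isoformat(),
          "(24h cap binding)" if tl.initial_cap_binding else "")
    print("intermediate due:", tl.intermediate_due.isoformat())
    print("final due       :", tl.final_due.isoformat())
```

The `initial_cap_binding` flag is worth surfacing in an incident tracker: a long impact assessment silently eats into the notification window, and the team needs to know when the absolute cap, not the classification time, is driving the deadline.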

3. Digital operational resilience testing

Entities must establish a comprehensive, risk-based testing program to assess their ability to prevent, detect and respond to incidents. The DORA regulation distinguishes between two levels of requirement:

  • Regular and diversified testing: All financial entities (except microenterprises under the simplified regime) must test the ICT systems supporting critical or important functions at least once a year. Article 25 is not limited to penetration tests; it calls for a range of methods, including vulnerability assessments and scans, network security assessments, gap analyses, source code reviews, scenario-based tests, and compatibility and performance testing. The aim is to cover the entire potential attack surface.

  • Advanced testing (TLPT): Financial entities identified as significant must carry out threat-led penetration testing at least every three years (for more information, please see our article on DORA and Threat-Led Penetration Testing). These are high-intensity red-team exercises conducted against live production systems, simulating the tactics, techniques and procedures (TTPs) of real attackers, and are governed by technical standards based on the TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming).
    A critical point in this requirement is the extension of scope: if a critical function is outsourced, the third-party ICT provider must be included in the test.

4. Managing third-party ICT suppliers

The DORA regulation represents a major paradigm shift: third-party risk management is no longer a mere administrative formality, but a critical component of resilience strategy. The fundamental principle laid down by Article 28 is that of the full responsibility of the financial entity. Outsourcing a function, even a critical one, never transfers regulatory responsibility to the service provider.

To operationalize this principle, DORA imposes four major axes:

  • An Information Register: Entities must maintain a comprehensive register of all contractual agreements with ICT third parties. This document, which distinguishes between critical and non-critical functions, must be made available to the competent authorities and communicated to them annually (Article 28). It forms the basis for the regulator's analysis of concentration risk.

  • Reinforced contractual requirements (Article 30): The regulation imposes a strict contractual formalism. All contracts must specify data location, service levels (SLAs) and security measures to guarantee data availability, integrity and confidentiality.
    For critical functions, the requirements go even further: the contract must provide for unlimited access, inspection and audit rights for the financial entity and its regulators. In addition, clauses must guarantee the full recovery and restitution of data in the event of the service provider's insolvency or cessation of activity.

  • Exit and continuity strategies: In order to avoid any technological lock-in (vendor lock-in), the entity must define and test exit strategies for its critical service providers. These plans must ensure that it is possible to terminate the contract without disrupting operations, by migrating services to another third party or reintegrating them internally, while ensuring operational continuity during the transition phase.

  • Monitoring of Critical Third Parties: Service providers deemed critical at European level (e.g. cloud giants) will be subject to direct monitoring by the European Supervisory Authorities (ESAs), financed by fees. Non-EU critical service providers will have to set up a subsidiary in the EU within 12 months in order to continue operating.

5. Information and cooperation

Entities need to share relevant cyber threat intelligence with other industry players, and cooperate closely with supervisory authorities for more effective analysis of systemic risks.

Fines for non-compliance

Failure to comply with the regulation can have significant legal and financial consequences. DORA leaves the definition of penalties to the Member States (Article 50), and national competent authorities may impose fines running to several million euros, depending on the seriousness of the breach.

The DORA regulation also provides for administrative measures, such as:

  • orders to cease the infringing conduct and to comply;

  • restrictions on activities;

  • withdrawal of authorisation for certain functions or entities.

Critical third-party ICT service providers are subject to specific oversight by a designated Lead Overseer (one of the ESAs), which can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for failure to comply with its requirements.

The link between DORA regulations and ISO 27001

The ISO/IEC 27001 standard is an international benchmark for information security management. It provides a recognized framework for implementing, maintaining and continuously improving information security within an organization.

Although DORA is a legally binding regulation and ISO 27001 is a voluntary standard, both share many principles:

  • Risk-based approach (DORA article 5 => ISO 27001:2022 §5.1 / A5.31 / A5.34 / A5.35 / A5.36 / A6.3 )

  • Implementation of security controls

  • Supplier management

  • Incident response

  • Continuous improvement of security

For example, a company that is already ISO 27001 certified is generally well positioned to meet DORA requirements - subject to the addition of aspects specific to European regulations, such as reporting incidents to the authorities and structuring the relationship with external service providers from a regulatory angle.

Conclusion

The DORA regulation represents a structuring transformation for the European financial sector. It imposes new measures in digital risk management and strengthens corporate responsibility in the face of growing technology-related threats. By integrating DORA's principles into their cyber resilience strategy, organizations are not just meeting a regulatory obligation: they are preparing for a safer, more stable and more resilient digital environment. Investing in DORA today means anticipating tomorrow's challenges.

In short: DORA is not just a regulatory constraint, it's an opportunity to strengthen digital confidence in an increasingly digitalized financial world.
