How to comply with DORA?
Summary
1. Introduction: DORA in brief
The Digital Operational Resilience Act (DORA) is a European regulation that imposes new obligations in cybersecurity, digital resilience, ICT provider management and incident reporting for the entire financial sector. It comes into force on January 17, 2025.
Its objective: ensure that all financial entities and their IT providers can withstand, respond to and recover from a cyber incident or digital failure.
2. Why comply with DORA?
- Legal obligation: DORA is a European regulation and is therefore directly applicable, with no national transposition required.
- Cyber risk reduction: anticipation of major incidents.
- Increased confidence from customers, partners and authorities.
- Avoiding sanctions: a penalty of 1% of global turnover per day for non-compliant service providers.
- Complementarity with GDPR, NIS 2, ISO 27001: DORA strengthens your overall compliance posture.
3. Which companies are affected by DORA?
DORA concerns all European financial entities, including:
- Banks, insurers, mutual societies
- Asset management companies
- Crypto-asset platforms
- Retirement institutions, crowdfunding platforms
- ICT service providers (hosting providers, software publishers, SaaS vendors, outsourcing providers, etc.)
In total, more than 22,000 entities in Europe are affected.
4. The 6 main pillars of the DORA regulation
- ICT governance and cybersecurity
- Risk management related to information and communication technologies
- Incident detection, classification and reporting
- Carrying out resilience tests (including threat-led penetration testing, TLPT)
- Supervision of ICT service providers (contracts, audit, exit strategy)
- Sharing of information between financial players and authorities
5. Key steps to becoming compliant with DORA
- Identify critical functions: map your critical business and IT processes and classify them according to their impact on the activity.
- Evaluate your ICT risks: implement a risk management methodology covering vulnerabilities, obsolescence, dependencies, attack scenarios, etc.
- Update your contracts with ICT service providers: add the clauses required by DORA (audit, reversibility, penetration testing, incident reporting, SLA, exit plan, etc.).
- Structure your cybersecurity governance: define roles, committees, security policies and internal training, and implement a business continuity plan (BCP).
- Implement a test and audit plan: schedule your internal audits, vulnerability scans, recovery tests and threat-led penetration testing (TLPT).
- Document and trace all your actions: use a cyber compliance solution that ensures traceability, versioning, reporting and audit evidence.
6. What are the risks in the event of non-compliance?
- Financial sanctions: up to 1% of global revenue per day for 6 months for critical providers.
- Termination of contracts imposed by the regulator (AMF, ACPR, AES).
- Direct liability of the financial entity, even where the failure lies with a subcontractor.
- Loss of confidence among customers, partners and investors.
- Exclusion from calls for tenders or regulated markets.