Find out everything about the DORA regulation
1. What is the DORA Regulation?
The DORA (Digital Operational Resilience Act) regulation is a European regulation (Regulation (EU) 2022/2554) which aims to strengthen the digital operational resilience of the financial sector. It imposes strict requirements in terms of cybersecurity governance, ICT risk management, incident reporting, resilience testing, and oversight of critical ICT third-party service providers.
2. When does DORA come into effect?
The regulation entered into force on January 16, 2023, and has applied since January 17, 2025. Financial entities must have been fully compliant by that date.
3. Who is affected by the DORA regulation?
DORA applies to more than 22,000 financial entities in the EU, such as:
- Banks, insurers and reinsurers, payment and electronic money institutions,
- Investment firms, asset managers, crypto-asset service providers,
- Institutions for occupational retirement provision, credit rating agencies,
- And also ICT third-party service providers designated as critical for these entities.
4. What are the main obligations imposed by DORA?
DORA's requirements cover six major areas:
- Strengthened cybersecurity governance, with the management body accountable for ICT risk,
- Structured management of ICT risk, documented in an ICT risk management framework,
- Detection, classification and notification of ICT-related incidents (major incidents must be reported to the competent authority),
- Digital operational resilience testing (including threat-led penetration testing, TLPT),
- Management of ICT third-party risk, with stricter requirements where the outsourced service supports a critical or important function,
- Sharing of cyber threat information and intelligence between financial entities and with authorities.
5. What types of security tests does DORA require?
All financial entities (except microenterprises) must run a digital operational resilience testing programme covering their critical ICT systems and applications, using tests such as vulnerability assessments, scenario-based tests, source code reviews and penetration testing, at least once a year for systems supporting critical or important functions. In addition, DORA imposes threat-led penetration testing (TLPT) at least every 3 years on the financial entities identified by their competent authority as systemically important. These tests simulate the tactics, techniques and procedures of real attackers against live production systems and are aligned with the TIBER-EU framework.
6. What should companies do with their ICT providers?
Financial entities must:
- Update their contracts (mandatory clauses, reversibility, audits, service levels, etc.),
- Assess whether the outsourced ICT service supports a critical or important function,
- Require certifications, audit results and security reports,
- Impose tested business continuity plans and contract exit strategies,
- Secure rights of access, inspection, audit and security testing over their service providers.
7. What are the sanctions in the event of non-compliance?
For critical ICT third-party service providers, periodic penalty payments can reach 1% of average daily worldwide turnover, per day, for up to six months, if they fail to comply with the Lead Overseer's measures. Financial entities themselves are subject to administrative penalties defined by each Member State and may also be ordered to suspend or terminate any contract with a non-compliant service provider.
8. What is the difference between DORA and NIS 2?
DORA is specific to the financial sector and constitutes a "lex specialis" of the NIS 2 directive. NIS 2 applies to a broader spectrum of essential and important entities across many sectors. For financial entities, the two texts coexist, with DORA's sector-specific provisions taking precedence over the corresponding NIS 2 provisions.
9. How do you know if an ICT service provider is critical according to DORA?
A provider may be designated as critical by the European Supervisory Authorities (ESAs) based on criteria such as:
- The systemic impact its failure would have on the stability and continuity of financial services in the EU,
- The systemic importance of the financial entities that rely on it,
- The extent to which financial entities depend on it for critical or important functions,
- Its low substitutability, i.e. the lack of realistic alternative providers or the difficulty of migrating to them.
10. Are there tools or software to facilitate DORA compliance?
Yes, cyber compliance software allows you to:
- Centralize audits, incidents, business continuity plans and the register of ICT contractual arrangements,
- Manage regulatory obligations (ICT risk, security, contracting),
- Continuously monitor compliance with indicators and alerts,
- Get support from DPO or cybersecurity experts.
11. How to start DORA compliance?
- Identify the critical or important functions supported by your information system,
- Map your ICT providers, the functions they support and their criticality (DORA requires a register of information on all contractual arrangements with ICT providers),
- Update contracts according to DORA requirements,
- Assess your security posture, your testing programme and your audits,
- Set up governance, an action plan and a DORA gap audit.