Introduction
In response to the rise of cyber threats and digital risks, the Digital Operational Resilience Act (DORA) now regulates the European financial sector. This new regulation marks a major turning point for digital security in the sector.
The DORA regulation aims to strengthen digital resilience, secure operations, and protect citizens. In this article, we detail the five essential levers for successfully complying with the Digital Operational Resilience Act.
1. Understanding the DORA Directive
1.1. What is the DORA Directive?
Adopted on December 14, 2022, and effective in early 2025, the DORA directive is aimed at financial sector players. It was adopted in response to the rise in cyberattacks and aims to protect the European financial system.
DORA provides a supervisory framework to strengthen digital operational resilience and harmonize practices across all EU countries.
1.2. The objectives of the DORA regulation
The DORA regulation takes a comprehensive view of digital operational resilience. The idea is to implement better management of risks that could destabilize the entire financial sector.
In concrete terms, the DORA Directive aims to ensure a high level of resilience and pursues the following objectives:
- Ensuring business continuity: Companies must have backup plans in place to remain operational despite incidents such as server failure or power outages.
- Reducing the impact of criminal cyberattacks: The directive requires better detection of and response to cyberattacks.
- Harmonizing cybersecurity and risk management requirements: All European banks and financial institutions must follow the same rules for managing digital risks. This facilitates oversight by regulators and reduces security gaps between countries.
- Isolating major incidents: The DORA directive ensures that an IT problem in one company does not spread and affect other market players. The aim is to avoid a domino effect that could disrupt the entire financial system.
- Managing dependencies on critical technology providers: Companies must identify the risks associated with their essential suppliers, such as cloud or software providers, and plan for alternative solutions.
2. Who is affected by the application of the DORA Directive?
The DORA directive applies to a very broad range of entities in the financial and technology sectors, extending well beyond traditional banks, reflecting the rapid evolution of digital finance in Europe.
Financial entities directly concerned
- Banks, money institutions, payment institutions, and credit institutions: These are the main players in the financial system. These structures handle sensitive data and ensure the flow of funds. They are particularly targeted by the DORA directive because a failure or cyberattack can block transactions and create a domino effect on the financial system.
- Insurance and reinsurance companies: Insurers and reinsurers manage large volumes of clients' financial data. They are targeted because a digital failure could prevent the payment of claims or the management of contracts, which could impact financial stability.
- Management companies and investment funds: Management companies or fund managers and investment funds handle financial portfolios and strategic information. An interruption in their systems can distort the valuation of funds.
- Trading platforms and market infrastructures: Stock exchanges, trading platforms, and central depositories manage the circulation of financial assets. They must comply with enhanced security requirements. Any failure can create systemic risk for the entire financial system, impacting the resilience of infrastructures.
- Credit rating agencies: Credit rating agencies assign credit ratings that influence financial markets. The DORA regulation requires them to secure their systems to prevent data manipulation or loss.
- Fintech, crowdfunding platforms, and PSANs (Digital Asset Service Providers): These innovative digital players manage financial services, often online. DORA includes them to strengthen their security and prevent cyberattacks from disrupting transactions, fundraising, or crypto-asset management.
Third-party service providers and technology partners
Although the DORA directive is primarily aimed at financial institutions, it also applies to their critical technology providers or service providers (hosting providers, cloud services, SaaS software, or IT outsourcing providers). These third-party service providers must demonstrate that they comply with security and continuity standards. In practical terms, DORA requires technology providers to ensure that their services comply with the requirements of the regulation and do not jeopardize the security or operation of financial entities.
Special cases: subsidiaries outside the EU and processors
The application of the DORA directive is not limited to European borders. Non-European subsidiaries of a group subject to DORA must also comply with its management framework when they are involved in providing services to EU entities. Similarly, technology subcontractors are indirectly impacted by the operational implementation of DORA requirements.
3. Key obligations and deliverables for DORA compliance
The DORA Directive imposes the following obligations:
3.1. Governance and responsibilities: roles, committees, and reporting
DORA requires that every company clearly knows who is responsible for what, and that compliance is monitored and coordinated at all levels. This means:
- Appointing responsible persons: senior management, the Risk Manager, the CIO (Chief Information Officer) or the DPO (Data Protection Officer).
- Creating internal committees: working groups that regularly check that DORA rules are being properly applied.
- Monitoring and reporting incidents: these committees report progress to senior management to ensure that compliance remains a strategic priority.
3.2. ICT risk management and operational resilience
The DORA directive requires companies to systematically manage digital risks. This means identifying their critical systems and data, pinpointing weaknesses, and implementing a security policy and appropriate cybersecurity measures within a consistent management framework. Companies must also have continuity and disaster recovery plans in place, with indicators to verify that everything is functioning in accordance with the security requirements defined by the DORA Directive.
3.3. Incident notification process
DORA requires companies to quickly identify IT incidents and understand their severity. They must have clear rules and define precise classification criteria for better incident classification. Everything must be written down, tested regularly, and integrated into an incident management process. This ensures that compliance remains a strategic priority within the European supervisory framework.
3.4. Resilience testing
DORA requires companies to regularly test their ability to withstand various types of IT incidents. These tests may include:
- practical exercises,
- business continuity plan (BCP) simulations,
- threat-led penetration testing (TLPT).
Regular testing then enables continuous improvement in security and resilience, providing better protection against new operational threats.
3.5. External relationships: service providers, third-party service providers
The DORA directive requires companies to closely monitor their third parties and critical service providers. This means including specific obligations in contracts regarding security, continuity, and auditability. Companies must also regularly monitor service providers and conduct audits to ensure that they comply with these rules and limit the risks associated with dependence on a single supplier.
4. Anticipate inspections and penalties
To ensure that the DORA directive is properly implemented, financial companies are subject to oversight by national and European supervisory authorities:
- In France: the ACPR (Prudential Supervision and Resolution Authority) and the AMF (Financial Markets Authority).
- At European level: the EBA (European Banking Authority), the ESMA (European Securities and Markets Authority) and the EIOPA (European Insurance and Occupational Pensions Authority).
Thanks to technical regulatory standards, these authorities can intervene if compliance rules are not followed.
What are the penalties for non-compliance?
Failure to comply with the European supervisory framework established by the DORA Directive may result in heavy penalties:
- Significant financial penalties.
- Restrictions on activities or suspension of certain services.
- Prohibition on certain third-party providers from continuing to provide their services.
Furthermore, delays or failure to report or notify incidents constitute a breach of the reporting obligations set out in the DORA Directive and may result in additional measures. Beyond financial penalties, companies are exposed to legal and reputational consequences, which is particularly critical in a sector where the trust of clients and partners is essential.
How to prepare for DORA audits and inspections
To prepare for DORA inspections, companies must demonstrate their sound risk management by proving that they are managing digital risks appropriately. The authorities will examine:
- Documentation and traceability: records, technical logs, and operational information must be complete and accessible, in accordance with the requirements of the regulation.
- Response capability: demonstrate how the company detects and manages incidents, tracks threats, and applies the measures set out in the DORA management framework.
Here, the principle of proportionality applies: a systemic bank will be more closely monitored than a small Fintech company, but in the interests of transparency, no structure is exempt from monitoring.
5. Successfully implementing DORA compliance
5.1. Assess gaps and set priorities
The first step is to identify potential blockers by assessing the gap between the organization's current practices and the requirements of the DORA directive. This analysis helps identify areas for improvement and set priorities. For successful implementation, DORA compliance actions must be prioritized based on their criticality and potential impact on operational resilience, while relying on a comprehensive continuity policy.
5.2. Developing the roadmap and steering
Successful implementation requires a clear roadmap backed by a realistic timeline. Management must allocate financial and human resources, integrate the DORA directive into their governance, and establish regular oversight at the committee level. The goal is to ensure the organization's stability in the face of digital threats, build a solid resilience strategy, and guarantee ongoing compliance monitoring.
5.3. GRC tools and compliance monitoring
To successfully comply with the DORA directive, companies must centralize and structure the management of their digital risks, particularly for their critical IT systems. The adoption of governance, risk, and compliance (GRC) tools is essential to achieving this goal.
These tools enable you to:
- Monitoring key performance indicators: for example, the average time taken to detect an incident or the compliance rate of internal processes.
- Managing incidents effectively: each incident can be recorded, classified, and tracked until it is resolved, facilitating rapid decision-making and preventing future problems.
- Generating reports for audits: GRC tools centralize all the information needed to demonstrate compliance with DORA requirements to the authorities, thereby simplifying controls and reducing the risk of errors or omissions.
5.4. Rely on experts and train teams
Calling on specialized firms can facilitate the structuring of the compliance project and the performance of external audits. At the same time, it is imperative to train key teams: senior management, data protection officers (DPOs), information system security managers (RSSIs), and compliance teams. Practical sessions, DORA webinars, multimedia resources such as explanatory videos, a dedicated website page, and specific training courses should be organized to effectively prepare for audits.
Conclusion
The DORA directive requires financial institutions and their service providers to adopt a rigorous and harmonized approach to digital resilience: clear governance, ICT risk management, incident monitoring, regular testing, and appropriate contractual clauses. For executives, compliance officers, DPOs, and CISOs, the challenge is twofold: anticipating regulators' expectations and protecting their organization in the long term. Success requires a structured methodology: analyzing gaps, defining a roadmap, mobilizing resources, documenting processes, and supervising service providers.
Beyond a regulatory obligation, the Digital Operational Resilience Act is a lever for trust, continuity, and competitiveness. The earlier the anticipation, the more controlled the transition, transforming compliance into a real strategic asset.