DORA Regulation


What is the DORA regulation?

The Digital Operational Resilience Act (DORA) is a European regulation adopted in 2022 that applies to banks, insurance companies, and other financial services actors from January 17, 2025.

Its objective is to strengthen the digital operational resilience of the entire EU financial sector, in a context of increasing cyberattacks and growing dependency on technology. By harmonizing rules across all Member States, DORA ensures that the various sector players can be resilient.

Entities must be able to withstand, respond to, and recover effectively from any IT incident (cyberattack, major outage).

Who is affected by DORA?

The DORA regulation applies to financial entities, covering 21 different types of actors such as:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Crypto-asset service providers
  • Asset management companies
  • Pension institutions
  • Etc.

It applies both to financial entities and to their ICT service providers that deliver a critical or important function, meaning a function whose disruption could seriously affect the financial stability, service continuity, or regulatory compliance of a financial entity.

In France, this potentially represents hundreds of supervised entities that will be overseen by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), which is affiliated with the Banque de France.

Financial market entities remain subject to the Autorité des Marchés Financiers (AMF).

DORA is a lex specialis of the NIS 2 Directive: financial entities subject to both must comply with NIS 2 and DORA.

Operators of vital importance remain subject to the Military Programming Law, which is more stringent, and will not be supervised by the ACPR under DORA.

What are the requirements of the DORA regulation?

DORA establishes a common baseline for financial entities built around five key pillars that structure their obligations:

01

Risk management

  • Establish an IT risk governance framework
  • Conduct a comprehensive and in-depth ICT risk analysis
  • Regularly monitor and test systems and implemented security measures to ensure organizational resilience
  • Ensure continuous risk tracking
  • Produce an annual report at the request of the supervisor (ACPR or AMF)

02

Incident management and notification

  • Protect the availability of essential and core functions through resilience measures
  • Implement a BCP/DRP
  • Establish an IT security incident classification mechanism
  • Notify any major incident to the supervisor (ACPR or AMF)

03

Operational resilience testing

  • Standard tests:
    • Annual business continuity exercises
    • Disaster recovery tests
    • Crisis management exercises
    • Vulnerability scans
    • Penetration tests
    • Etc.
  • Advanced tests: threat-led penetration testing (TLPT) every 3 years for certain significant entities

04

Critical third-party risk management

  • Identify and monitor ICT service providers
  • DORA-specific contractual clauses and critical provider clauses
  • Register of third-party ICT service providers
  • Audit of critical third-party providers
  • Exit strategy for services supporting critical functions

05

Information sharing

  • Information sharing on cyber threats and vulnerabilities
  • Participation in information-sharing groups

In summary, DORA provides a holistic view of digital resilience in the financial sector. It does not merely require the deployment of firewalls or annual penetration tests: it mobilizes all corporate functions (executives, CISO, IT teams, risk managers, compliance) to ensure a coordinated response and maintain business continuity in the event of an incident.

The regulation places equal emphasis on preparation (risk anticipation, testing) and incident response. It often aligns with principles already present in banking regulations: for example, the French decree of November 3, 2014 (banking internal control) has required institutions since 2021 to establish an IT risk management organization integrating information system security and business continuity.

What are the penalties for non-compliance with the DORA regulation?

The DORA regulation introduces a strengthened sanctions regime to deter financial entities and critical providers from failing to comply with its requirements.

Penalties vary depending on the entity that does not comply with the regulation:

For financial entities

Administrative fines of up to EUR 10 million or 5% of total annual turnover.

For critical providers

Daily penalty payments, for up to 6 months, equivalent to 1% of average daily worldwide turnover.

It should be noted that Member States may choose to apply criminal sanctions instead of administrative sanctions where such sanctions already exist under national law.

The ACPR and AMF will have the authority to conduct investigations, carry out inspections, and issue injunctions targeting non-compliant practices, potentially leading to the suspension of such practices.

How to prepare for the DORA regulation?

The DORA regulation has applied since January 17, 2025.

It represents a major step forward in strengthening the resilience of financial infrastructures and should help better protect them against cyberattacks.

Here is a practical guide to help you prepare:

Assess your situation

Identify whether your organization falls within the scope of the DORA regulation

  • The regulation targets more than twenty types of financial entities
  • Requirements vary depending on the size of your organization, which may benefit from a simplified or lighter regime

Conduct an in-depth cybersecurity risk analysis

  • Identify your critical assets, potential threats, and existing vulnerabilities
  • This analysis will help define priorities for implementing security measures

Implement the necessary security measures

Apply the core requirements of the DORA regulation

  • This includes implementing risk management, security, data protection, and incident management measures for both your services and your organization
  • You may refer to implementing regulations and practical guides published by competent authorities for detailed guidance

Strengthen your existing security measures

  • Assess whether your current practices comply with DORA regulation requirements
  • Update your security policies, procedures, and technologies if necessary

Adopt a proactive risk management approach

  • Implement continuous monitoring and detection mechanisms to identify cyber threats and potential intrusions in real time
  • Deploy preventive protection measures such as strict access control and regular product updates

Strengthen your incident and vulnerability management capabilities

Develop a documented incident response plan

  • This plan must define roles, responsibilities, and procedures to follow in the event of a cyberattack
  • It must also include communication and system restoration plans

Test your vulnerabilities

  • Carry out regular security testing (configuration audits or penetration testing) to continuously improve your security

Seek expert advice and support

Do not hesitate to seek assistance from cybersecurity consultants and experts

  • These professionals can help you assess risks, implement required security measures, and prepare for compliance audits

Stay informed about regulatory developments and new cyber threats

  • Subscribe to communications from competent authorities and participate in webinars and training sessions related to the DORA regulation

Our team has deep experience in the financial sector: we closely followed the development of DORA and helped several pilot banks and insurers anticipate its implementation.

Ziwit offers a pragmatic approach to DORA compliance, from the initial gap analysis to the deployment of required processes (e.g. development of the ICT risk management plan, redesign of the business continuity plan according to new standards, implementation of the outsourcing register, etc.).

Our approach prioritizes synergy with NIS2 and ISO 27001 obligations: rather than treating DORA as an additional silo, we help our clients build an integrated management system covering NIS2, DORA, ISO 27001, and ACPR controls, avoiding duplication and optimizing resources.

A need for an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities.