EBIOS Risk Manager: a governance lever to secure digital performance

In a context where organizations rely on interconnected digital ecosystems, the control of cyber risk becomes an issue of governance as well as an operational imperative.

The EBIOS Risk Manager method, published by ANSSI, provides a structured framework to assess digital risks, define realistic priorities and guide security decisions at the strategic level.

EBIOS RM offers a pragmatic reading of the threat, combining compliance, attack scenarios and the organization's exposure through its ecosystem. It makes it possible to articulate the vision of the executive committee (COMEX), the business needs and the technical imperatives in order to strengthen the sovereignty and resilience of the organization.

1. Structure the governance of digital risk

The method is based on an iterative process, aligned with international standards (ISO 31000, ISO/IEC 27005), which makes it possible:

  • to identify missions, business values and critical dependencies;

  • to objectively measure the potential impacts;

  • to mobilize decision-makers on priority risks;

  • to integrate regulatory requirements (NIS2, GDPR, DORA…).

In this sense, EBIOS RM constitutes a governance foundation that goes beyond simple technical analysis to structure a coherent security strategy at the company level.

    2. A threat and ecosystem-oriented reading

    One of the major contributions of the method is the analysis of stakeholders: service providers, partners, suppliers, subsidiaries and outsourced services.
    The ecosystem threat map (the "dangerousness" map of stakeholders), central to workshop 3, highlights:

    • the most exposed digital relationships;

    • the structuring dependencies;

    • the weaknesses that can serve as an entry point for targeted attacks.

    This approach lets organizations make informed decisions: contract reinforcement, cyber maturity requirements for partners, privilege limitation, segmentation and oversight mechanisms.
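Rating the stakeholders of the ecosystem can be made concrete with the threat-level formula of the EBIOS RM guide (workshop 3): each party is scored from 1 to 4 on dependence, penetration, cyber maturity and trust, and its threat level is (dependence × penetration) / (maturity × trust). The Python script below is an added example, not code from the original page nor ANSSI tooling; the sample stakeholders and the control/watch/danger thresholds are assumptions made for the example.

```python
from dataclasses import dataclass

# Each EBIOS RM criterion is rated on a four-level scale (1 = low, 4 = high).
SCALE = range(1, 5)


@dataclass(frozen=True)
class Stakeholder:
    name: str
    dependence: int   # how much the mission depends on this party
    penetration: int  # how far the party reaches into our systems and data
    maturity: int     # the party's own cyber maturity
    trust: int        # trust placed in the party's intentions and reliability

    def __post_init__(self) -> None:
        for criterion in ("dependence", "penetration", "maturity", "trust"):
            if getattr(self, criterion) not in SCALE:
                raise ValueError(f"{criterion} must be rated 1 to 4")


def threat_level(s: Stakeholder) -> float:
    """EBIOS RM threat level: exposure divided by cyber reliability, where
    exposure = dependence x penetration and reliability = maturity x trust.
    The ratio ranges from 1/16 (best case) to 16 (worst case)."""
    exposure = s.dependence * s.penetration
    reliability = s.maturity * s.trust
    return exposure / reliability


# Zone boundaries are an assumption for this example: the ANSSI guide leaves
# the control / watch / danger thresholds to each organisation.
WATCH_THRESHOLD = 1.0
DANGER_THRESHOLD = 3.0


def zone(level: float) -> str:
    """Place a threat level in the control, watch or danger zone."""
    if level > DANGER_THRESHOLD:
        return "danger"
    if level > WATCH_THRESHOLD:
        return "watch"
    return "control"


def rank_ecosystem(stakeholders):
    """Return (name, threat level rounded to 2 decimals, zone),
    most threatening stakeholder first."""
    rows = []
    for s in stakeholders:
        level = threat_level(s)
        rows.append((s.name, round(level, 2), zone(level)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample ecosystem for the example (not real assessment data).
SAMPLE = [
    Stakeholder("managed SOC provider", dependence=4, penetration=4, maturity=3, trust=3),
    Stakeholder("payroll SaaS",         dependence=3, penetration=2, maturity=1, trust=1),
    Stakeholder("cleaning contractor",  dependence=1, penetration=2, maturity=1, trust=2),
    Stakeholder("cloud IaaS",           dependence=4, penetration=3, maturity=4, trust=4),
]

if __name__ == "__main__":
    for name, level, z in rank_ecosystem(SAMPLE):
        print(f"{name:22s} threat level {level:5.2f}  {z}")
```

The point the ranking makes visible is that the threat level is a ratio, not an impact score: a modest payroll SaaS with low maturity and low trust ends up in the danger zone, while the hyperscaler on which the whole infrastructure depends stays in the control zone because its reliability offsets the exposure. The treatment options then follow the denominator and the numerator separately: raise maturity and trust (contractual requirements, audits) or lower penetration (least privilege, segmentation).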

    3. Risk scenarios to pilot investments

    EBIOS RM focuses on the construction of strategic and operational scenarios, which link:

    • a source of risk,

    • a target objective,

    • a credible attack path,

    • exploitable vulnerabilities.

    This approach facilitates pragmatic arbitration at the COMEX level:

    • what risk to accept?

    • what risk to treat immediately?

    • where to invest as a priority?

    • which maturity trajectory to aim for?

    The scenarios thus become a tool for dialogue between the business lines, the IT department, the CISO and governance.

    4. A framework to strengthen sovereignty, resilience and compliance

    The method naturally integrates with major regulatory and security frameworks:

    • NIS2: risk management, supplier control, detection and resilience.

    • DORA: impact analysis, ICT third-party exposure management, threat-led penetration testing (TLPT).

    • SecNumCloud: control of third parties and traceability.

    • GDPR: data protection impact assessment (DPIA) methodology.

    It also supports a digital sovereignty approach by identifying critical dependencies, particularly those related to cloud services or providers subject to non-European legal regimes.

    5. A decision support tool for the COMEX

    For a leader, EBIOS RM offers:

    • a consolidated vision of digital risk;

    • priorities based on tangible elements;

    • an ability to rationally arbitrate investments;

    • a clear and controllable maturity ramp-up path;

    • an explicit risk acceptance and monitoring framework.

    In this, the method becomes a governance instrument that aligns strategy, security and performance.

    The bottom line

    EBIOS Risk Manager goes beyond the compliance logic to offer a true digital risk management approach, oriented towards decision-making and sustainable performance.

    It gives organizations the means to secure their essential missions, anticipate advanced attacks and strengthen their digital sovereignty in an increasingly exposed environment.

    DORA Regulation: a strategic turning point for the operational resilience of the European financial sector

    The DORA regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554), applicable since 17 January 2025, establishes a unified European framework to ensure the digital operational resilience of all financial entities.

    Unlike a directive, which must be transposed into national law, DORA is a regulation that is directly binding in all 27 member states.

    Its purpose: to ensure that all players in the financial sector have robust prevention, detection, management and recovery capabilities against ICT incidents, cyber attacks and major disruptions, including those originating at their technology providers.

    A reading of the regulation itself reveals a mechanism that is far more precise, structuring and demanding than the initial framework suggested. This article has therefore been updated to reflect the full set of regulatory obligations.

    1. Strategic issues and scope of the regulation

    DORA aims to reduce systemic risk related to digital failures and strengthen trust in the European financial ecosystem. This includes:

    • the harmonization of ICT risk management practices;

    • the accountability of leaders;

    • the strict supervision of critical ICT providers;

    • a coordinated European supervision.

    The regulation covers twenty categories of financial entities (Article 2), together with the ICT third-party service providers that serve them: cloud, data centre, managed services, software, data and analytics providers.

    2. Essential definitions introduced by the regulation

    To ensure consistent interpretation, DORA establishes precise definitions, including:

    • Critical or important function: an activity whose interruption would impair the entity's continuity, its financial stability or its obligations towards customers.

    • Critical ICT third-party service provider: a provider designated as such by the European supervisory authorities because its failure would represent a systemic risk.

    • Major ICT-related incident: a significant disruption classified as such according to harmonised criteria.

    • Threat-led penetration testing (TLPT): advanced testing built on the tactics, techniques and procedures of real attackers.

    These concepts structure all operational obligations.

    3. Digital resilience governance

    Direct responsibility of the management body (Art. 5)

    The management body must:

    • define, approve and oversee the ICT risk management framework and its policies;

    • approve and periodically review the business continuity and ICT response and recovery plans (the ICT risk management framework itself is reviewed at least once a year, Art. 6(5));

    • allocate and review the ICT security budget and investments;

    • keep its own knowledge up to date through regular, specific training on ICT risk.

    DORA strengthens the link between corporate governance and cybersecurity, placing leaders on the front line.

    Critical or important functions

    Entities must document their critical or important functions, describing:

    • the business processes concerned;

    • their technical dependencies;

    • the ICT providers involved.

    This documentation is central to supervision and audits, and it feeds the register of information on ICT contracts (section 7).

    4. Integrated ICT risk management

    The regulation imposes a comprehensive and documented approach including:

    Mapping of resources and dependencies (Art. 8)

    Organizations must map:

    • infrastructures, software, critical assets;

    • internal and external interconnections;

    • cloud dependencies and subcontractors.

    Life-cycle management of assets (Art. 7 and 8)

    Detailed documentation must cover:

    • the inventory;

    • maintenance;

    • obsolescence;

    • the controlled decommissioning.

    Configuration, patching and vulnerability management (Art. 9 and 10)

    Entities must demonstrate capabilities for:

    • configuration management,

    • prompt application of patches and updates,

    • automated monitoring and detection of anomalous activity,

    • identification and remediation of vulnerabilities.

    Security of software development

    DORA and its regulatory technical standards require a secure development approach integrating testing, code review and version management.

    5. Incident management and notification

    Harmonised classification (Art. 18)

    Incidents are classified as major according to harmonised criteria:

    • the number of clients or financial counterparts affected, and the volume of transactions;
    • the duration of the incident and of the service downtime;
    • the geographical spread;
    • any loss of data;
    • the criticality of the affected services;
    • the economic impact.

    Three-step reporting (Art. 19)

    For each major incident the regulation requires:

    1. an initial notification
    2. an intermediate report as the situation evolves
    3. a final report including root-cause analysis and corrective measures

    The regulatory technical standards set the clock: initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report. Reports go to the competent authority (in France, the ACPR or the AMF depending on the entity), which forwards them to the European supervisory authorities and, where relevant, the ECB.

    Informing customers (Art. 19(3))

    Where a major incident affects the financial interests of customers, they must be informed without undue delay of the incident and of the measures taken to mitigate its effects.

    6. Operational resilience tests

    Mandatory testing programme (Art. 24 and 25)

    Organizations must run, in proportion to their size and risk profile:

    • technical tests (vulnerability scans, gap analyses, source-code reviews, penetration tests);
    • crisis management exercises;
    • tests of the incident response and recovery plans;
    • restoration and failover tests.

    TLPT: advanced threat-led tests (Art. 26 and 27)

    Financial entities identified as significant must organise, at least every three years:

    • a TLPT carried out by independent testers meeting the regulation's suitability requirements, following an approach aligned with the TIBER-EU framework;
    • realistic scenarios on live production systems, simulating the tactics, techniques and procedures of hostile actors;
    • a remediation plan that is validated and whose implementation is tested.

    7. Management and supervision of ICT providers

    Mandatory register of providers (Art. 28(3))

    Entities must identify:

    • all their ICT providers;
    • the services provided;
    • the associated criticality.

    Mandatory contractual clauses (Art. 30)

    Every contract with an ICT provider must include:

    • the expected service levels;
    • the security, business continuity and disaster recovery requirements (PCA/PRA);
    • the right of audit and of access for the entity and its supervisors;
    • the terms of reversibility, exit and access to logs and data;
    • the incident notification and assistance obligations.

    Concentration risk analysis (Art. 29)

    Before contracting, entities must assess the risk of over-reliance on a single provider (or a small group of interconnected providers), cloud included, and the substitutability of that provider.
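One way to run the concentration check over the register of information, as an added example that is neither part of the original page nor one of the regulation's templates: the register extract, its field names (including the per-service substitutability flag) and the flagging threshold are constructed for the example. The script answers two questions the analysis above asks: which providers would disrupt a large share of critical functions if they failed, and which critical services have no substitute.

```python
from collections import defaultdict

# Constructed extract of a register of information (not real data): one row
# per ICT service supporting a function, with the provider delivering it and
# whether the entity could substitute that service within its tolerance.
REGISTER = [
    {"function": "payments",        "service": "core banking hosting", "provider": "CloudCo",  "critical": True,  "substitutable": False},
    {"function": "payments",        "service": "fraud scoring",        "provider": "ScoreInc", "critical": True,  "substitutable": True},
    {"function": "customer portal", "service": "web hosting",          "provider": "CloudCo",  "critical": True,  "substitutable": True},
    {"function": "customer portal", "service": "CDN",                  "provider": "EdgeNet",  "critical": True,  "substitutable": True},
    {"function": "reporting",       "service": "data warehouse",       "provider": "CloudCo",  "critical": True,  "substitutable": False},
    {"function": "reporting",       "service": "BI tooling",           "provider": "CloudCo",  "critical": True,  "substitutable": True},
    {"function": "HR",              "service": "payroll SaaS",         "provider": "PayNow",   "critical": False, "substitutable": True},
]

# A provider supporting at least this share of critical or important
# functions is flagged; the threshold is an assumption for this example.
CONCENTRATION_SHARE = 0.5


def provider_concentration(register):
    """Map each provider to the share of critical or important functions
    that would be disrupted if that provider failed (its blast radius)."""
    critical_functions = {r["function"] for r in register if r["critical"]}
    if not critical_functions:
        return {}
    supported = defaultdict(set)
    for r in register:
        if r["critical"]:
            supported[r["provider"]].add(r["function"])
    return {p: len(funcs) / len(critical_functions) for p, funcs in supported.items()}


def concentrated_providers(register, share=CONCENTRATION_SHARE):
    """Providers whose share of critical functions reaches the threshold."""
    return sorted(p for p, s in provider_concentration(register).items() if s >= share)


def non_substitutable_services(register):
    """(function, service, provider) for every critical service with no
    substitute: a single point of failure regardless of how many other
    providers the function also uses."""
    return sorted(
        (r["function"], r["service"], r["provider"])
        for r in register
        if r["critical"] and not r["substitutable"]
    )


if __name__ == "__main__":
    for provider, share in sorted(provider_concentration(REGISTER).items()):
        print(f"{provider:10s} supports {share:.0%} of critical functions")
    print("concentrated:", concentrated_providers(REGISTER))
    print("no substitute:", non_substitutable_services(REGISTER))
```

Note that a function using several providers is not thereby resilient: "payments" depends on both CloudCo and ScoreInc, and losing either one interrupts it, which is why the second check looks at substitutability per service rather than at the count of providers per function.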

    European oversight of critical providers (Art. 31 to 44)

    The European Union establishes:

    • a Lead Overseer (EBA, ESMA or EIOPA depending on the sector);
    • requests for information and general investigations;
    • on-site inspections;
    • recommendations, injunctions and periodic penalty payments;
    • a mechanism that can go as far as requiring financial entities to suspend or terminate the use of a provider's service.

    This supervision is a major step forward.

    8. Sectoral information sharing (Art. 45)

    DORA encourages participation in:

    • communities that exchange cyber threat intelligence;
    • sectoral information sharing and analysis centres (ISACs);
    • collective resilience learning programmes.

    This aspect aims to strengthen cooperation within the European financial sector.

    9. Penalties and corrective measures (Art. 50)

    The regulation provides for:

    • administrative penalties;

    • remediation obligations;

    • injunctions;

    • potential restrictions on activities or services;

    • reinforced supervision when persistent shortcomings are observed.

    National authorities may require corrective plans with enhanced monitoring.

    The bottom line

    • DORA constitutes a fully binding regulation, imposing a high level of digital resilience.

    • Leaders are responsible and accountable for compliance.

    • The framework imposes detailed requirements for mapping, testing, reporting, contracting and third-party supervision.

    • Critical ICT providers will be subject to direct monitoring at the European level.

    • DORA harmonizes digital crisis management throughout the financial sector, enhancing performance, transparency and trust.

    NIS2 (Directive SRI 2): a new digital resilience requirement for organizations

    The European NIS2 directive has not yet been fully transposed into French law. The bill on the resilience of critical infrastructure and the strengthening of cybersecurity has been passed by the Senate, but its final adoption remains pending.

    This transition marks a major evolution of the digital security framework in Europe: NIS2 significantly expands organizations' obligations and places cybersecurity at the heart of governance.

    As value chains become more interdependent and cyber threats more sophisticated, NIS2 marks a paradigm shift: digital security is no longer a technical issue reserved for IT teams.

    It becomes a strategic responsibility that directly engages the governing bodies.

    1. An expanded scope: more organizations concerned

    NIS2 replaces the 2016 NIS Directive and broadens the range of sectors subject to enhanced obligations. Two categories now structure the framework:

    • Essential entities: in the main, the larger entities of the high-criticality sectors of Annex I (energy, transport, banking and financial market infrastructures, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space).
    • Important entities: the other entities in scope, including the sectors of Annex II (postal services, waste management, chemicals, food, manufacturing of critical products, digital providers, research).

    Any organization with at least 50 employees or more than €10 million in annual turnover (or balance sheet) operating in one of these sectors is likely to be concerned; some entities are covered regardless of size.

    This extension has a direct consequence: a large number of mid-caps and SMEs now fall within the regulatory scope.

    2. Strengthened governance: a direct responsibility of the COMEX

    One of the major contributions of NIS2 lies in the explicit commitment of the governing bodies (Art. 20).

    Management bodies must:

    • approve the cybersecurity risk management measures;
    • oversee their implementation and follow the levels of risk;
    • ensure that the security measures are actually implemented;
    • follow regular training on cybersecurity issues, and offer similar training to employees.

    The directive also allows managers to be held personally liable in the event of serious breaches, up to a temporary ban on exercising management functions in essential entities.

    The COMEX is witnessing a significant change: cybersecurity is now a field that must be steered, documented and audited with the same level of requirements as finance or operational risk.

    3. Ten structuring obligations that companies must apply

    NIS2 (Art. 21) imposes a common core of measures aimed at strengthening digital resilience. Among the key obligations:

    • Governance and risk management: identification and treatment of risks, formalisation of a security strategy.
    • Security policies and incident management: detection, response and coordination with the competent authorities.
    • Business continuity and crisis management: updated business continuity and disaster recovery plans (PCA/PRA), backups and regular exercises.
    • Securing the supply chain: assessment of critical providers, strengthened contractual clauses.
    • IT hygiene and hardening: patch management, MFA, segmentation, controlled backups.
    • Network and information systems security: technical controls adapted to the level of risk, including cryptography and encryption.
    • Vulnerability management: detection, analysis and remediation process, including coordinated vulnerability disclosure.
    • Identity and access management: strong authentication, principle of least privilege.
    • Monitoring and detection: SOC, SIEM or equivalent capabilities adapted to the size of the entity.
    • Regular testing: technical audits, penetration tests and crisis exercises, with policies to assess the effectiveness of the measures.

    The objective is clear: to raise the overall level of maturity and structure a coherent approach from prevention to resilience.

    4. A new incident notification regime: 24 h, 72 h, 1 month

    To improve coordination and transparency, NIS2 (Art. 23) imposes a precise schedule for significant incidents:

    • 24 hours: early warning, indicating whether the incident is suspected to be malicious and whether it could have a cross-border impact
    • 72 hours: incident notification with an initial assessment of severity and impact, and indicators of compromise where available
    • 1 month: final report describing the root cause, the impact and the corrective measures, with intermediate reports in the meantime at the request of the authority

    This requirement strengthens the collective capacity to detect, understand and respond to major incidents.

    5. Increased supervision and a meaningful sanctions regime

    National authorities have strengthened levers:

    • mandatory audits,
    • on-site inspections,
    • requests for evidence of compliance,
    • follow-up of corrective measures.

    The planned administrative fines (Art. 34) can reach:

    • for essential entities, €10 million or 2% of worldwide annual turnover, whichever is higher;

    • for important entities, €7 million or 1.4% of worldwide annual turnover, whichever is higher.

    These levels reflect a strong desire to strengthen cybersecurity discipline at the European level.

    6. Impacts for organizations: a transversal project

    NIS2 compliance affects several dimensions simultaneously:

    Governance

    • Formalization of the cyber strategy, structuring of responsibilities, implementation of indicators.

    Organization

    • Strengthening of security teams, regular training, coordination with the business lines and external partners.

    Technologies

    • Increase of supervision, hardening, segmentation, immutable backups, automation.

    Compliance and documentation

    • Updates to internal policies, registers, supplier contracts, procedures and evidence of compliance.

    NIS2 thus becomes a transformation lever, forcing organizations to move from a reactive posture to an integrated approach to digital risk management.

    7. A strategic opportunity: trust, performance and sovereignty

    Beyond the obligations, NIS2 constitutes a vector of value creation:

    • reduction of operational risks,
    • strengthening of relationships with clients and partners,
    • improvement of insurance conditions,
    • alignment with other regulatory frameworks (GDPR, DORA, CER, SecNumCloud).

    Proactive organizations can turn this constraint into a competitive advantage by installing managed, controlled and trustworthy security.

    The bottom line

    NIS2 greatly expands the scope of the entities concerned.

    Leaders are directly responsible for cyber governance.

    Ten structuring obligations underpin the resilience model.

    Incidents must be notified according to a strict schedule.

    The sanctions are among the highest in European frameworks.

    NIS2 is an opportunity to strengthen resilience, compliance and sustainable performance.