Govern IT

DORA Directive: a strategic turning point for the operational resilience of the European financial sector

Compliance & Sovereignty, Cybersecurity & Resilience

The DORA regulation (Digital Operational Resilience Act), applicable since January 2025, establishes a unified European framework aimed at ensuring the digital operational resilience of all financial entities.

Unlike a directive, DORA is a directly binding regulation for the 27 member states.

Its purpose: to ensure that all players in the financial sector have robust prevention, detection, management and recovery capabilities against computer incidents, cyber attacks and major disruptions, including through their technology providers.

The analysis of Regulation 2022/2554 reveals a much more precise, structuring and demanding mechanism than what was hinted at in the initial framework. The article below has therefore been updated to reflect the full regulatory obligations.

1. Strategic issues and scope of the regulation

DORA aims to reduce systemic risk related to digital failures and strengthen trust in the European financial ecosystem. This includes:

  • the harmonization of ICT risk management practices;

  • the accountability of leaders;

  • the strict supervision of critical ICT providers;

  • a coordinated European supervision.

The act covers more than 20 categories of financial entities, as well as all IT providers, including cloud, data center, managed services, application developers, data providers and analytics providers.

2. Essential definitions introduced by the regulation

To ensure consistent interpretation, DORA establishes precise definitions, including:

  • Critical or important function: activity whose interruption impacts continuity, stability, or customer rights.

  • Critical ICT Provider: supplier whose failure represents a systemic risk.

  • ICT major incident: significant disruption according to harmonised criteria.

  • Threat-Guided Penetration Test (TLPT): advanced test based on real attacker scenarios.

These concepts structure all operational obligations.

3. Digital resilience governance

Direct responsibility of the leaders

The management bodies must:

  • approve the ICT risk management policy;

  • validate the continuity plans each year;

  • follow the security investments;

  • have specific training in ICT risks.

DORA strengthens the link between corporate governance and cybersecurity, placing leaders on the front line.

Critical functions register

Entities must maintain a comprehensive register describing:

  • critical processes;

  • their technical dependencies;

  • the providers involved.

This tool is central to supervision and audits.

4. Integrated ICT risk management

The regulation imposes a comprehensive and documented approach including:

Mapping of resources and dependencies (art. 16)

Organizations must map:

  • infrastructures, software, critical assets;

  • internal and external interconnections;

  • cloud dependencies and subcontractors.

Life cycle management of assets (art. 17)

Detailed documentation must cover:

  • the inventory;

  • maintenance;

  • obsolescence;

  • the controlled decommissioning.

Configuration policy, patches and vulnerabilities (art. 18-21)

Entities must demonstrate capabilities:

  • management of configurations,

  • of quick application of patches,

  • automated risk monitoring,

  • for the identification and remediation of vulnerabilities.

Security of software development (art. 20)

DORA requires a secure development approach integrating tests, code review, and version management.

5. Gestion des incidents et notification

harmonised classification

Incidents shall be classified according to:

  • their operational impact;
  • the duration;
  • the number of affected clients;
  • the criticality of the affected services.

Three-step reporting (art. 33)

The regulation requires:

  1. Initial notification
  2. Interim reports according to the evolution
  3. Final report including causal analysis and corrective measures

Notifications must be transmitted without undue delay to the national authorities (AMF, ACPR) and, if necessary, to the ECB.

Informing customers (art. 36)

In the event of a major incident, customers may need to be informed clearly and quickly.

6. Operational resilience tests

Mandatory test plan (art. 42-54)

Organizations must drive:

  • technical tests;
  • crisis management exercises;
  • incident recovery plans ;
  • restoration tests and switches.

6.2. TLPT: advanced tests guided by the threat

Significant entities must organize every three years:

  • a TLPT carried out by independent and certified teams;
  • realistic scenarios simulating the operating methods of hostile actors;
  • a validated and tested remediation action plan.

7. Management and supervision of ICT providers

Mandatory register of providers (art. 28)

Entities must identify:

  • all their ICT providers;
  • the services provided;
  • the associated criticality.

Mandatory contractual clauses (art. 30)

Any contract must include:

  • the expected level of service;
  • the security requirements, PRA/PCA;
  • the right of audit;
  • the terms of reversibility and access to newspapers;
  • the incident notification obligations.

Concentration risk analysis (Art. 41)

Entities need to assess the risk of over-reliance on a single provider, including cloud.

European supervision of critical service providers (art. 49-57)

The European Union establishes:

  • a Lead Overseer (ESMA, EIOPA or EBA depending on the sectors);
  • European audits;
  • on-site visits;
  • injunctions or corrective measures;
  • a device that can go as far as the restriction of a service.

This supervision is a major step forward.

8. Sectoral information sharing

DORA encourages participation:

  • to the exchange communities related to cyber threats;
  • to the sectoral centres (ISAC);
  • to the collective learning programs of resilience.

This aspect aims to strengthen intra-European cooperation.

9. Sanctions and corrective measures

The regulation provides for:

  • administrative penalties;

  • remediation obligations ;

  • injunctions;

  • potential restrictions on activities or services;

  • reinforced supervision when persistent shortcomings are observed.

National authorities may require corrective plans with enhanced monitoring.

ACPR Banque de France5
EUR - LEX5

The bottom line

  • DORA constitutes a fully binding regulation, imposing a high level of digital resilience.

  • Leaders are responsible and accountable for compliance.

  • The framework imposes detailed requirements for mapping, testing, reporting, contracting and third-party supervision.

  • Critical ICT providers will be subject to direct monitoring at the European level.

  • DORA harmonizes digital crisis management throughout the financial sector, enhancing performance, transparency and trust.

Arthur Delpech de Frayssinet

Arthur Delpech de Frayssinet

Chief Information Officer

J’accompagne les directions générales dans la transformation et la sécurisation du système d’information, en reliant stratégie, innovation et exécution pour produire des résultats mesurables.

Mon action vise à donner une trajectoire claire au numérique, à garantir la maîtrise des risques et à renforcer la performance opérationnelle. J’interviens avec un leadership fondé sur la clarté et la responsabilité partagée afin de fédérer les équipes autour d’objectifs communs.

Ma capacité d’analyse et ma compréhension des dynamiques technologiques me permettent d’anticiper les évolutions, de conduire le changement et de structurer une performance durable et souveraine.

Planifier un échange


Share This