DORA: compliance and regulation

In June 2024, 77 organizations, including 10 French banks, were targeted by a remote access Trojan called "DroidBot." Sold on to cybercriminal networks, it produced more than 776 detected infections in Western Europe, at banks, cryptocurrency platforms, and other financial companies.

Deploying security and operational resilience measures at European scale, particularly in the financial sector, has therefore become urgent. This is the role of the European DORA regulation (Digital Operational Resilience Act), designed to strengthen the ability of financial entities to withstand cyber threats.

Applicable from January 2025, DORA marks a major step forward by unifying ICT (Information and Communication Technology) risk management for the financial sector at the European level. It requires tighter risk control, effective incident management, and a proper assessment of ICT service providers.

What is DORA?

DORA, or the Digital Operational Resilience Act, is a European regulation designed to strengthen the digital operational resilience of financial entities. It establishes a common framework, shared by all member states, for managing cyber and ICT risks in financial entities. It entered into force in January 2023 and has applied since January 17, 2025.

The DORA regulation has several objectives:

  • Strengthen the operational resilience of financial institutions by ensuring business continuity in the event of cyber attacks or ICT incidents;
  • Harmonize regulatory requirements across the European Union: DORA defines a single, consistent framework for all financial institutions in Europe in the face of growing cyberattack risks;
  • Improve risk monitoring and proactive management: DORA requires increased vigilance with regard to technological risks, in particular through regular resilience testing. These tests detect weaknesses in systems so that they can be fixed before they affect the level of service.

Who does DORA apply to?

DORA applies to all financial entities in Europe defined in Article 2:

  • Banks and credit institutions;
  • Payment institutions;
  • Portfolio management companies and investment funds;
  • Insurance and reinsurance companies;
  • Occupational pension institutions;
  • Investment firms;
  • Electronic money institutions;
  • ICT third-party service providers.

An important aspect of DORA concerns ICT third-party service providers, particularly those designated as "critical." These are providers whose services could have a systemic impact on the stability, continuity, or quality of financial services in the European Union if they failed.

DORA imposes a strengthened supervisory framework for these providers, including:

  • New minimum contractual requirements for the agreements financial entities sign with them;
  • The keeping, by each financial entity, of a register of information on all contractual arrangements entered into with ICT third-party providers.

These provisions ensure that financial entities exercise adequate control over the risks associated with the use of ICT services provided by third parties. They also ensure that these providers comply with the security and operational resilience standards required by DORA.

By minimizing the potential risks associated with dependence on these third-party providers, DORA helps maintain the stability of the financial system.

What are the obligations imposed by DORA?

The DORA Regulation sets out the digital operational resilience requirements applicable to financial entities across the European Union. These obligations are structured around four main themes:

  • ICT risk management: DORA provides a framework for identifying, managing, and reducing ICT-related risks. The identification phase should result in a comprehensive map of the business functions, assets, and digital services considered "at risk."
  • Notification of major incidents: the organizations concerned must notify the competent authority (in France, the ACPR or the AMF depending on the entity) of any major ICT-related incident likely to affect the stability, continuity, or quality of financial services. The initial notification must be made within four hours of the incident being classified as major, and no later than 24 hours after it is detected.

Payment-related operational and security incidents, previously reported under PSD2, are now also governed by DORA. The classification criteria are defined in the RTS on incident classification, and an incident that meets the "major" thresholds must be reported whether it is operational or security-related in nature.

  • Digital operational resilience testing: Article 24 of the DORA regulation requires a digital operational resilience testing program. These tests assess the robustness of systems and processes under disruption or attack, so that weaknesses can be identified and corrected.
  • Management of ICT third-party service providers: the DORA regulation sets out two complementary approaches to third-party risk:

    → for financial entities: measures taken to limit the risks associated with their ICT providers;

    → for critical ICT third-party service providers: an oversight framework run by the European Supervisory Authorities.

The financial entity remains fully responsible for compliance even when a function is outsourced, so it must protect itself against third-party risk by ensuring that outsourcing contracts contain the required clauses and are recorded in its register of information. This must be part of a broader third-party cyber risk management (TPCRM) program, with particular attention to ICT service providers deemed critical.

Particular attention is paid to the subcontracting chain. Two additional requirements supplement the initial framework:

  • Ex ante assessment of the conditions under which subcontracting is allowed (jurisdiction of the ICT subcontractor and its parent company, length of the subcontracting chain, data shared, etc.);
  • Verification that the contractual clauses flow down to subcontractors (service continuity, audit and access rights, etc.).

Finally, DORA encourages financial entities to voluntarily share cyber threat intelligence and vulnerability information (including CVE data) among themselves. Such sharing improves collective knowledge of the threat landscape and strengthens the operational resilience of the banking and financial sector as a whole.

DORA and NIS 2: what are the differences?

DORA (Digital Operational Resilience Act) and NIS 2 (the second Network and Information Security Directive) are two European frameworks designed to strengthen the security and resilience of information systems across the European Union. For CIOs and CISOs (RSSI in France), both texts are fundamental, and their respective scopes can be hard to tell apart.

DORA vs NIS 2

Objectives
  DORA: focuses specifically on digital operational resilience in the financial sector. Its aim is to ensure that financial entities keep operating without major disruption in the event of ICT incidents.
  NIS 2: aims to secure critical and important infrastructure against cyber threats and to raise the level of cybersecurity across many sectors by harmonizing security requirements.

Legal scope
  DORA: a regulation, directly applicable in every Member State, that covers financial entities and their ICT third-party service providers.
  NIS 2: a directive that must be transposed into national law by each Member State. It covers 18 sectors (versus 7 under the first NIS directive) and addresses governance, cyber risk management measures, segmentation of IT systems, incident reporting obligations, supply chain security, and more.

Requirements
  DORA:
    • ICT risk management
    • Digital operational resilience testing
    • Notification of major incidents
    • Oversight of critical ICT third-party providers and management of third-party risk
  NIS 2:
    • Cybersecurity risk management
    • Incident notification
    • Technical and organizational measures
    • Cooperation with national authorities
    • Designation of a national Computer Security Incident Response Team (CSIRT)

For the financial sector, the question arises: which takes precedence?

The answer follows from the lex specialis principle: a specific law takes precedence over a general one. For financial entities, DORA's requirements apply first, and NIS 2 only fills in where DORA is silent.

How can you prepare for DORA?

Implementing DORA requires a structured and proactive approach. Compliance cannot be improvised. Here are the key milestones to follow in order to approach DORA with confidence and strengthen operational resilience.

1/ Assessment and gap analysis: the first step is a thorough risk assessment and an analysis of the gaps between current practices and the requirements of the regulation:

  • Conduct a risk analysis to identify potential vulnerabilities and threats;
  • Plan and execute penetration tests;
  • Implement standardized procedures for promptly notifying the competent authorities of major incidents;
  • Align incident classification methodologies with DORA requirements;
  • Determine the measures necessary to comply with the new regulations.

2/ Implementation of a risk management framework, particularly for ICT third-party providers:

  • Establish a methodology for continuously assessing and measuring your suppliers' risks;
  • Analyze test and measurement data to detect anomalies and threats;
  • Define internal procedures to ensure an effective response in the event of an incident.

3/ Team awareness and training: improving compliance requires awareness and adoption of new requirements to be implemented on a daily basis by teams:

  • Implement organization-wide training programs to strengthen operational resilience;
  • Ensure that all employees are informed of new requirements and procedures.

4/ Use experts and technology: to facilitate and accelerate DORA compliance:

  • Rely on cybersecurity and risk management experts;
  • Deploy technologies to monitor your operational resilience program;
  • Automate what can be automated in testing and incident management workflows, and confirm with your supervisor that the testing approach and reporting processes meet its expectations before the compliance deadline.

5/ Data availability, authenticity, integrity, and confidentiality: data is both the main asset at risk and the most common target of cyberattacks:

  • Determine business continuity and recovery plans in the event of a hack;
  • Deploy data access protection solutions (archiving, compliant hosting, etc.);
  • Raise awareness among your employees, suppliers, and service providers.

How can Board of Cyber help you?

DORA compliance directly affects the areas of cybersecurity and operational resilience. Board of Cyber offers a range of solutions to support cyber and compliance teams in achieving DORA compliance.

These solutions are structured around four main areas.

  • Managing compliance

Our Trust HQ solution enables CISOs to publish their information security policy (ISSP, or PSSI in French) and map it against the applicable regulatory frameworks. The solution collects the relevant data and evidence on security policies, and detailed reports show where the company is non-compliant. Action plans can then be defined and tracked directly in the solution. The ISSP stays up to date and its internal distribution is simplified.

  • Assess your digital resilience

Our Security Rating assesses an organization's cyber performance. It analyzes the company's exposed assets in a non-intrusive manner and compares the result with other organizations in your sector. Security Rating measures cybersecurity maturity across six areas (asset assessment, access management, data security, network security, application security, and operational security). A continuous scale from 0 to 1000 lets you track cyber performance over time, and Security Rating provides detailed explanations of each issue detected. Reports with visual dashboards and graphs can be shared with the executive committee and with purchasing, so that they quickly understand the risks to which the company is exposed. For a CISO, this data provides a comprehensive overview of the risks; operational teams can act on the recommendations and concrete measures proposed by the solution.

  • Evaluation of ICT service providers

Managing risks related to ICT service providers is a central aspect of DORA. Board of Cyber helps organizations set up and manage dedicated programs, including due diligence and service contract reviews to ensure full compliance with DORA regulations.

Our Trust HQ solution enables audit campaigns to be carried out and evidence to be gathered from suppliers. This avoids email exchanges and shared spreadsheets, which are sources of oversights and handling errors. This data is then processed by Security Rating to obtain a rating for your third parties. Shared dashboards and alerts indicate risk levels, especially in the event of a downgrade.

As an ICT service provider, Board of Cyber relies on qualifications and certifications to guarantee the compliance of our solutions. As such, we are SecNumCloud certified by ANSSI, attesting to the security, robustness, and reliability of the solutions used by our customers.

  • Reports ready for the authorities (RTS, internal audits)

Our tools automatically generate reports that comply with regulatory requirements (RTS). In addition, cyber/compliance teams can access detailed and operational reports to manage their digital resilience. As part of a continuous improvement process, these reports can also be shared with suppliers who are subject to audits or controls.

Conclusion

The DORA regulation is a major step forward in strengthening cybersecurity and digital operational resilience in the European financial sector. It requires continuous ICT risk management, incident reporting, resilience testing, and third-party vendor control.

Organizations must assess their current practices in order to define robust risk management frameworks and raise awareness among their teams. Calling on experts, such as those at Board of Cyber, can provide clarity on the requirements imposed by DORA and how to comply with them.

FAQ

Which financial entities are subject to the requirements of the DORA regulation?

The DORA regulation applies to a wide range of financial entities, including:

  • Credit institutions;
  • Investment firms;
  • Pension fund managers;
  • Payment service providers;
  • Electronic money institutions;
  • And other financial entities listed in Article 2 of Regulation (EU) 2022/2554.

In total, Article 2 lists 20 types of financial entities, plus ICT third-party service providers.

What are the main elements of the ICT risk management framework imposed by the DORA Regulation?

The ICT risk management framework imposed by the DORA Regulation is based on several key elements:

  • Establishment of a governance and internal control framework;
  • Identification and assessment of ICT risks;
  • An information security policy;
  • ICT business continuity procedures;
  • Post-incident review mechanisms;
  • Internal and external communication plans in the event of a crisis.

How does the DORA regulation address the management of risks associated with third-party ICT service providers?

The DORA regulation requires financial entities to integrate the risks associated with third-party ICT service providers into their risk management framework. To do so, they must:

  • Sign contracts containing minimum clauses;
  • Maintain a regularly updated information register;
  • Conduct audits of providers;
  • Establish exit strategies for critical services.

In addition, entities must:

  • Avoid excessive dependence on a single service provider;
  • Assess the substitutability of service providers;
  • Monitor subcontractors.

What are the notification and reporting obligations for major ICT incidents under the DORA Regulation?

Under the DORA Regulation, financial entities must notify the competent authority of major ICT-related incidents. This involves three stages:

  • An initial notification within four hours of classifying the incident as major, and no later than 24 hours after detection;
  • An intermediate report within 72 hours of the initial notification, updated if the status of the incident changes significantly or new information becomes available;
  • A final report within one month of the intermediate report.
