The Regulation on Digital Operational Resilience in the Financial Sector (DORA)


What is the DORA regulation?

Part of a series of measures concerning digital finance in Europe (the EU Digital finance package), the European Regulation 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act, “DORA”) sets out rules on cyber security and IT risk management, including cyber risks, for a large number of financial entities.

The DORA regulation includes provisions requiring financial entities to:

  • Implement a risk management framework for ICT risks, including cyber risks;
  • Notify major ICT-related incidents to the competent authorities;
  • Perform digital operational resilience testing;
  • Manage risks related to third-party ICT service providers, including new contractual requirements and maintaining a register of information on contracts with these providers;
  • Voluntarily share operational information on cyber threats and vulnerabilities between financial sector actors.

The Regulation also imposes an Oversight framework at the European level for ICT service providers deemed “critical,” i.e. those which could have a systemic impact on the stability, continuity, or quality of financial services in the European Union.

Which entities are affected by the DORA regulation?

The Regulation sets out a digital resilience framework covering most financial institutions. Entities subject to the regulation are listed in Article 2(1), including management companies, market infrastructures, investment firms (as defined by Article 4(1)(1) of the MIFID II Directive), and crypto-asset service providers.

In addition, a new European supervisory framework applies to third-party ICT service providers which are deemed critical, which will be designated by the three European supervisory authorities (ESMA, EBA, and EIOPA) in 2025, based on criteria set out in the Regulation and a delegated act of the European Commission.

In addition, the Regulation introduces a proportionality principle, under which certain small financial entities, as well as entities referred to as “micro-enterprises” (defined in Article 3(60) of DORA), may benefit from simplified or streamlined regimes. Accordingly, DORA provides a simplified ICT risk management framework for micro-enterprises and for smaller financial entities providing certain services.

Some entities are excluded from the scope of the Regulation as specified in Article 2(3), including:

  • Alternative investment fund managers managing portfolios whose assets do not exceed the AIFMD threshold;
  • Natural or legal persons exempted under Articles 2 and 3 of MIFID II.

Implementation timeline of the DORA regulation

DORA has been applicable since January 17, 2025.

What are the main measures of the DORA regulation?

ICT Risk Management

The Regulation sets out a harmonised framework for ICT risk management that financial entities must integrate in order to address ICT risks quickly, efficiently and comprehensively, and to ensure a high level of digital operational resilience.

The measures to be implemented by entities in scope notably include:

  • Establishing a governance and internal control framework, along with a digital operational resilience strategy. The risk management framework must cover, among other things, the ICT systems, protocols and tools used by the entity, which must be kept up to date;
  • Identifying and assessing all sources of ICT risk, using a classification that must be reviewed at least annually;
  • Developing an information security policy to protect the availability, authenticity, integrity and confidentiality of data;
  • Implementing a comprehensive ICT business continuity policy, along with backup, restoration and recovery procedures, tested at least annually;
  • Setting up post-incident review mechanisms to identify improvements and ensure procedures are followed, supported by a staff training programme;
  • Establishing internal and external communication plans for use in a crisis.

Notification of Major Incidents to Competent Authorities

Financial entities are required to classify ICT incidents and cyber threats based on several criteria, including the criticality of the affected services and the number of clients impacted.

Based on this classification, financial entities must report incidents deemed major to their relevant sectoral authority. This reporting consists of an initial notification, an interim report and a final report. Entities must also promptly inform clients about major ICT incidents that affect their financial interests and, in the case of significant cyber threats, tell the clients who may be affected about any protective measures they could take.

Step 1: Incident Classification

Financial entities must classify their ICT incidents according to the criteria set by DORA. The criteria for classifying ICT incidents are specified in a dedicated delegated regulation. An incident is considered major when both of the following conditions are met:

  1. The incident meets at least one of the following criticality criteria:
    a. It affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
    b. It affects or has affected financial services provided by the financial entity that require authorisation or registration, or that are supervised by the competent authorities;
    c. It constitutes or has constituted successful, malicious and unauthorised access to the financial entity’s network and information systems.
  2. And one of the following conditions (a or b) is met:
    a. The network and information systems have been subject to successful, malicious and unauthorised access, where such access may result in data losses;
    b. At least two of the following thresholds are met:
      • The threshold “clients, financial counterparties and transactions” is met when one of the following conditions is satisfied:
        • The number of affected clients is higher than 10% of all clients using the affected service;
        • The number of affected clients using the affected service is higher than 100,000;
        • The number of affected financial counterparts is higher than 30% of all financial counterparts carrying out activities related to the provision of the affected service;
        • The number of affected transactions is higher than 10% of the daily average number of transactions carried out by the financial entity related to the affected service;
        • The amount of affected transactions is higher than 10% of the daily average value of transactions carried out by the financial entity related to the affected service;
        • Clients or financial counterparties identified as relevant have been affected.
      • The threshold “reputational impact” is met when one of the following conditions is satisfied:
        • The incident has been reflected in the media;
        • The incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships;
        • The financial entity will not be able, or is likely not to be able, to meet regulatory requirements as a result of the incident;
        • The financial entity will lose, or is likely to lose, clients or financial counterparties with a material impact on its business as a result of the incident.
      • The threshold “duration and service downtime” is met when one of the following conditions is satisfied:
        • The incident lasts more than 24 hours;
        • The service disruption lasts more than 2 hours for ICT services supporting critical or important functions.
      • The threshold “geographical spread” is met when the incident affects two or more EU Member States.
      • The threshold “data losses” is met when one of the following conditions is satisfied:
        • The impact on the availability, authenticity, integrity or confidentiality of data harms, or will harm, the financial entity’s business objectives or its ability to meet regulatory requirements;
        • The network and information systems have been subject to successful, malicious and unauthorised access not covered by the previous point, where such access may result in data losses.
      • The threshold “economic impact” is met when the costs and losses incurred by the financial entity as a result of the incident have exceeded, or are likely to exceed, €100,000.

Finally, recurring incidents that would not individually qualify as major may, when certain conditions are met, be classified together as a major incident.

Step 2: Major incident reporting

When an incident is classified as major by a financial entity, the entity must report the incident to the competent authority under the following conditions:

  1. Initial notification: The financial entity must submit an initial notification within 4 hours of classifying the incident as major, and no later than 24 hours after its detection. This notification must identify the entity or entities affected, describe the incident and the circumstances of its discovery, and state the criteria that led to its classification as major.
  2. Interim report: Within 72 hours of the initial notification, the financial entity must submit an interim report. This report must detail the incident’s impacts (financial, service unavailability, reputational, etc.), the affected services, and any temporary measures taken to resolve the incident.
  3. Final report: Within one month of the interim report, the financial entity must submit a final report that includes an analysis of the root causes of the incident and an action plan to address them.
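The classification test in Step 1 and the deadlines in Step 2 are a decision procedure, and an incident-management team will usually want it encoded rather than re-read under pressure. The following Python is an added example for this page, not AMF or ESA code: the `Incident` field names, the two sample incidents and the reading of “one month” as 30 days are assumptions made for the example; the thresholds are the ones quoted above.

```python
"""Added example (not AMF/ESA code): applies the DORA major-incident test and
the reporting deadlines described on this page to constructed incident records.
Field names, sample incidents and the 30-day reading of 'one month' are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    # Criticality of services affected (step 1, condition 1)
    affects_critical_function_ict: bool = False
    affects_authorised_financial_service: bool = False
    malicious_unauthorised_access: bool = False
    access_may_cause_data_loss: bool = False
    # Clients, financial counterparties and transactions
    clients_affected: int = 0
    clients_total: int = 0
    counterparts_affected: int = 0
    counterparts_total: int = 0
    transactions_affected: int = 0
    daily_avg_transactions: int = 0
    transactions_value_affected: float = 0.0
    daily_avg_transaction_value: float = 0.0
    relevant_clients_affected: bool = False
    # Reputational impact
    media_coverage: bool = False
    repetitive_complaints: bool = False
    regulatory_breach_likely: bool = False
    material_client_loss_likely: bool = False
    # Duration and service downtime
    duration: timedelta = timedelta(0)
    critical_service_downtime: timedelta = timedelta(0)
    # Geographical spread
    member_states_affected: int = 1
    # Data losses and economic impact
    data_impact_harms_objectives: bool = False
    estimated_cost_eur: float = 0.0


def _share(part, whole):
    """Fraction of `whole` that is affected; an unknown population counts as 0."""
    return part / whole if whole else 0.0


def thresholds_met(inc: Incident) -> list:
    """Names of the secondary thresholds (step 1, condition 2b) the incident meets."""
    met = []
    if (_share(inc.clients_affected, inc.clients_total) > 0.10
            or inc.clients_affected > 100_000
            or _share(inc.counterparts_affected, inc.counterparts_total) > 0.30
            or _share(inc.transactions_affected, inc.daily_avg_transactions) > 0.10
            or _share(inc.transactions_value_affected, inc.daily_avg_transaction_value) > 0.10
            or inc.relevant_clients_affected):
        met.append("clients_counterparties_transactions")
    if (inc.media_coverage or inc.repetitive_complaints
            or inc.regulatory_breach_likely or inc.material_client_loss_likely):
        met.append("reputational_impact")
    if (inc.duration > timedelta(hours=24)
            or inc.critical_service_downtime > timedelta(hours=2)):
        met.append("duration_and_downtime")
    if inc.member_states_affected >= 2:
        met.append("geographical_spread")
    if inc.data_impact_harms_objectives:
        met.append("data_losses")
    if inc.estimated_cost_eur > 100_000:
        met.append("economic_impact")
    return met


def is_major(inc: Incident) -> bool:
    """Condition 1 (criticality) AND (condition 2a OR at least two thresholds)."""
    criticality = (inc.affects_critical_function_ict
                   or inc.affects_authorised_financial_service
                   or inc.malicious_unauthorised_access)
    if not criticality:
        return False
    if inc.malicious_unauthorised_access and inc.access_may_cause_data_loss:
        return True  # condition 2a: major regardless of the other thresholds
    return len(thresholds_met(inc)) >= 2


def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> dict:
    """Latest submission times (step 2). The initial notification is due 4 hours after
    classification but never later than 24 hours after detection, so a slow
    classification does not extend the clock. Later deadlines are chained from the
    previous deadline (worst case); 'one month' is read as 30 days (assumption)."""
    initial = min(classified_at + timedelta(hours=4), detected_at + timedelta(hours=24))
    interim = initial + timedelta(hours=72)
    final = interim + timedelta(days=30)
    return {"initial_notification": initial, "interim_report": interim, "final_report": final}


# Constructed sample: ransomware takes a payment service supporting a critical
# function offline for 5 hours; 12% of clients affected, one Member State, EUR 40k.
SAMPLE_OUTAGE = Incident(affects_critical_function_ict=True, clients_affected=1_200,
                         clients_total=10_000, duration=timedelta(hours=5),
                         critical_service_downtime=timedelta(hours=5),
                         estimated_cost_eur=40_000)
# Constructed sample: 1-hour glitch on a critical service, 5% of clients, nothing else.
SAMPLE_GLITCH = Incident(affects_critical_function_ict=True, clients_affected=500,
                         clients_total=10_000, duration=timedelta(hours=1),
                         critical_service_downtime=timedelta(hours=1))
# Constructed timestamps: detected 1 March 08:00, classified as major only 26 hours later.
SAMPLE_DEADLINES = reporting_deadlines(datetime(2025, 3, 1, 8, 0), datetime(2025, 3, 2, 10, 0))

if __name__ == "__main__":
    for name, inc in (("outage", SAMPLE_OUTAGE), ("glitch", SAMPLE_GLITCH)):
        print(name, "major" if is_major(inc) else "not major", thresholds_met(inc))
    print(SAMPLE_DEADLINES)
```

The outage sample is major because two thresholds (clients above 10%, downtime above 2 hours on a critical service) are met even though the cost stays under €100,000; the glitch sample meets none. The deadline sample shows the 24-hour detection cap overriding the 4-hour classification window when classification is late. The recurring-incident rule mentioned above is not modelled here.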

The format for the initial notification, interim report, and final report is specified in a dedicated implementing technical standard (ITS).
Financial entities required to notify their incidents to the AMF must use a notification template and transmit the information via the AMF’s secure messaging system (Sesterce). This template will be made available on the AMF’s Form and Declaration page. 

Significant cyber threats, which are potential risks to financial entities rather than confirmed incidents, must be recorded by financial entities. The criteria for determining whether a cyber threat is significant are specified in Delegated Regulation (EU) 2024/1772 (Article 10 of that delegated regulation, adopted under DORA Article 18(3)). Financial entities are encouraged to report these significant cyber threats to their competent authority on a voluntary basis.

The AMF strongly recommends that financial entities report these significant cyber threats.

The template for reporting these cyber threats is specified in a dedicated implementing technical standard (ITS) and will also be made available to reporters in the Form and Declaration section.

Digital Operational Resilience Testing

To properly manage their ICT-related risks, financial entities are required to establish a digital operational resilience testing programme and to review it regularly. These tests must be conducted by independent parties, either internal or external, and must include, in particular:

  • Vulnerability assessments;
  • Network security assessments;
  • Physical security reviews;
  • End-to-end crisis simulation tests;
  • Penetration testing.

Entities must also test the ICT systems and applications supporting critical or important functions at least once a year.

Following these tests, financial entities must define strategies to address the weaknesses identified during the testing phase.

Certain significant financial entities, particularly those with systemic importance or specific ICT risk profiles, must also implement more advanced tests through “threat-led” penetration testing (TLPT) at least every three years. The criteria for identifying entities subject to these advanced tests are further clarified in a dedicated Regulatory Technical Standard (RTS).

This advanced testing must cover several, or all, of the financial entity’s critical or important functions. After these tests, the financial entity must provide its competent authority with a summary of the test results and the corrective measures being considered.

Management of ICT third-party risk and the Register of Information (RoI)

The regulation sets out key principles for managing the risk associated with third-party ICT service providers. Financial entities must identify and integrate risks related to the use of these providers into their risk management framework and remain fully responsible for ensuring compliance with the obligations of the DORA regulation when engaging with these third parties.

The Regulation outlines several obligations for financial entities arising from their relationships with third-party ICT service providers, including:

  • Defining and implementing a risk management framework for ICT third-party providers, notably when drafting contracts, which must include the key contractual provisions specified in Article 30 of the DORA regulation;
  • Maintaining an up-to-date register of information (RoI) on contractual arrangements with these providers, which must be communicated to the competent authority at least once a year;
  • Reporting to the competent authority, at least once a year, on new contractual arrangements for the use of ICT services. Planned contractual arrangements for ICT services supporting critical or important functions must also be communicated in a timely manner;
  • Carrying out due diligence before entering into a contract, and only contracting with third-party ICT service providers that meet adequate information security standards;
  • Ensuring that contracts can be terminated under certain circumstances, particularly when the third-party provider shows deficiencies in managing ICT-related risks;
  • Establishing exit strategies for ICT services supporting critical or important functions in the event of provider failure.

The RoI in Practice

The RoI, which contains the list of third-party ICT service providers and their subcontractors, must be communicated by the financial entity to its competent authority at least once a year, on a fixed date.

The templates for the information register are specified in the dedicated Implementing Technical Standards (ITS).

The registers must be submitted to the AMF via the ROSA interface, in the format and structure required by the European Supervisory Authorities (ESAs).

The timeline for submitting the registers to the AMF (including a testing period for submitting the registers) and a detailed submission procedure via ROSA will be made available at the beginning of 2025.

The Regulation also introduces a new system for the European supervision of so-called “critical” third-party ICT service providers. These providers will be subject to specific supervision coordinated by one of the ESAs, in order to ensure they have implemented sufficient rules to manage ICT-related risks.

Regarding the use of critical providers established in third countries, the DORA regulation specifies that financial entities can only use ICT services from third-party providers designated as critical and established in third countries if they have established a subsidiary in the European Union. If this European subsidiary does not exist, the critical third-party provider has one year to establish its subsidiary within the EU after being designated.

Implementing Texts

The DORA regulation provides for the adoption of several implementing texts (Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)) developed by the ESAs (EBA, EIOPA, ESMA).

These technical standards aim to harmonise cybersecurity requirements and ICT risk management across the European Union. They also provide financial entities with specific guidance on how to comply with DORA obligations.

The relevant implementing texts for financial entities are listed below, with links to the texts published in the Official Journal of the European Union (as of February 26, 2025):

ICT Risk Management (Chapter II of DORA)
  • RTS on establishing an ICT risk management framework and a simplified ICT risk management framework;
  • Guidelines on the estimation of aggregated costs and losses caused by major ICT incidents.
ICT-related incident management, classification and reporting (Chapter III of DORA)
  • RTS on ICT incident classification criteria;
  • RTS and ITS on the content, timelines and templates for incident and cyber-threat reports.
Digital Operational Resilience Testing (Chapter IV of DORA)
  • RTS on threat-led penetration testing.
ICT Third-Party Service Provider Risk Management (Chapter V of DORA)
  • ITS on the register of information;
  • RTS specifying policies and contractual arrangements for ICT services provided by third-party providers;
  • RTS on subcontracting of ICT services supporting critical or important functions.

The final versions of these texts are listed on the dedicated webpage of the European Commission’s website.