DORA: the new cyber regulation for financial services (in effect since Jan. 2025)



Since January 2025, DORA, the new cyber regulation for financial services, has required banks, insurance companies, ICT providers, and other European financial players to strengthen their digital resilience against cyberattacks, outages, and technological dependencies.


Discover DORA, the new cyber regulation for financial services in force since January 2025, aimed at strengthening security and digital resilience in the financial sector.

DORA and the digital operational resilience of the financial sector

The European DORA regulation, for Digital Operational Resilience Act, establishes a common cybersecurity framework for the financial sector. It is built on a simple idea: a bank, an insurance company, or a payment platform must be able to continue operating even when a major digital incident occurs.

Before DORA, requirements were scattered across several texts, guidelines, and national practices. The regulation now harmonizes obligations across the European Union, with clearer rules for groups operating in several countries.

This regulation is not limited to prevention. It requires organizations to identify their risks, test their defenses, document their dependencies, and notify critical incidents according to structured procedures.

Why DORA has become essential for financial services

The financial sector has become deeply digitized: mobile payments, online banking, automated trading, remote identity verification, AI applied to fraud detection, cloud infrastructures. This transformation improves the customer experience, but it also expands the attack surface.

Cybercriminals target sensitive data, administrator access, critical applications, and supply chains. A service interruption no longer affects just an IT team: it can block payments, disrupt customers, and undermine confidence in an entire institution.

ENISA notably analyzed 488 publicly reported incidents between January 2023 and June 2024 in the European financial sector. Banks were among the most exposed players, which confirms the value of a stricter and more operational European framework.

The rise in risks linked to the dark web, compromised credentials, and data leaks also makes monitoring more complex. On this point, the analyses devoted to the dark web and new digital threats clearly illustrate the growing pressure weighing on exposed organizations.

Who is concerned by the DORA cyber regulation

DORA applies to a broad range of European financial players. The text covers traditional institutions, but also more specialized structures, because digital resilience depends on the entire ecosystem.

A mutual insurance company, an asset management company, a payment provider, or a critical cloud provider may be concerned to different degrees. The regulation incorporates a principle of proportionality in order to adapt requirements to the size, complexity, and risk profile of each entity.

  • Credit institutions, investment banks, cooperative banks, and mutual banks.
  • Insurance companies, reinsurance companies, and relevant occupational retirement institutions.
  • Investment firms, portfolio management companies, and financial advisors.
  • Payment institutions, electronic money institutions, and payment service providers.
  • Market infrastructures, clearing houses, and securities settlement systems.
  • Authorized crypto-asset service providers.
  • Critical ICT providers, including hosting providers, software publishers, cloud services, and cybersecurity providers.

This extension to technology providers fundamentally changes the logic of compliance. A financial entity can no longer treat its software or cloud provider as a simple purchasing relationship: it must monitor, control, and document the associated risks.

The 5 pillars of the DORA regulation to master

The DORA cyber regulation is based on five complementary pillars. Their common objective is to move from declarative cybersecurity to proven resilience, tested and managed on a daily basis.

For an IT department, this means linking technical processes to business requirements. For executive management, it means that digital risk becomes a governance issue, just like financial or operational risk.

| DORA pillar | Main objective | Example of concrete action |
|---|---|---|
| ICT risk management | Identify, assess, and control digital risks. | Map critical assets, access, backups, and application dependencies. |
| Notification of major incidents | Report significant incidents to the competent authorities. | Implement a procedure for classifying incidents and escalating them quickly. |
| Digital resilience testing | Verify the ability of systems to withstand disruptions. | Carry out vulnerability tests, business continuity recovery tests, and, for critical entities, advanced tests. |
| ICT provider management | Control risks related to technology providers. | Maintain a register of contracts, audit critical providers, and plan exit strategies. |
| Cyber information sharing | Strengthen collective defense against threats. | Share indicators of compromise and alerts within a secure framework. |

ICT risk management

DORA requires financial entities to structure their management of digital risks. This covers system security, access management, data backup, business continuity, and post-incident recovery.

A concrete example: a regional bank operating a mobile account management application must know its critical components, exposed APIs, hosting providers, and recovery mechanisms. Without this mapping, it is impossible to correctly assess the impact of an outage or an attack.

Sensitive digital projects must therefore integrate cybersecurity from the design stage. This is precisely the approach advocated by DualMedia when a business application, a transactional website, or a mobile application requires a high level of security, UX, and performance.

Classification and notification of major incidents

The DORA regulation governs how to classify and report ICT-related incidents. Organizations must assess the impact on services, customers, and data, the duration of the interruption, and the criticality of the affected functions.

In France, the ACPR and the AMF play a central role depending on the entities concerned. The expected procedures require structured reports: initial notification, intermediate information, and a final report including causes, impacts, and corrective measures.

This requirement pushes teams to industrialize crisis management. An incident must no longer be handled only in an internal technical channel, but within a documented, managed chain understandable to business teams as well as to the authorities.

Digital operational resilience testing

DORA requires regular testing to verify that security measures actually work. These tests may include vulnerability assessments, network security checks, business continuity exercises, and recovery simulations.

The most important entities must go further with advanced threat-led testing. The goal is not to tick a box, but to detect weaknesses before a malicious actor exploits them.

For financial web and mobile applications, this logic is decisive. An authentication flaw, a poorly protected token, or an insufficiently filtered API can have a direct impact on customers and on compliance.

DORA, ICT providers, and cloud dependency

One of DORA’s major concerns is the oversight of third-party ICT service providers. Financial institutions must know to whom they entrust their data, processing, infrastructure, and essential services.

This obligation notably concerns cloud providers, SaaS publishers, hosting providers, managed service providers, cybersecurity providers, and critical software solutions. In the event of a failure by a central player, the domino effect can impact several entities simultaneously.

DORA therefore requires an information register listing the contractual arrangements with these providers. This register must specify the criticality of the services, the supported functions, dependencies, and the essential contractual elements.

Contracts must also include appropriate clauses: service levels, security, audit access, incident notification, data location, business continuity, and exit strategy. This approach transforms the supplier relationship into genuine risk management.

The case of a mobile provider for an insurance company

Let’s imagine an insurance company that entrusts a service provider with the development of its customer mobile application. This application allows claims to be reported, supporting documents to be sent, and reimbursements to be tracked.

With DORA, the insurance company must verify development security, access management, data protection, recovery capacity, and the quality of contractual commitments. The service provider must therefore document its practices and contribute to overall compliance.

DualMedia is involved precisely in this type of scope when an organization wishes to secure a mobile application, audit an architecture, or strengthen a critical interface. The issues detailed in this article on cybersecurity in mobile application development directly align with DORA’s operational requirements.


DORA and NIS2: two similar but not identical texts

DORA and NIS2 pursue a common objective: strengthening European cybersecurity. However, their scope of application and legal logic differ.

NIS2 targets many critical or important sectors, such as energy, healthcare, transportation, water, digital infrastructure, or certain government administrations. DORA, for its part, focuses specifically on the financial sector.

In this context, DORA acts as a specialized text for financial entities. When its requirements cover a subject of digital resilience in finance, they take precedence over the more general rules of NIS2.

| Criteria | DORA | NIS2 |
|---|---|---|
| Main scope | European financial sector. | Essential and important sectors of the European economy. |
| Objective | Digital operational resilience of financial services. | General strengthening of cybersecurity for critical entities. |
| Third-party providers | Very detailed oversight of critical ICT services. | A more cross-functional approach to the supply chain. |
| Nature of the text | Directly applicable regulation. | Directive to be transposed into national laws. |

For a financial organization, the priority is therefore to analyze DORA as the central framework. The other regulatory frameworks remain useful, but they must be aligned without creating unnecessary duplication.

DORA timeline and obligations since January 2025

The DORA Regulation legally entered into force on January 16, 2023, and then became applicable on January 17, 2025. The entities concerned must therefore have been operating since that date with operational compliance arrangements in place.

The technical texts and implementation standards have gradually clarified the concrete expectations. In France, the submission of the information register constituted a first major deadline in spring 2025, depending on the competent authorities and the categories of stakeholders.

In practice, organizations must maintain their framework over time. DORA compliance is not a one-time project: it requires updates, recurring tests, contractual reviews, and continuous risk management.

  • January 16, 2023: entry into force of the European regulation.
  • July 17, 2024: adoption of implementing texts and technical standards on several operational aspects.
  • January 17, 2025: effective application of DORA obligations.
  • Spring 2025: first submissions of information registers to the competent authorities, depending on the case.
  • From 2025 onward: continuous maintenance of compliance, controls, tests, and document updates.

This timeline shows that the subject is now in its execution phase. Business, legal, procurement, compliance, and information systems departments must work together to avoid blind spots.

DORA sanctions and management responsibilities

DORA strengthens the responsibility of financial entities and their governance. Executives can no longer fully delegate digital risk to technical teams without strategic oversight.

The competent authorities may impose corrective measures, injunctions, restrictions, public communications, or administrative sanctions. The amounts depend on the severity, the context, the duration of the breach, and the applicable national rules.

Critical third-party providers may also be subject to specific measures. In the event of non-compliance with the imposed requirements, penalty payments may be applied in accordance with the framework provided by DORA.

Beyond sanctions, reputational risk remains considerable. A prolonged disruption, a data breach, or poor crisis communication can cost more than a properly managed compliance program.

How to prepare effective DORA compliance

An effective approach begins with clear mapping. The organization must identify its critical services, digital assets, data flows, providers, and most likely incident scenarios.

Next comes prioritization. Not all actions present the same level of urgency: an API exposing sensitive data, a critical cloud provider, or an untested recovery plan must be addressed before secondary optimizations.

The work must remain operational. A voluminous document repository is not enough if teams do not know whom to alert, how to classify an incident, or how to restore a priority service.

  1. Map ICT assets, critical applications, and supplier dependencies.
  2. Assess risks according to business impact, likelihood, and recovery capacity.
  3. Update security, continuity, and access management policies.
  4. Review contracts with ICT providers and document exit strategies.
  5. Build a reliable, maintained, and usable information register.
  6. Regularly test resilience measures and retain evidence.
  7. Train business, IT, procurement, and compliance teams on incident procedures.
  8. Establish governance oversight with indicators, action plans, and periodic reviews.

In web, mobile, or application projects, DualMedia can contribute to this approach through technical auditing, securing user journeys, improving performance, and designing more robust architectures. The convergence between blockchain, mobile and cybersecurity, mentioned in this analysis on the technologies reshaping the digital world, shows how much today’s systems must be designed as interdependent environments.

The role of UX, performance, and secure development

Digital resilience does not depend solely on firewalls or compliance procedures. A poorly designed, slow, or confusing application can increase human error, generate workarounds, and complicate crisis management.

A clear UX reduces usage risks. Understandable error messages, reliable authentication flows, consistent session management, and a mobile-friendly interface contribute to operational security.

Web performance also plays a role. When a financial service experiences a traffic spike or a denial-of-service attack, an optimized and correctly monitored architecture makes business continuity easier.

This view aligns with the concerns of companies digitizing their transactional services. In a context where e-commerce and digital payments continue to grow, the lessons related to e-commerce figures in Paris in 2025 remind us that digital trust remains a decisive factor.

Our opinion

DORA marks a turning point for European financial services. The regulation requires organizations to move from a logic of theoretical compliance to a culture of demonstrable, tested, and managed resilience.

The most mature institutions will see it as an opportunity to strengthen their architecture, contracts, governance, and their clients’ trust. The others will have to accelerate, because ICT risk supervision is now a permanent issue.

The right approach is to connect compliance, cybersecurity, UX, software development, and performance. It is in this articulation that expert agencies like DualMedia can provide concrete value, particularly on mobile applications, critical web platforms and connected business systems.

What is DORA in financial services?

DORA is the European regulation on the digital operational resilience of the financial sector. It requires banks, insurance companies, payment service providers, management companies, and critical ICT providers to better prevent, manage, and overcome digital incidents.

Since when has DORA been applicable?

DORA has been applicable since January 17, 2025. The entities concerned must therefore have procedures, registers, tests, and controls compliant with the requirements of the regulation.

Who is affected by DORA cyber regulation?

DORA applies to a broad range of European financial entities. This includes, in particular, banks, insurance companies, investment firms, payment institutions, market infrastructures, crypto-asset entities, and critical ICT service providers.

What are the 5 pillars of DORA?

The 5 pillars of DORA are ICT risk management, the reporting of major incidents, resilience testing, the management of third-party ICT providers, and the sharing of cyber threat information. These pillars structure a continuous approach to financial cybersecurity.

Does DORA apply to IT service providers?

Yes, DORA also concerns certain ICT service providers, especially when they provide critical services to the financial sector. Cloud providers, software publishers, hosting providers, and cybersecurity service providers may be included in the monitoring framework.

What is the difference between DORA and NIS2?

DORA specializes in the financial sector, while NIS2 covers several essential or important sectors. For financial entities, DORA is the reference framework for digital operational resilience.

What should the DORA information register contain?

The DORA information register lists contractual agreements with ICT providers. It must make it possible to identify suppliers, the services concerned, their criticality, and the associated dependencies.

What incidents must be reported under DORA?

Major ICT incidents must be reported to the competent authorities. Their classification depends in particular on the impact on services, data, and clients, the duration of the event, and the criticality of the affected functions.

Does DORA require cybersecurity testing?

Yes, DORA requires regular digital operational resilience testing. These tests may include vulnerability assessments, continuity testing, recovery exercises and, for certain entities, advanced threat-led testing.

Do small financial entities have the same DORA obligations?

DORA applies a principle of proportionality. The requirements may be adapted according to the size, complexity, risk profile, and systemic importance of the entity concerned.

How to prepare for DORA compliance?

DORA compliance begins with mapping risks, critical assets, and ICT service providers. It must then incorporate incident procedures, regular testing, a contract review, and clear governance.

Why is DORA important for a financial mobile app?

DORA is important for a financial mobile application because it can carry critical functions and sensitive data. Development security, access management, service availability, and recovery capability then become operational requirements.

Would you like to get a detailed quote for a mobile application or website?
Our team of development and design experts at DualMedia is ready to turn your ideas into reality. Contact us today for a quick and accurate quote: contact@dualmedia.fr
