
DORA and cybersecurity: guaranteeing digital resilience in the face of operational risks

Contents

DORA: the new deal in cybersecurity for financial institutions
DORA: a wide range of risks to manage
Regulatory compliance: a constant headache for companies in the financial sector
How to guarantee digital resilience?

In force since January 2023 and applicable since January 2025, the European DORA regulation (Digital Operational Resilience Act) redefines the rules of the game for cybersecurity and risk management in finance. It establishes a common EU-wide framework to strengthen the digital operational resilience of industry players. Banks, asset management companies, market infrastructures, investment firms, crypto-asset service providers and crowdfunding platforms: all are now covered by these demanding rules, designed to help institutions better anticipate, absorb and respond to cyber threats and major technological incidents.

DORA: the new deal in cybersecurity for financial institutions

These provisions are built around five fundamental pillars: 

- Digital risk management and governance 

The first pillar of DORA makes the management body (board and senior management) accountable for ICT risk. It must not only approve ICT risk management policies but also actively supervise their implementation. DORA requires that critical systems and data be protected. To get there, institutions must first draw up a detailed inventory of their digital assets and the vulnerabilities associated with them, then classify systems, applications and services by criticality, and finally keep security measures up to date as assets and threats change.

- Incident classification and reporting 

ICT-related incidents must be classified, and major ones reported to the competent authorities; significant cyber threats may also be reported on a voluntary basis. Security Operations Centers (SOCs) play the key role in qualifying alerts: an alert only becomes a reportable incident once its criticality and impact have been assessed against the classification criteria. At the volumes a SOC handles, this is only workable with automated sorting, analysis and escalation of alerts, with analysts confirming what the automation surfaces.
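As an added illustration of the sorting, analysis and escalation steps described above (example code written for this page, not code from the article or from any vendor it names), the following Python pipeline correlates qualified SOC alerts into incidents, classifies each one and computes a notification deadline. The thresholds, the one-hour correlation window and the two reporting clocks are placeholders chosen for the example, not the values from the DORA technical standards, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Placeholder thresholds and reporting clock for this example. They are NOT the
# regulatory values: take those from the DORA technical standards on incident
# classification and reporting.
CRITICAL_DOWNTIME_HOURS = 2.0
CLIENTS_AFFECTED_THRESHOLD = 10_000
INITIAL_REPORT_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_REPORT_CAP_AFTER_DETECTION = timedelta(hours=24)


@dataclass(frozen=True)
class Alert:
    """One monitoring alert after SOC qualification."""
    alert_id: str
    detected_at: datetime
    service: str
    service_is_critical: bool
    downtime_hours: float = 0.0   # cumulative downtime observed at alert time
    clients_affected: int = 0
    data_compromised: bool = False
    false_positive: bool = False  # set by the analyst who qualified the alert


@dataclass
class Incident:
    """Alerts correlated on one service, in time order."""
    service: str
    alerts: list[Alert] = field(default_factory=list)

    @property
    def detected_at(self) -> datetime:
        return self.alerts[0].detected_at


def correlate(alerts: list[Alert], window: timedelta = timedelta(hours=1)) -> list[Incident]:
    """Sorting step: drop rejected alerts, then merge alerts on the same service
    into one incident while each arrives within `window` of the previous one."""
    incidents: list[Incident] = []
    open_by_service: dict[str, Incident] = {}
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        if alert.false_positive:
            continue
        current = open_by_service.get(alert.service)
        if current and alert.detected_at - current.alerts[-1].detected_at <= window:
            current.alerts.append(alert)
        else:
            current = Incident(alert.service, [alert])
            incidents.append(current)
            open_by_service[alert.service] = current
    return incidents


def classify(incident: Incident) -> str:
    """Analysis step: 'major' if a critical service exceeded the downtime
    threshold, enough clients were affected, or data was compromised."""
    alerts = incident.alerts
    critical_down = any(a.service_is_critical for a in alerts) and \
        max(a.downtime_hours for a in alerts) >= CRITICAL_DOWNTIME_HOURS
    many_clients = max(a.clients_affected for a in alerts) >= CLIENTS_AFFECTED_THRESHOLD
    data_loss = any(a.data_compromised for a in alerts)
    return "major" if (critical_down or many_clients or data_loss) else "minor"


def escalate(incident: Incident, classified_at: datetime) -> dict:
    """Escalation step: must the regulator be notified, and by when? The deadline
    is the earlier of the two clocks, so classifying late never buys time."""
    severity = classify(incident)
    if severity != "major":
        return {"severity": severity, "notify_regulator": False, "deadline": None}
    deadline = min(classified_at + INITIAL_REPORT_AFTER_CLASSIFICATION,
                   incident.detected_at + INITIAL_REPORT_CAP_AFTER_DETECTION)
    return {"severity": severity, "notify_regulator": True, "deadline": deadline}


# Constructed sample alerts (not real SOC data).
T0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("A1", T0, "payments-api", True, downtime_hours=1.5),
    Alert("A2", T0 + timedelta(minutes=40), "payments-api", True, downtime_hours=2.5),
    Alert("A3", T0 + timedelta(minutes=10), "marketing-site", False, clients_affected=50),
    Alert("A4", T0 + timedelta(hours=3), "payments-api", True, downtime_hours=0.2),
    Alert("A5", T0 + timedelta(minutes=5), "hr-portal", False,
          data_compromised=True, false_positive=True),
]


def triage(alerts: list[Alert] = SAMPLE_ALERTS,
           classified_at: datetime = T0 + timedelta(hours=2)) -> list[dict]:
    """Run all three steps and return one decision per correlated incident."""
    return [{"service": inc.service, "detected_at": inc.detected_at,
             **escalate(inc, classified_at)} for inc in correlate(alerts)]
```

Running `triage()` on the sample yields three incidents: the two payments-api alerts forty minutes apart merge into one major incident (cumulative downtime 2.5 h on a critical service), the marketing-site alert stays minor, the later payments-api alert three hours on opens a separate minor incident, and the analyst-rejected hr-portal alert is dropped before classification. The design point worth keeping is in `escalate`: taking the earlier of the two deadlines means a slow classification step cannot push the notification past the cap measured from detection.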

- Digital operational resilience testing 

Operational resilience tests are essential to measure institutions' ability to cope with crises, using attack simulations that are as realistic as possible. For institutions identified by their competent authority, DORA requires threat-led penetration tests (TLPT) on live production systems at least every three years. Going beyond DORA's own requirements, the ECB's Cyber Resilience Stress Test was a further milestone in assessing and attesting to the operational resilience of financial institutions. This major initiative assessed banks' ability to recover from a cyberattack, evaluating not only their immediate response but also their ability to keep essential operations running despite the disruption.

- Risk management for third-party service providers 

Reinforced monitoring of third parties helps to control the risks associated with outsourced operations. This starts with a register of all ICT service providers and the contractual arrangements with them, a map of the most strategic ones and of their interdependencies (subcontractors included), and regular audits, beginning with the suppliers that matter most.

- Sharing information 

This last pillar of DORA concerns the sharing of threat information between institutions, which is essential for strengthening collective resilience. It requires, among other things, anonymizing the data shared, standardizing formats and incident classifications, and agreeing on common standards.

DORA: a wide range of risks to manage

DORA does more than set out a regulatory framework: it imposes a genuine risk management culture. Its objective is clear: to guarantee the continuity and quality of the essential digital services of financial institutions, even during a major incident. But institutions still have to identify the full range of threats to take into account, and that range is wide.

  1. Cyberattacks: the most frequent and most feared risk. Ransomware, distributed denial-of-service (DDoS) attacks, phishing campaigns and intrusions aimed at stealing sensitive data: cyberthreats are everywhere. According to CESIN, nearly one in two French companies was the victim of a cyberattack in 2024. The financial sector remains particularly exposed: according to Akamai, it was the sector most affected by DDoS attacks, with a 24% increase over one year. DORA reminds us that resilience depends above all on preparation and responsiveness to scenarios that have become almost daily occurrences.
  2. Technical failures: the invisible but equally critical risk. Incidents do not always come from an external attack. A simple configuration error, a software bug, aging hardware or a patch not applied in time can cause major interruptions. These internal malfunctions are often underestimated, even though they directly compromise service availability and user confidence. DORA pushes institutions to strengthen their maintenance, audit and systems lifecycle management processes.
  3. Supply-chain risks: dependence on third-party suppliers in the crosshairs. This is undoubtedly the most delicate point. The concentration of digital services (cloud services in particular) in the hands of a small number of major American providers creates a systemic risk: a failure at a critical provider can paralyze many financial players simultaneously. According to a Censuswide study for Veeam, monitoring third-party risk is the most problematic DORA requirement: it is the hardest to implement for 38% of French companies, while only 16% have already done so. This is a worrying finding, all the more so because visibility of interdependencies, especially subcontracting chains, often remains fragmentary.

Regulatory compliance: a constant headache for companies in the financial sector 

This regulatory context represents an unprecedented step forward for the cybersecurity of financial institutions. According to the Censuswide study for Veeam, 96% of European financial services companies recognize the need to strengthen their compliance with DORA's resilience requirements. This is not yet reflected in practice: one company in five still has no recovery and continuity tests, no incident reporting system and no digital operational resilience tests. Similarly, 27% of companies have not yet clearly identified who is responsible for implementing DORA.

While DORA has established itself as the benchmark for operational resilience, it is just one piece of the regulatory puzzle that financial institutions now face. Compliance is not limited to one regulation: it extends to a complex ecosystem of European and national texts such as NIS2, Cyberscore, GDPR and the AI Act, which are profoundly redefining security, governance and transparency obligations. According to CESIN, 79% of French companies were already affected by at least one of these regulations in 2023, compared with 70% a year earlier. More worrying still, more than one in two (52%) report a strong impact, a sign that compliance is no longer a matter of documentation alone but a major organizational and technological challenge. The difficulty lies not just in understanding or implementing the texts, but in the volume of data they require organizations to manage. According to a OnePoll study for Splunk, 53% of French CIOs have struggled to maintain compliance over the past three years because of the sheer volume of data to be processed, a burden made heavier by the multiplication of sources, formats and systems. And 63% of them now fear the fines associated with non-compliance.

How to guarantee digital resilience?

To ensure operational resilience, the AMF (Autorité des marchés financiers, the French financial markets regulator) recommends vulnerability scans, network security assessments, physical security reviews, threat-led penetration tests (TLPT) and exercises that simulate an end-to-end crisis.

A security policy must meet four imperatives: 

- Ensure availability of systems, applications and data access 

- Protect confidentiality, particularly with regard to transactions and personal data 

- Preserve the integrity of systems and applications.

- Guarantee transaction traceability, a key point in the financial sector.

When these four conditions are met, in particular by implementing the measures DORA prescribes for governance, internal control, risk classification, escalation and notification, digital resilience is under control.

Securing such a perimeter, with huge volumes of data to collect and manage, is not feasible without software support. The robustness and maturity of the AP Scan, AP Scoring and AP Monitoring solutions developed by AP Solutions IO were confirmed by the tests carried out while preparing the Digital Operational Resilience report. They have demonstrated their ability to meet the requirements of the DORA framework, giving financial players proven, compliant and sustainable digital resilience.


Anticipate DORA's requirements today.