Since January 17, 2025, the DORA regulation has been mandatory for European financial institutions. For you, the stakes go far beyond cybersecurity. It affects your ability to maintain your services, manage your technology providers, document your incidents, and demonstrate, with supporting evidence, that your organization remains operational in times of stress. DORA is a directly applicable European regulation, designed to raise the common level of digital operational resilience across the entire financial sector.
At AP Solutions IO, we view this regulatory change as a matter of governance, traceability, and business continuity. For a compliance officer, a CCO, an RCSI, an MLRO, or a legal department, the central issue is one of proof. Are you able to demonstrate that your critical systems, workflows, technological dependencies, and controls remain under control when an incident occurs or when a regulator requests specific information?
DORA: Definition, Objectives, and Implementation Schedule
The Digital Operational Resilience Act refers to Regulation (EU) 2022/2554. Its purpose is clear: to establish common requirements regarding the security of networks and information systems that support the business processes of financial entities. The text covers, in particular:
- ICT risk management;
- the reporting of major incidents;
- resilience testing;
- the sharing of information on cyber threats;
- the management of risks associated with ICT service providers;
- the framework for overseeing critical service providers.
The effective date fundamentally changes the way compliance projects are approached. You are no longer in a theoretical preparation phase. You are now in a phase of implementation, maintenance, and justification.
In France, the ACPR has already made the system operational. It has done so, in particular, by issuing instructions regarding the reporting of major incidents and the submission of registers of information on contractual arrangements for ICT services.
DORA is also transforming internal governance. The text requires the governing body to define, approve, oversee, and take responsibility for the ICT risk management framework, including the digital operational resilience strategy and the risk tolerance level. The principle of proportionality remains applicable, but it does not diminish the requirement for governance. It adjusts the intensity of the obligations based on the entity's size, risk profile, and degree of complexity.

The 5 pillars of DORA: ICT risk management, incidents, testing, third parties, and information sharing
To manage your DORA compliance, we recommend organizing your approach around five operational pillars. The European framework also provides for a sixth level of vigilance: the supervision of critical ICT providers at the EU level.
The first pillar focuses on ICT risk management. It covers internal policies, organization, business continuity, incident response, recovery, and the governance of digital assets.
The second concerns incident management and reporting, including the classification and escalation of incidents, the reporting of major incidents, and the reporting of certain significant cyber threats.
The third focuses on digital operational resilience testing, through a risk-based program, supplemented, for certain entities, by advanced testing.
The fourth deals with risks associated with third-party ICT providers, through dependency mapping, contractual clauses, concentration, reversibility, and supplier monitoring.
The fifth covers information sharing, with structured exchanges on cyber threats and vulnerabilities to strengthen collective preparedness.
These pillars form the core of the regulatory framework.
In practice, this framework requires you to move from a stack of checks to a true chain of evidence. An incident must be identified, classified, escalated, documented, and then linked to clearly defined responsibilities. A critical service provider must be assessed before the contract is signed, monitored during its execution, and integrated into a consolidated risk assessment.
As for the testing program, it must produce results that are truly actionable by management. For some organizations, threat-led penetration testing (TLPT) is becoming an advanced and recurring requirement.
Who is affected? Banks, insurance companies, asset management firms, and IT service providers
The scope of DORA is broad. The regulation applies in particular to:
- credit institutions;
- payment institutions;
- electronic money institutions;
- investment firms;
- crypto-asset service providers;
- market infrastructures;
- management companies;
- insurance and reinsurance companies;
- insurance intermediaries;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding platforms;
- securitization repositories;
- third-party ICT service providers.
ESMA states that DORA covers 21 categories of financial entities.
Specifically, this includes banks and payment services, insurance companies and their intermediaries, asset management firms, market participants, crypto-asset service providers, and financial infrastructure providers. It also includes third-party ICT service providers involved in the financial value chain.
However, the exact scope depends on the entity’s status and the exclusions specified in the text.
For you, this means that a compliance chain is never isolated. KYC, KYB, KYT, sanctions screening, the management of politically exposed persons (PEP), and transaction monitoring all rely on tools, APIs, repositories, and providers.
Since these building blocks support critical or important functions, DORA becomes a key issue for compliance, internal audit, procurement, the IT department, and senior management.
DORA and AML-CFT Synergies in Compliance
This is where the connection between DORA and AML-CFT comes into its own. A failing sanctions screening engine, an incomplete supplier registry, an insufficiently documented cloud dependency, or an incident not classified in a timely manner can compromise your due diligence framework. The impact extends beyond IT.
It also affects the continuity of your AML-CFT controls, the quality of your decision-making, and your ability to justify a decision during an audit or inspection. Digital operational resilience thus directly protects the operational robustness of your compliance program.
In the field, we often encounter the same challenges: incomplete mapping of dependencies, scattered evidence, inconsistent contracts, governance spread across multiple teams, opaque tools, and reviews that are difficult to audit. DORA requires you to regain control over these areas that are not sufficiently managed. You must identify the service supporting each function, the third party involved, the data flowing through the system, the test performed, the decision made, and the rationale behind it.
At AP Solutions IO, we bring precisely this approach of demonstrable control. Our Glass Box enhances the auditability, traceability, and transparency of decisions in KYC, KYB, KYT, sanctions screening, and transaction monitoring.
With AP Scan, AP Scoring, AP Monitoring, and AP Filter, we help you design systems that remain understandable to your teams, robust in the face of regulatory scrutiny, and compatible with your business continuity requirements. This approach is based on an open, multilingual, no-code SaaS architecture, integrated via API and hosted 100% in France. It relies on over 90 configurable criteria and can reduce false positives by up to 98%, depending on the use case.
Ensure your DORA compliance with a French sovereign solution
We do not view DORA as merely a documentary project. We treat it as a matter of operational mastery. This entails:
- identifying the critical steps in your compliance processes;
- assessing the ICT dependencies that support them;
- supervising suppliers;
- consolidating the evidence;
- organizing incident scenarios;
- making your decisions legally defensible.
This approach makes it possible to effectively implement the regulatory requirement.
Our positioning meets this expectation. AP Solutions IO provides the balance sought by key accounts and ME: long-standing expertise in AML-CFT compliance, combined with next-generation technology that is sovereign, auditable, and can be quickly integrated into your IT system. Our solutions are updated every four months. An explainable augmented intelligence approach helps you prepare both your internal reviews and your interactions with the ACPR.
This approach also prepares you for broader regulatory pressures. Expectations regarding technology governance, explainability, documentation, and audit trails are already rising significantly.
DORA is a particularly concrete example of this. The European regulation on artificial intelligence (AI Act) further reinforces this trend for algorithmic tools. It is therefore in your best interest to build a sustainable, transparent, and justifiable architecture.
If you would like to move forward with this project, we can work with you to develop a DORA action plan tailored to your AML-CFT framework, your compliance timeline, your interpretation of ACPR requirements, and your governance of compliance tools.

FAQ
Does DORA replace existing directives?
No. DORA does not replace all existing legislation applicable to the financial sector. The regulation harmonizes the requirements regarding digital operational resilience, while the Directive (EU) 2022/2556 amends several sector-specific directives to ensure the consistency of the framework. For financial entities falling within its scope, DORA also constitutes a specific sectoral act with respect to NIS 2.
Does DORA apply to RegTech companies?
The answer depends on their position in the value chain. A RegTech may be directly affected if it itself falls under a category of financial entity referred to in Article 2. It may also be affected as a third-party ICT service provider.
In this case, it falls under the third-party risk management obligations of financial entities and, if designated as critical, within the European supervisory framework. In practice, this means that your RegTech must be assessed, contracted, monitored, and properly recorded in your register of information.

