EuroComply
Créer un compte

Digital Operational Resilience Act

Le Règlement sur la Résilience Opérationnelle Numérique (Règlement (UE) 2022/2554, DORA) est le cadre européen pour le risque TIC du secteur financier, directement applicable depuis 17 janvier 2025. Il oblige entités financières — banques, assureurs, prestataires paiement, entreprises investissement, prestataires crypto-actifs — à : gestion du risque TIC, classification et notification incidents majeurs, tests réguliers résilience numérique (y compris test d'intrusion sur menace, TLPT), supervision des prestataires tiers TIC critiques via registre d'information et garanties contractuelles. France : Autorité de Contrôle Prudentiel et de Résolution (ACPR) pour banques et assurances, Autorité des Marchés Financiers (AMF) pour entreprises investissement, supervisent conformité.

Free DORA Scope Checker

What does DORA require and when does it apply?

DORA applies to Banking and Insurance organisations across all EU member states. The key deadline is January 17, 2025. Non-compliance carries a maximum penalty of CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law. Core obligations include implement ict risk management framework and conduct digital operational resilience testing.

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence
DeadlineJanuary 17, 2025
Max fineCTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
Primary sectorsBanking, Insurance, Investment Firms
Source: Official Journal of the EU — Digital Operational Resilience ActReviewed:
TL;DR

DORA: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law max fine

DORA applies to Banking and Insurance organisations in all EU member states. Key deadline: January 17, 2025.

Source: Official Journal of the European Union — Digital Operational Resilience Act

Who does DORA apply to?

DORA s'applique à un large ensemble d'entités financières et — fait nouveau — directement aux prestataires tiers de services TIC désignés comme critiques pour le système financier européen.

  • Établissements de crédit, établissements de paiement, établissements de monnaie électronique, entreprises d'investissement
  • Prestataires de services sur actifs numériques (au sens de MiCA), dépositaires centraux de titres, contreparties centrales, plateformes de négociation
  • Entreprises d'assurance et de réassurance, IRP, agences de notation de crédit, cabinets d'audit (dispositions limitées)
  • Prestataires tiers de services TIC critiques (CTPP) désignés par les autorités européennes de surveillance
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Article 2 (Champ d'application personnel)Reviewed:

What are the penalties for DORA non-compliance?

Les sanctions visant les entités financières sont fixées au niveau national ; en France, par l'ACPR et l'AMF dans le cadre de leurs pouvoirs disciplinaires respectifs. Les prestataires tiers critiques sont soumis à un régime de surveillance harmonisé au niveau européen, avec un mécanisme spécifique de pénalités périodiques fixé par DORA lui-même.

Maximum fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Article 35 (Pouvoirs de l'autorité de surveillance principale) et article 50Reviewed:

When does DORA apply?

DORA est entré en vigueur le 16 janvier 2023 et s'applique directement dans toute l'UE depuis le 17 janvier 2025. Les autorités nationales compétentes — en France l'ACPR et l'AMF — ont engagé des dialogues prudentiels avec les entités concernées dès la fin 2024.

  • 2023-01-16 — Entry into force
  • 2025-01-17 — Direct application across the EU
Source: Regulation (EU) 2022/2554 (DORA) — EUR-Lex Official Journal — Article 64 (Entrée en vigueur et application)Reviewed:

Comment tenir un registre d'information DORA des prestataires TIC tiers

L'article 28(3) impose aux entités financières la tenue d'un registre d'information sur l'ensemble des accords contractuels avec les prestataires tiers de services TIC, mis à la disposition de l'autorité compétente sur demande.

  1. 1

    Recenser tous les prestataires tiers de services TIC

    Cartographiez chaque accord contractuel portant sur la fourniture de services TIC, qu'il s'agisse d'un prestataire intra-groupe ou externe.

  2. 2

    Renseigner les champs définis par les normes techniques d'exécution (ITS)

    Saisissez les champs prescrits par le règlement d'exécution (UE) 2024/2956 (ITS sur le registre d'information) : métadonnées contractuelles, description de la fonction, criticité, localisation des données et du service, chaîne de sous-traitance, etc.

  3. 3

    Identifier les accords supportant des fonctions critiques ou importantes

    Identifiez les accords qui supportent des fonctions classées comme critiques ou importantes — ils déclenchent des exigences contractuelles et de stratégie de sortie renforcées (article 28(2)).

  4. 4

    Transmettre annuellement à l'autorité compétente

    Transmettez le registre au moins une fois par an dans le format prescrit ; mettez-le à jour dès qu'un changement substantiel intervient dans un accord supportant une fonction critique ou importante.

1 % du chiffre d'affaires journalier mondial

Pénalité périodique maximale quotidienne que l'autorité européenne de surveillance principale peut imposer à un prestataire tiers de services TIC critique en cas de non-respect des mesures de surveillance DORA (plafonnée à six mois).

Règlement (UE) 2022/2554, article 35(6)

Deadline

January 17, 2025

Max Fine

CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law

Sectors Affected

Banking, Insurance, Investment Firms

1 % du chiffre d'affaires journalier mondial

Pénalité périodique maximale quotidienne que l'autorité européenne de surveillance principale peut imposer à un prestataire tiers de services TIC critique en cas de non-respect des mesures de surveillance DORA (plafonnée à six mois).

Règlement (UE) 2022/2554, article 35(6)

Key regulatory facts: Digital Operational Resilience Act
Official nameRegulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector
Reg. No.(EU) 2022/2554
CELEX32022R2554
Typeregulation
In force2023-01-16
Applies from2025-01-17
Max fineCTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.
Authorities
European Banking Authority (EBA) (EU)
European Securities and Markets Authority (ESMA) (EU)
European Insurance and Occupational Pensions Authority (EIOPA) (EU)
National competent authorities (member-state)
ESAs Lead Overseer for CTPPs (EU)
Source(EU) 2022/2554 — EUR-Lex Official Journal

How do I comply with DORA?

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence

Does DORA apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

DORA by Country

🇩🇪

Germany

🇫🇷

France

🇳🇱

Netherlands

🇪🇸

Spain

🇮🇹

Italy

🇦🇹

Austria

🇧🇪

Belgium

🇵🇱

Poland

🇸🇪

Sweden

🇮🇪

Ireland

🇵🇹

Portugal

🇩🇰

Denmark

🇫🇮

Finland

🇨🇿

Czech Republic

🇷🇴

Romania

🇭🇺

Hungary

🇸🇰

Slovakia

🇧🇬

Bulgaria

🇭🇷

Croatia

🇬🇷

Greece

🇱🇺

Luxembourg

🇪🇪

Estonia

🇱🇻

Latvia

🇱🇹

Lithuania

🇸🇮

Slovenia

🇲🇹

Malta

Explore DORA in depth

Penalties & Fines

Maximum fine tiers, Article-by-Article breakdown, and mitigation factors.

Enforcement Timeline

Key dates, application milestones, and per-Member-State transposition status.

DORA by Industry

💻

SaaS & Software

💳

Fintech & Financial Services

🏥

Healthcare & MedTech

🏭

Manufacturing & Industry

🛒

E-commerce & Retail

🎓

EdTech & Education

🚚

Logistics & Transport

Energy & Utilities

📡

Telecoms & Media

👥

HR & Recruitment

⚖️

Legal & Professional Services

🏛️

Public Sector & NGOs

DORA by Role

Small Financial Entities

DORA applies a proportionality principle (Article 4): the depth and granularity of an entity's ICT risk-management framework should reflect its size, overall risk profile, and the nature, scale, and complexity of its services. Article 16 sets a simplified ICT risk-management framework for specific small or non-interconnected entities.

Related Regulations

NIS2

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

Explore DORA in depth

Penalties & Fines

See enforcement patterns, fine tier tables, and real enforcement cases across EU member states.

Deadline Timeline

Key milestones, implementation phases, and country-specific deadlines and phased rollout dates.

Industry Guides

Sector-specific DORA guidance for SaaS, fintech, healthcare, and other affected industries.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which DORA obligations apply to your business in 2 minutes.

Classify your AI systems

Check Your Compliance Obligations

Find out which DORA obligations apply to your organisation in under 2 minutes.

Check Your EU Compliance

Recent DORA Articles

What Is DORA? A Complete Guide for Financial Entities

8 Jun 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

What Is DORA? A Complete Guide for Financial Entities

31 May 2026

Frequently Asked Questions

What are the DORA compliance requirements for fintech?
DORA (Regulation 2022/2554) applies to financial entities and their ICT third-party providers from January 2025. Core requirements: (1) ICT Risk Management framework (Articles 5–16) with documented policies and regular testing; (2) ICT-related incident classification and reporting to competent authorities within 4 hours for major incidents; (3) Digital Operational Resilience Testing including penetration testing every three years for significant institutions; (4) Third-party ICT risk management with DORA-compliant contractual clauses; (5) Register all critical ICT third-party providers with the relevant authority. Fintech companies under MiFID II, PSD2, or e-money licensing are in scope.
Does DORA apply to small fintech startups in the EU?
DORA applies to all financial entities as defined in Article 2, including payment institutions, e-money institutions, investment firms, and crypto-asset service providers (CASPs), regardless of size. Proportionality provisions in Article 4 allow microenterprises — fewer than 10 employees and under €2M annual turnover — to implement a simplified ICT risk management framework. However, incident reporting obligations (Article 19) and third-party ICT risk management requirements apply to all in-scope entities regardless of size. A fintech startup that has obtained a PSD2 payment institution licence, an e-money licence, or a MiCA CASP authorisation is in scope for DORA from January 2025.
What are DORA's ICT incident reporting requirements?
DORA Article 19 requires financial entities to classify and report major ICT-related incidents to their national competent authority (NCA) — e.g., BaFin for German banks, ACPR for French institutions, DNB for Dutch entities. The reporting timeline is: an initial notification within 4 hours of classifying the incident as major (or 24 hours from first detection); an intermediate report within 72 hours; and a final report within one month. An incident is classified as major based on criteria including number of clients affected, service downtime, geographic spread of impact, and data loss. Financial entities must also voluntarily notify NCAs of significant cyber threats that have not yet caused an incident.
What is a DORA-compliant ICT risk management framework?
A DORA-compliant ICT risk management framework (Articles 5–16) must include: a documented ICT strategy endorsed by the management body; an ICT asset register covering hardware, software, and data; a business impact analysis for critical functions; a business continuity and disaster recovery plan with tested RTO/RPO targets; regular ICT security testing including vulnerability assessments (annually for all entities) and threat-led penetration testing every three years for significant institutions; and access control policies with privileged account management. The framework must be reviewed annually and after any major ICT incident. Management bodies are personally responsible for compliance and must maintain sufficient ICT knowledge.

For informational purposes only. This is not legal advice — consult qualified legal counsel.

Last verified: · Source: EUR-Lex 32022R2554 · Editorial policy