Digital Operational Resilience Act Compliance in France
DORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.
How does DORA apply in France?
DORA applies in France under EU law with the same obligations as across the bloc — maximum fine CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law. The national supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés), which handles enforcement, complaints, and notifications. Deadline: January 17, 2025.
- Supervisory authority: CNIL (Commission Nationale de l'Informatique et des Libertés)
- Maximum fine: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
- Key deadline: January 17, 2025
| Supervisory authority | CNIL (Commission Nationale de l'Informatique et des Libertés) |
| Maximum fine | CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law |
| Key deadline | January 17, 2025 |
| Sectors affected | Banking, Insurance |
January 17, 2025
CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law
Banking, Insurance, Investment Firms
What are my DORA obligations in France?
- Implement ICT risk management framework
- Conduct digital operational resilience testing
- Manage third-party ICT risk
- Report major ICT-related incidents
- Share threat intelligence
Who enforces DORA in France?
Autorité de contrôle prudentiel et de résolution (ACPR)
Official authority websiteDORA in France: what is different here?
In France, DORA supervision for banks and insurers falls to the Autorité de contrôle prudentiel et de résolution (ACPR), which is attached to the Banque de France.
Source: ACPR — Le règlement DORAThe Autorité des marchés financiers (AMF) is the competent authority for DORA in respect of investment firms and asset managers in France.
Source: AMF — DORADORA has applied in France since 17 January 2025, requiring in-scope financial entities to report major ICT-related incidents to their competent authority.
Source: ACPR — Le règlement DORAWhat are the DORA penalties for France organisations?
DORA's penalty regime (Article 50) is unusual in the EU regulatory landscape: rather than a one-off maximum fine, it authorises national competent authorities and ESAs to impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of 6 months. For designated critical ICT third-party service providers, the ESAs can directly impose periodic penalties. Member States must ensure penalties are 'effective, proportionate and dissuasive'.
Periodic penalty payments for ongoing non-compliance — financial entities
Up to 1% of average daily worldwide turnover per day, for up to 6 monthsPeriodic penalty payments for critical ICT third-party service providers (CTPPs) — imposed directly by ESAs
Up to €5,000,000 or 1% of average daily worldwide turnover per day, for up to 6 monthsWhat is the maximum DORA fine?▼
DORA does not specify a single maximum fine amount. Instead, it authorises periodic penalty payments of up to 1% of a financial entity's average daily worldwide turnover per day of non-compliance, for a maximum of 6 months. For a firm with €1B annual turnover, this could reach approximately €16M over 6 months.
Who enforces DORA?▼
National competent authorities (NCAs) designated by each Member State enforce DORA for financial entities under their supervision. For critical ICT third-party service providers, the European Supervisory Authorities (EBA, EIOPA, ESMA) enforce DORA directly through the Joint Oversight Committee.
Does DORA apply to non-financial companies?▼
DORA applies only to financial entities as defined in Art. 2, plus their critical ICT third-party service providers. Non-financial companies that are ICT service providers to banks or insurers may be designated as critical and become subject to DORA's oversight regime.
Common DORA compliance questions
What are the DORA compliance requirements for fintech?▼
DORA (Regulation 2022/2554) applies to financial entities and their ICT third-party providers from January 2025. Core requirements: (1) ICT Risk Management framework (Articles 5–16) with documented policies and regular testing; (2) ICT-related incident classification and reporting to competent authorities within 4 hours for major incidents; (3) Digital Operational Resilience Testing including penetration testing every three years for significant institutions; (4) Third-party ICT risk management with DORA-compliant contractual clauses; (5) Register all critical ICT third-party providers with the relevant authority. Fintech companies under MiFID II, PSD2, or e-money licensing are in scope.
Does DORA apply to small fintech startups in the EU?▼
DORA applies to all financial entities as defined in Article 2, including payment institutions, e-money institutions, investment firms, and crypto-asset service providers (CASPs), regardless of size. Proportionality provisions in Article 4 allow microenterprises — fewer than 10 employees and under €2M annual turnover — to implement a simplified ICT risk management framework. However, incident reporting obligations (Article 19) and third-party ICT risk management requirements apply to all in-scope entities regardless of size. A fintech startup that has obtained a PSD2 payment institution licence, an e-money licence, or a MiCA CASP authorisation is in scope for DORA from January 2025.
What are DORA's ICT incident reporting requirements?▼
DORA Article 19 requires financial entities to classify and report major ICT-related incidents to their national competent authority (NCA) — e.g., BaFin for German banks, ACPR for French institutions, DNB for Dutch entities. The reporting timeline is: an initial notification within 4 hours of classifying the incident as major (or 24 hours from first detection); an intermediate report within 72 hours; and a final report within one month. An incident is classified as major based on criteria including number of clients affected, service downtime, geographic spread of impact, and data loss. Financial entities must also voluntarily notify NCAs of significant cyber threats that have not yet caused an incident.
What is a DORA-compliant ICT risk management framework?▼
A DORA-compliant ICT risk management framework (Articles 5–16) must include: a documented ICT strategy endorsed by the management body; an ICT asset register covering hardware, software, and data; a business impact analysis for critical functions; a business continuity and disaster recovery plan with tested RTO/RPO targets; regular ICT security testing including vulnerability assessments (annually for all entities) and threat-led penetration testing every three years for significant institutions; and access control policies with privileged account management. The framework must be reviewed annually and after any major ICT incident. Management bodies are personally responsible for compliance and must maintain sufficient ICT knowledge.
Does DORA apply to your France business?
Find out in 2 minutes with our free regulation checker.
Check now — freeDORA compliance in other EU countries
Check Your Compliance Obligations
Find out which DORA obligations apply to your France organisation in under 2 minutes.
Explore DORA Compliance
For informational purposes only. This is not legal advice — consult qualified legal counsel.