Finance & cybersecurity

DORA compliance

DORA (Digital Operational Resilience Act) is a European regulation adopted in 2022 and implemented in January 2025. It aims to strengthen the cybersecurity resilience of financial entities.

Book a demo

Who is DORA for?

All 22,000 companies

linked to the financial sector: providers of credit services, payment services, crypto-assets, insurance, reinsurance, intermediaries, pension funds, etc.

The only exception

concerns very small companies with fewer than 10 employees and annual sales of less than €2 million.

Why DORA regulations?

DORA focuses on resilience applied to cybersecurity, listing pragmatic criteria and recommendations.

All financial institutions use computers and process data. An uncontrolled cybersecurity incident can lead to financial disaster (such as the recent hacking of FTX, a crypto-currency exchange), which is why the EU drafted DORA.

What are DORA's objectives?

The financial sector is already regulated by the European Central Bank, but the requirements, their application and interpretation remain local. The aim of DORA is to unify the rules with a common level of security, and help companies to :

  • Identify assets and business risks

  • Protect information systems to ensure delivery of critical infrastructure services

  • Detect cybersecurity events

  • Respond to incidents, support recovery activities and improve the situation

  • Recover and restore affected systems

What are the DORA requirements?

  • Permanent detection of vulnerabilities: this is also what Patrowl does by constantly rediscovering and monitoring companies' external attack surface (assets exposed to the Internet).

  • Service resilience with a Business Continuity Plan (BCP) and crisis management process that must be tested and updated.

  • Classify and adapt cybersecurity incidents to limit their spread and impact, and share knowledge with peers and regulators.

  • Risk management and governance to limit the disruption caused by a cybersecurity incident

  • Real consideration of the cybersecurity of third parties (suppliers) through risk analysis, control and audit.

  • Sharing intelligence between financial organizations.

  • Ongoing detection of cybersecurity incidents.

Solution & platform for Dora regulation

Patrowl is fully compliant with DORA's continuous asset monitoring requirements thanks to its SaaS solution.

Discover Patrowl

Going further with DORA?

To find out more about DORA, read Marc-Antoine LEDIEU's articles detailing the issues, implications and consequences of the DORA law:

Read more

Your questions:

How can I avoid DORA compliance penalties?

  • Anticipation: Start now to make your systems and processes compliant.

  • Training: Make your teams aware of DORA requirements.

  • Partnership: Collaborate with cybersecurity providers or digital resilience experts to ensure compliance.

What are the penalties for non-compliance with DORA?

The DORA provides for significant penalties for financial entities that fail to comply with its obligations. Sanctions may vary according to national regulations, but include:

Financial fines

  • Fines proportionate to the seriousness of the non-compliance.

  • These fines can be calculated on the basis of annual sales, as is often the case with similar regulations (e.g. RGPD).

Operational restrictions

  • Temporary or permanent ban on providing certain financial services.

  • Limitation of activities if digital risks are not controlled.

Administrative sanctions

  • Injunctions to comply with requirements within a specified period.

  • Appointment of an external auditor to monitor compliance.


    Reputational damage

  • Non-compliance could lead to a loss of confidence on the part of customers, investors and partners.

How can I assess my compliance with DORA?

a) Understand DORA's Requirements

Identify the specific obligations based on your sector and size. These obligations include:

  • Governance: Establishing a digital resilience strategy.

  • Risk Management: Identifying, managing, and mitigating risks related to ICT (Information and Communication Technology).

  • Resilience Testing: Regularly conducting tests to evaluate the robustness of systems.

  • Third-Party Management: Monitoring risks associated with critical ICT service providers.

  • Incident Reporting: Implementing a mechanism for the prompt reporting of major incidents.

b) Conduct an Internal Audit

Evaluate the following:

  • Is your ICT governance aligned with DORA standards?

  • Do you have a business continuity and disaster recovery plan?

  • Have your systems and processes been tested for resilience against critical scenarios?

c) Implement Controls

  • Identify gaps between current practices and DORA requirements.

  • Implement controls to address these gaps.

  • Document the processes and policies adopted.

d) External Testing

Engage an independent organization to evaluate your systems, or conduct simulation exercises with external experts (such as Patrowl).

e) Continuous Monitoring

DORA requires ongoing monitoring of ICT systems. This involves:

  • Regular reports on digital incidents.

  • Updates to policies and processes in response to emerging threats.

Our latest news

See more news