DORA compliance

DORA (Digital Operational Resilience Act) is a European regulation adopted in 2022 and implemented in December 2024. It aims to strengthen the cybersecurity resilience of financial entities.

Who is DORA for?

All 22,000 companies linked to the financial sector: providers of credit services, payment services, crypto-assets, insurance, reinsurance, intermediaries, pension funds, etc.

The only exception concerns very small companies with fewer than 10 employees and annual sales of less than €2 million.

Why DORA regulations?

DORA focuses on resilience applied to cybersecurity, listing pragmatic criteria and recommendations.

All financial institutions rely on IT systems and process data. An uncontrolled cybersecurity incident can lead to financial disaster (such as the recent hacking of FTX, a cryptocurrency exchange), which is why the EU drafted DORA.

What are DORA's objectives?

The financial sector is already regulated by the European Central Bank, but the requirements, their application and their interpretation remain local. The aim of DORA is to unify the rules around a common level of security and to help companies:

  • Identify assets and business risks

  • Protect information systems to ensure delivery of critical infrastructure services

  • Detect cybersecurity events

  • Respond to incidents, support recovery activities and improve the situation

  • Recover and restore affected systems

Solution & platform for DORA regulation

Patrowl is fully compliant with DORA's continuous asset monitoring requirements thanks to its SaaS solution.

What are the DORA requirements?

DORA lists several criteria to be addressed:

  • Risk management and governance to limit the disruption caused by a cybersecurity incident

  • Permanent detection of cybersecurity incidents

  • Service resilience, with a Business Continuity Plan (BCP) and a crisis management process that must be tested and kept up to date

  • Permanent monitoring with pentesting, linked to resilience: this is what Patrowl does with permanent pentesting, Offensive Cybersecurity-as-a-Service, sometimes called Pentest-as-a-Service

  • Permanent detection of vulnerabilities: this is also what Patrowl does by constantly rediscovering and monitoring companies' external attack surface (assets exposed to the Internet)

  • Classify cybersecurity incidents and adapt the response to limit their spread and impact, and share knowledge with peers and regulators

  • Real consideration of the cybersecurity of third parties (suppliers) through risk analysis, control and audit

  • Sharing intelligence between financial organizations