DORA Lawyer - Cybersecurity

The European regulation on digital operational resilience for the financial sector, also known as the “DORA Regulation” (Digital Operational Resilience Act), is a European Union initiative aimed at strengthening the digital resilience of financial sector players.


With the rise in cyber threats and attacks targeting critical infrastructure, DORA imposes strict obligations to ensure the security of information systems and guarantee the continuity of essential services. Being supported by a cybersecurity lawyer is becoming essential!

DORA entered into application on 16 January 2023, but the entities concerned have a transition period until 17 January 2025 to fully comply with its requirements. This period is intended to allow companies to review their internal policies, update their contracts, and ensure that all measures necessary for compliance are in place.

DORA is not merely a legal framework: it establishes standards that affect not only financial institutions but also their information and communication technology (ICT) service providers.

As a result, the companies concerned must not only comply with the technical requirements but also ensure that their contracts, internal practices, and security policies meet these new standards.

The main aspects of the DORA regulation:

The DORA regulation seeks to ensure that financial sector players, as well as their ICT service providers, can prevent, withstand, and quickly recover from IT incidents. This framework rests on several essential pillars that impose specific obligations:

  • ICT risk management (Chapter II of the regulation): Financial entities must implement robust policies to identify, assess, and manage risks related to information and communication technologies. Regular assessment makes it possible to detect vulnerabilities and define appropriate strategies to minimise risks.
  • Oversight and obligations towards third-party providers (Chapter V of the regulation): Increased vigilance is required in managing contracts with ICT service providers. Companies must structure their contracts in such a way as to ensure that their suppliers comply with the security standards set out by DORA. This includes bringing into compliance the clauses relating to operational resilience and the continuity of critical services.
  • Mandatory incident reporting (Chapter III of the regulation): Major ICT-related incidents must be reported to the competent authorities within strict deadlines to enable a swift and coordinated response. Putting in place effective reporting mechanisms is essential to meet these obligations.
  • Digital resilience testing (Chapter IV of the regulation): Regular tests must be carried out to ensure that information systems are able to withstand cyberattacks and major disruptions. These exercises help improve the overall robustness of digital infrastructures.

Specialised legal support can help analyse each of these requirements in detail and ensure optimal compliance with the DORA regulation.

Key steps for effective compliance with a DORA lawyer:

Achieving compliance with the DORA regulation requires a structured approach. A lawyer can guide you through the following steps:

  • Initial audit: Assess the current state of your practices and identify the gaps with DORA’s requirements. To do so, provide auditors with evidence of your compliance efforts; plan frequent control points to avoid sanctions; develop mechanisms to manage future audits autonomously.
  • Planning corrective actions: Draw up a detailed plan to remedy the identified shortcomings, prioritising critical aspects such as systems security and risk management.
  • Team training: Raise your staff’s awareness of DORA’s obligations to ensure effective and lasting implementation of the new policies.

However, compliance with the DORA regulation is not limited to an initial implementation: it requires continuous monitoring and regular adjustments to stay in line with the requirements. This involves several essential actions.

First of all, it is necessary to analyse regulatory developments, as the DORA regulation may be amended or clarified by delegated acts, such as the RTS (Regulatory Technical Standards). A lawyer ensures that your company remains up to date on these changes.

Next, putting in place a monitoring plan is crucial in order to incorporate regular controls aimed at ensuring the compliance of processes, policies, and contracts.

Finally, you should prepare for external audits, which involves organising the required documents and effectively structuring responses to regulators’ questions.

Practical tips for succeeding in compliance assessments:

  1. Document all your actions: Keep a written record of risk management policies, reported incidents, and the results of digital resilience tests.
  2. Set up dashboards: Track your compliance indicators in real time to quickly identify any gaps.
  3. Train your teams: Raise your staff’s awareness of DORA’s requirements so that they can respond effectively to audits.

Benefits of legal support for DORA compliance:

Complying with the DORA regulation is a crucial step in protecting your company against cyber threats and ensuring the resilience of your digital operations. However, this compliance can be complex and may require specific skills. Engaging a lawyer offers several advantages:

  • Time savings: The lawyer handles the legal and contractual aspects, allowing you to focus on your operational priorities.
  • Regulatory expertise: A lawyer masters DORA’s technical and legal requirements, ensuring full compliance.
  • Anticipating risks: They identify potential vulnerabilities and propose solutions tailored to your sector.

The DORA regulation concerns highly technical and legal areas, in particular cybersecurity and ICT risk management. A lawyer trained in financial and digital regulation understands the specific challenges of the financial sector and can tailor their advice to your unique needs.

➡️ Proactive compliance with DORA is essential to avoid sanctions and ensure the continuity of your operations. Contact a lawyer for a tailored audit.

To learn more

What is the DORA regulation?

DORA (Digital Operational Resilience Act) is the European regulation that strengthens the digital operational resilience of the financial sector. Faced with cyber threats, it imposes strict obligations to secure information systems and guarantee the continuity of the essential services of financial players and their IT providers.

Since when has DORA applied?

DORA entered into application on 16 January 2023, with a transition period until 17 January 2025 to allow the entities concerned to fully comply. This period was intended to give them time to review their internal policies, update their contracts, and roll out the necessary compliance measures.

On which pillars does the DORA regulation rest?

DORA rests on several pillars: the management of risks related to information technologies, the oversight and supervision of third-party providers, the mandatory reporting of major incidents to the authorities, and regular digital resilience testing. Together, they aim to prevent, withstand, and recover from IT incidents.

Does DORA concern IT providers?

Yes. DORA targets not only financial institutions but also their ICT service providers. Financial entities must structure their contracts to ensure that their suppliers comply with DORA’s security and resilience standards. Providers are therefore directly impacted by this regulation.

What risk management obligations does DORA impose?

Under Chapter II, financial entities must implement robust policies to identify, assess, and manage risks related to information technologies. Regular assessment makes it possible to detect vulnerabilities and define strategies to minimise them. The governance of this risk falls to senior management.

Must IT incidents be reported under DORA?

Yes. Chapter III of DORA requires the reporting of major ICT-related incidents to the competent authorities, within strict deadlines, to enable a swift and coordinated response. Entities must put in place effective detection and notification mechanisms to meet these reporting obligations.

What is digital resilience testing under DORA?

Chapter IV of DORA requires regular tests to verify that information systems can withstand cyberattacks and major disruptions. These exercises, sometimes advanced for critical players, help strengthen the robustness of infrastructures and identify weaknesses before a real incident reveals them.

Why seek support for DORA compliance?

Because DORA is a cross-cutting undertaking, at the intersection of legal, IT, and compliance matters, with a heavy contractual dimension (bringing provider contracts into compliance). A cybersecurity lawyer analyses each requirement, structures the compliance project, and secures contracts, so that you achieve compliance without carrying the regulatory risk yourself.
