DORA Regulation: notifying major IT security incidents

The DORA Regulation, or Digital Operational Resilience Act, is one of the key pieces of legislation aimed at strengthening the digital resilience of financial entities in the face of growing threats to their infrastructures. With this regulation entering into force on 17 January 2025, IT security incidents must be managed and notified in accordance with strict requirements imposed on financial entities, in particular by the Prudential Supervision and Resolution Authority (ACPR). This regulatory framework raises major questions regarding the definition of major incidents and the effectiveness of notification procedures. Given the issues relating to data security and the proactive management of incidents, it is crucial to explore together the obligations and recommendations arising from this regulation in order to ensure optimal management of crisis situations.

What are the obligations to notify major incidents under the DORA Regulation?

The DORA Regulation imposes strict obligations regarding the notification of major IT security incidents, specifically defined in Article 19 of this legal text. From the date of entry into force, each financial entity must notify any major incident to the Prudential Supervision and Resolution Authority (ACPR) within 4 hours of its classification. It is essential to understand the various stages of this notification:

The obligations to notify major incidents under DORA

Notification stage      Deadline / Requirement
Initial notification    Within 4 hours of the classification of the incident.
Maximum deadline        Within 24 hours of discovery.
Intermediate report     Updates provided as the situation evolves.
Final report            Detailed report required once the root-cause analysis has been completed.
Provided for informational purposes only; does not constitute legal advice.

The definition of a major incident under the regulation is instructive: “An ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity”. This highlights the importance of notification procedures, which must not be taken lightly.

The criteria for classifying a major incident are also supplemented by the Delegated Regulation, thereby introducing new aspects to consider. The clarity of these definitions is paramount in order to avoid biased interpretations when making a notification.

In short, incident management within the framework of the DORA Regulation represents an immense responsibility for financial entities, requiring adequate preparation in order to respond effectively to regulatory requirements and to guarantee data security. A lawyer specialising in software and database law can assist you in bringing your information systems into compliance.

How does the ACPR define the concept of major incidents?

The Prudential Supervision and Resolution Authority (ACPR) plays a crucial role in understanding and defining major incidents within the framework of the DORA Regulation. According to the ACPR, the term “major incident” is not limited to an isolated event but must be understood from a broader, contextual perspective. The authority has established clear criteria that enable entities to better assess the seriousness and potential impact of such incidents.

To classify an incident as major, several factors must be taken into account:

  • Impact on the continuity of critical services: An incident is considered major if it threatens the continuity of operations of essential financial services.
  • Duration of the disruption: An incident causing a prolonged disruption of services may be classified as major.
  • Sensitive information compromised: If sensitive data is exposed or compromised, this reinforces the major nature of the incident.
  • Reaction of stakeholders: The reaction of clients and partners to the incident also influences its assessment.

It is essential to rely on these criteria to ensure a rigorous classification of incidents and thereby avoid any confusion that could undermine the data security of financial entities. This vigilance is all the more important in a context where IT threats are evolving rapidly.

Finally, the ACPR encourages institutions to put in place monitoring and assessment procedures on a regular basis in order to refine their understanding of security incidents and improve their digital resilience. Adopting a proactive approach to incident management will help strengthen the overall security of financial services and ensure better preparedness in the event of an incident.

What recommendations are there for CIOs facing these new requirements?

Given the demanding provisions of the DORA Regulation and the ACPR's tendency to adopt a broad interpretation of the concept of major incidents, it is essential for Chief Information Officers (CIOs) to prepare for the management of numerous potential incidents. This preparation must involve putting in place appropriate and effective measures.

Thus, CIOs, working closely with Chief Information Security Officers (CISOs), must:

  • Formalise an incident classification procedure: This will enable rapid and accurate identification of incidents, thereby facilitating their notification within the prescribed deadlines.
  • Develop an effective notification procedure: Ensure that all relevant authorities, such as the ACPR, the CNIL and ANSSI, are kept informed of each major incident as soon as it occurs. A CNIL lawyer can assist you in setting up these notification procedures and support you in your dealings with the data protection authority.
  • Put in place advanced detection mechanisms: It becomes essential to use monitoring tools to prevent or minimise the impact of security incidents.
  • Review contracts with ICT providers: Ensure that clear clauses on notification deadlines are present in all contracts.
  • Raise staff awareness: Provide regular training to employees in order to develop a culture of security and good practices to anticipate or promptly report an incident.

CIOs must regard these recommendations as a proactive response to the challenges posed by the DORA Regulation. The diligent application of these practices will not only help to meet legal obligations but will also strengthen the digital resilience of organisations in the face of an increasingly omnipresent IT threat.

With these measures in place, financial entities will be better equipped to cope with a constantly evolving environment in which the management and notification of IT security incidents are crucial issues for their protection and their success.

To learn more

What does DORA provide regarding the notification of incidents?

The DORA Regulation requires financial entities to manage and notify major IT security incidents in accordance with strict requirements. This obligation, governed in particular by the ACPR, aims to ensure a swift and coordinated response to threats to financial infrastructures.

Since when has DORA applied to IT incidents?

The DORA Regulation entered into force on 17 January 2025. As from that date, IT security incidents must be managed and notified in accordance with the strict requirements imposed on financial entities, with a view to strengthened operational resilience.

What is a major incident within the meaning of DORA?

DORA distinguishes major incidents, which are subject to mandatory notification, from incidents of lesser seriousness. The classification of a major incident is based on criteria defined by the regulation, relating in particular to the impact on services and data. This classification triggers the notification obligations.

What is the role of the ACPR under DORA?

The Prudential Supervision and Resolution Authority (ACPR) is the competent authority in France for monitoring financial entities' DORA obligations. In particular, it receives notifications of major incidents and ensures compliance with digital operational resilience requirements.

How do you notify a security incident under DORA?

The notification must be made within the deadlines and in accordance with the procedures set by DORA, to the competent authority. It presupposes an internal procedure for detecting, classifying and escalating major incidents, in order to enable a coordinated response that complies with regulatory requirements.

Why is the notification of incidents crucial?

The prompt notification of major incidents enables proactive crisis management and limits the impact on financial services and data. DORA makes it a central obligation, since a coordinated response is essential in the face of growing threats to infrastructures.

What are the consequences of a failure to notify?

Failure to comply with the notification obligations laid down by DORA exposes the financial entity to measures from the competent authority and to penalties. Beyond that, the absence of proactive incident management increases operational risk and exposure to the consequences of a cyberattack.

Is a lawyer useful for DORA compliance regarding incidents?

A cybersecurity lawyer helps to structure procedures for detecting and notifying major incidents, to classify incidents in light of DORA, and to liaise with the ACPR. This support secures crisis management and the compliance of the financial entity.
