The DORA Regulation, or Digital Operational Resilience Act (Regulation (EU) 2022/2554), is one of the key pieces of legislation aimed at strengthening the digital resilience of financial entities in the face of growing threats to their infrastructures. With this regulation applying from 17 January 2025, IT security incidents must be managed and notified in accordance with strict requirements imposed on financial entities, under the supervision, in France, of the Prudential Supervision and Resolution Authority (ACPR) in particular. This regulatory framework raises major questions regarding the definition of major incidents and the effectiveness of notification procedures. Given the issues relating to data security and the proactive management of incidents, it is crucial to explore together the obligations and recommendations arising from this regulation in order to ensure optimal management of crisis situations.
The DORA Regulation imposes strict obligations regarding the notification of major IT security incidents, laid down in Article 19 of this legal text. From the date of application, each financial entity must send an initial notification of any major incident to its competent authority (in France, the Prudential Supervision and Resolution Authority (ACPR) for the entities it supervises) within 4 hours of classifying the incident as major, and in any event no later than 24 hours after becoming aware of it. The initial notification is only the first stage: it is followed by an intermediate report and then a final report, each with its own deadline and content, so the reporting process must be understood as a whole rather than as a single alert.
The definition of a major incident under the regulation is instructive: "an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity". This ties the notification obligation to the entity's mapping of its critical or important functions: an entity that has not identified those functions cannot reliably decide which incidents are major, which is why the classification and notification procedures must not be taken lightly.
The classification criteria set out in Article 18 of DORA (clients, financial counterparts and transactions affected, and any reputational impact; duration of the incident and service downtime; geographical spread; data losses affecting availability, authenticity, integrity or confidentiality; criticality of the services affected; economic impact) are further specified and given thresholds by the Delegated Regulation adopted under it. The clarity of these definitions and thresholds is paramount in order to avoid inconsistent interpretations when deciding whether an incident must be notified.
In short, incident management within the framework of the DORA Regulation represents an immense responsibility for financial entities, requiring adequate preparation in order to respond effectively to regulatory requirements and to guarantee data security. A lawyer specialising in software and database law can assist you in bringing your information systems into compliance.
The Prudential Supervision and Resolution Authority (ACPR) plays a crucial role in the practical understanding of major incidents within the framework of the DORA Regulation. According to the ACPR, the term "major incident" is not limited to an isolated event but must be understood from a broader, contextual perspective, taking into account the combination of effects of a single incident or of related incidents. The authority applies the criteria laid down in DORA and its Delegated Regulation, which enable entities to assess the seriousness and potential impact of an incident.
Classifying an incident as major therefore requires assessing several factors together rather than any one in isolation.
It is essential to rely on these criteria to ensure a rigorous classification of incidents and thereby avoid any confusion that could undermine the data security of financial entities. This vigilance is all the more important in a context where IT threats are evolving rapidly.
Finally, the ACPR encourages institutions to put in place monitoring and assessment procedures on a regular basis in order to refine their understanding of security incidents and improve their digital resilience. Adopting a proactive approach to incident management will help strengthen the overall security of financial services and ensure better preparedness in the event of an incident.
Given the demanding provisions of the DORA Regulation and the ACPR's tendency to adopt a broad interpretation of the concept of major incidents, it is essential for Chief Information Officers (CIOs) to prepare for the management of numerous potential incidents, since the 4-hour initial notification deadline leaves no time to design the procedure once an incident has occurred. This preparation must involve putting in place appropriate and effective measures.
Thus, CIOs, working closely with Chief Information Security Officers (CISOs), must prepare detection, classification and escalation procedures in advance:
CIOs must regard these recommendations as a proactive response to the challenges posed by the DORA Regulation. The diligent application of these practices will not only help to meet legal obligations but will also strengthen the digital resilience of organisations in the face of an increasingly omnipresent IT threat.
With these measures in place, financial entities will be better equipped to cope with a constantly evolving environment in which the management and notification of IT security incidents are crucial issues for their protection and their success.
To learn more: frequently asked questions
The DORA Regulation requires financial entities to manage and notify major IT security incidents in accordance with strict requirements. This obligation, governed in particular by the ACPR, aims to ensure a swift and coordinated response to threats to financial infrastructures.
The DORA Regulation applies from 17 January 2025. As from that date, IT security incidents must be managed and notified in accordance with the strict requirements imposed on financial entities, with a view to strengthened operational resilience.
DORA distinguishes major incidents, which are subject to mandatory notification, from incidents of lesser seriousness. The classification of a major incident is based on criteria defined by the regulation and its Delegated Regulation, relating in particular to the impact on services, clients and data, the duration and geographical spread of the incident, and its economic impact. It is this classification that triggers the notification obligations and starts the notification clock.
The Prudential Supervision and Resolution Authority (ACPR) is the competent authority in France for monitoring the DORA obligations of the financial entities it supervises. In particular, it receives notifications of major incidents and ensures compliance with digital operational resilience requirements.
The notification must be made to the competent authority within the deadlines and in accordance with the procedures set by DORA: an initial notification within 4 hours of classification (and no later than 24 hours after becoming aware of the incident), followed by an intermediate report and a final report. It presupposes an internal procedure for detecting, classifying and escalating major incidents, in order to enable a coordinated response that complies with regulatory requirements.
The prompt notification of major incidents enables proactive crisis management and limits the impact on financial services and data. DORA makes it a central obligation, since a coordinated response is essential in the face of growing threats to infrastructures.
Failure to comply with the notification obligations laid down by DORA exposes the financial entity to measures from the competent authority and to penalties. Beyond that, the absence of proactive incident management increases operational risk and exposure to the consequences of a cyberattack.
A cybersecurity lawyer helps to structure procedures for detecting and notifying major incidents, to classify incidents in light of DORA, and to liaise with the ACPR. This support secures crisis management and the compliance of the financial entity.