DORA: A New Pillar of Digital Resilience

The financial sector must step up its regulatory resilience efforts to maintain trust and stability in its ecosystems. With the rise of cyber threats and increasing interconnectivity among players, digital risk management has become a top priority.

This is where regulators step in, multiplying regulations to meet the demands of an increasingly complex digital environment. Among them is the Digital Operational Resilience Act (DORA), which came into effect on January 17, 2025. This groundbreaking regulation standardizes security requirements across the European financial sector, enforcing a unified approach to risk management, third-party oversight, and business continuity.

But DORA goes beyond mere compliance—it offers a strategic opportunity to turn cybersecurity into a true driver of resilience and innovation.
Whether you are a bank, an insurance company, an asset management firm, or a technology provider, successfully implementing DORA is essential for ensuring lasting compliance—even in the face of evolving regulations. This guide provides a detailed analysis of DORA’s challenges, practical implementation advice, and a strategic outlook, helping you leverage it as a competitive advantage.

What will you find in this white paper?

  • The rise of new threats: sophisticated cyberattacks, increased reliance on external providers, and an evolving regulatory landscape.
  • An evolving compliance approach: how to integrate DORA’s deployment into a broader strategy, drawing on GDPR lessons while preparing for future regulations such as the Cyber Resilience Act.
  • A practical guide to DORA: breakdown of requirements, operational recommendations, and key steps for successful compliance—plus insights into persistent pain points for banks post-implementation.

Featuring insights from our Sopra Steria experts:

  • Erwan Brouder, Deputy Director of Cybersecurity, Sopra Steria
  • Marine Lecomte, Head of Offerings and Innovations, Financial Services Vertical, Sopra Steria

With a special guest:

  • Wilfried Lauber, Chief Information Security Officer, Amundi Asset Management

Download our white paper and discover how to turn DORA into a strategic asset for your organization!


Testimonies

DORA: Strengthening TLPT for Cyber Resilience

DORA requires financial institutions to enhance their ICT audit and testing frameworks, ensuring thorough logging, access controls, and advanced threat-led penetration testing (TLPT) strategies. Experts from Addleshaw Goddard and Sopra Steria emphasize the need for skilled auditors, proactive cybersecurity, and realistic threat simulations. By leveraging threat intelligence and red teaming, institutions can stay ahead of cyber risks and ensure compliance with evolving regulatory standards.

[Julien Bacus: Partner, finance at Addleshaw Goddard] In their contractual arrangements with ICT providers, financial institutions shall ensure that they include provisions governing access rights, inspection and audit. These provisions must detail the areas to be audited, the standards to be applied and the frequency of such audits. These requirements are similar to the outsourcing requirements which already applied before DORA.

However, DORA is not a "cut and paste" of these provisions and goes further than the existing regulatory guidance. Subject to a limited exemption, DORA requires verification that auditors appointed to perform audits of ICT services of high technical complexity have the appropriate skills and knowledge. Even if DORA is a regulation directly applicable in all member states, please note that the certification of auditors is dealt with at national level. The harmonization sought by DORA is actually not complete in this respect. From a practical perspective, financial institutions need to have a clear picture of their own risks, but also of the risks that ICT providers may create. This is an extensive exercise which imposes new obligations on financial institutions.

[Ludovico Ninotti: Threat Intelligence Analyst, Sopra Steria] At Sopra Steria, our European reach enables us to have the appropriate local skills as required by DORA, to fulfil those strong audit and test requirements. In our view, cybersecurity is not just about reacting to threats, it is rather about staying ahead of a fast-evolving cyber threat landscape. Now the question is: how do we do that? How do we reach this ambitious objective? We do that by leveraging the cooperation between threat intelligence and the red team, which becomes essential in the context of DORA activities. Threat intelligence collects huge amounts of data from different sources about attack patterns and techniques used by threat actors that specifically target the financial sector.

Once all this info has been analyzed and structured, it is passed on to the red team, which uses this info, stored as intelligence, to build realistic threat attack scenarios based on the most relevant threats and customized to your environment. So let us turn intelligence into resilience so that you are always prepared for whatever comes next in the future.

DORA: Secure your ICT contracts for optimal resilience

DORA mandates financial institutions to strengthen ICT contracts, ensuring resilience in digital operations. Experts from Addleshaw Goddard and Sopra Steria highlight the need for clear risk-based provisions, collaboration across stakeholders, and regular crisis management exercises. While compliance is key, turning contract terms into actionable security measures is essential. Banks must support subcontractors in meeting stringent standards for a secure and robust ecosystem.

[Elisabeth Marrache - Partner, IP/IT and Data protection at Addleshaw Goddard] DORA highlights the necessity of managing relationships with third parties to ensure digital resilience for financial institutions. One of the key requirements under this regulation is to formally outline ICT-related risks in contracts.

The contracts must in particular include provisions on availability, authenticity, integrity, and confidentiality of data, including personal data. Additional provisions must also be provided in contracts covering critical or important functions. In practice, we find that clients have mostly adopted a risk-based approach, focusing on dealing with their key in-scope ICT service providers. However, this analysis is no walk in the park, mainly because DORA requires financial institutions to verify that their ICT third-party service providers meet specific information security standards - a requirement that could be particularly burdensome for some smaller ICT service providers. Thus, collaboration among all stakeholders involved in the process, not just the legal teams, becomes necessary in order to offer pragmatic and tailored solutions that meet each party's concerns and requirements.

[Erwan Brouder: Deputy head of cyber-security business unit at Sopra Steria] To operationalize DORA, banks and subcontractors must move beyond compliance and turn contract terms into actionable realities. Clear agreements on resilience standards must be defined upfront. Both banks and subcontractors need to engage in regular crisis management exercises to test response strategies, identify gaps, and refine their coordinated actions. Although banks are now mostly focused on reviewing contracts with their critical subcontractors, they must recognize that all ICT suppliers are included in DORA's scope.

Banks can then play a vital role by providing clear guidelines on resilience, offering frameworks, tools, and best practices that help subcontractors meet DORA's stringent requirements. Moving hand in hand is in the best interest of both parties, as it enables shared expertise and resources, ensuring a robust, compliant and secure operational environment for all. This is our vision at Sopra Steria, and something we promote with our clients and their ecosystem of suppliers.

DORA: Mastering the Register for Compliance

Under DORA, financial institutions must maintain a comprehensive ICT register, crucial for identifying critical third-party providers within the EU financial system. Experts from Addleshaw Goddard and Sopra Steria outline the regulatory challenges, tight compliance deadlines, and the complexity of the 15 data tables and 116 controls required. With enforcement set as a top priority for 2025, firms must focus on data quality and readiness to meet stringent reporting obligations.

[Pierre Mathé, Senior associate, finance, Addleshaw Goddard] Financial institutions shall maintain and update a register of information, containing information on all ICT contractual arrangements provided by third-party providers. Such a register is of paramount importance, as the European supervisory authorities will use the data from the register to inform which third-party providers should be designated as critical to the EU financial system.

The first designations are expected in the second half of 2025. The first version of this ITS was rejected by the Commission in September and finally adopted in December. This delay creates additional difficulties for financial institutions in their DORA compliance roadmap. In practice, the ESAs want the registers by 30 April 2025, so national regulators are asking firms to submit the registers they will collect at national level before that date. Please note that regulators have clearly indicated that the compliance of the register of information will be a top enforcement priority in 2025.

[Vincent Lefevre, Director, Sopra Steria Next – Regulatory Tribe] In this challenging context, Sopra Steria may assist in designing solutions to help entities manage their register of information, ensuring efficient and accurate data submission to the competent authorities. From a practical point of view, the ITS final version defined a set of 15 data tables to be produced, on which more than 116 controls will be performed. In response to the concerns raised by this new reporting system, the regulator decided to set up a full dry-run exercise on 1,000 financial entities. Viewed from the regulator's side, the conclusion of the test is optimistic. But it still demonstrates that the objectives are very ambitious and require a significant workload for impacted entities.

To date, less than 7% of participants have passed all their entry checks. The ESAs have provided numerous tools to facilitate implementation of the register. They also streamlined the process by confirming that the technical ID to input in the reporting could be the LEI, already largely used. Financial entities now need to prepare the first declaration. Regulators already confirmed that the priority has to be given to data quality rather than to completeness. Thanks to our data experience, we, at Sopra Steria, are ready to work side by side with our clients and help them solve operational issues to align with the DORA requirements.