DORA is no longer coming — it is enforced
DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 to a broad range of financial entities: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, management companies and more. Being a regulation, it applies directly, with no national transposition. French supervisors treated 2025 as a year of support and first targeted controls; 2026 marks the shift to in-depth compliance audits.
Who supervises DORA in France
Two authorities share supervision: the ACPR (banking and insurance) and the AMF (markets and asset management), each for the entities under its remit. For threat-led penetration testing, France runs a joint TIBER cyber team, the TCT-FR, which brings together the Banque de France, the ACPR and the AMF.
The five pillars — and the documents behind them
| Pillar | Core obligation | Documents expected |
|---|---|---|
| ICT risk management | Governance framework approved by the management body | ICT risk policy, security policies, asset mapping |
| Incident management | Classify and notify major ICT incidents | Incident response policy, classification grid, notification runbook |
| Resilience testing | Regular testing; TLPT for designated entities | Test programme, TLPT scoping, remediation plans |
| Third-party ICT risk | Contract clauses + register of information | Vendor security policy, exit strategies, RoI |
| Information sharing | Optional threat-intel sharing arrangements | Sharing agreements |
The register of information (RoI)
Every DORA entity must maintain a register of information covering all its contractual arrangements for ICT services provided by third-party providers, distinguishing those that support critical or important functions from those that do not. Under ACPR instruction 2025-I-12, entities within its remit submit the RoI to the ACPR; the data feeds the European supervisory authorities' designation of critical ICT third-party providers (major cloud platforms among them), which then fall under direct EU-level oversight. In practice the RoI is the single most labour-intensive DORA deliverable for mid-sized entities: it demands a complete inventory of ICT suppliers, the functions each one supports, and a criticality rating for each arrangement, kept current as contracts change.
TLPT and TIBER-FR
Entities designated by their TLPT authority (Banque de France, ACPR or AMF) must run threat-led penetration tests at least every three years, following the TIBER-EU framework implemented nationally as TIBER-FR. These are intelligence-led red-team exercises against live production systems supporting critical or important functions, framed by the TCT-FR, with the entity's defenders not informed in advance. That is a different discipline from an annual pentest, and one that presupposes mature incident response, detection and logging, since the exercise is assessed on whether the attack is noticed and contained, not only on whether it succeeds.
What a mid-sized entity should have ready for 2026
- An ICT risk-management framework approved by the board — DORA holds the management body responsible.
- An incident classification and notification process aligned with the DORA timelines and templates: initial notification within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
- The register of information, complete and submittable.
- Contract remediation: DORA-compliant clauses (audit rights, exit, subcontracting) in every ICT contract.
- Evidence of testing — even before any TLPT designation, a documented test programme is expected.
Primary sources
- Regulation (EU) 2022/2554 (DORA) — full text on EUR-Lex (eur-lex.europa.eu/eli/reg/2022/2554/oj).
- ACPR — DORA FAQ and instruction 2025-I-12 (acpr.banque-france.fr).
- AMF — DORA resources (amf-france.org).
- Banque de France — TIBER-FR national implementation guide (banque-france.fr).
How PolicyForge helps
PolicyForge generates the documentary layer DORA auditors ask for first — ICT risk policy, incident response with notification steps, vendor security with exit considerations, access control, logging — bilingual and versioned. Start free →