By Vyrhak SATH · Founder, NAGASHIELD SECURITY · 10 min read

DORA in France: ACPR, AMF, the register of information and TLPT

How DORA is supervised in France: ACPR and AMF roles, the register of information (instruction 2025-I-12), TIBER-FR threat-led penetration testing, the 2026 shift to in-depth audits — and the documents a financial entity must have ready.

DORA is no longer coming — it is enforced

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 to a broad range of financial entities: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, management companies and more. Being a regulation, it applies directly, with no national transposition. French supervisors treated 2025 as a year of support and first targeted controls; 2026 marks the shift to in-depth compliance audits.

Who supervises DORA in France

Two authorities share the file: the ACPR (banking and insurance) and the AMF (markets and asset management), each for the entities under its remit. For threat-led penetration testing, France runs a joint cyber team — the TCT-FR — bringing together the Banque de France, the ACPR and the AMF.

The five pillars — and the documents behind them

ICT risk management
  Core obligation: governance framework approved by the management body
  Documents expected: ICT risk policy, security policies, asset mapping

Incident management
  Core obligation: classify and notify major ICT incidents
  Documents expected: incident response policy, classification grid, notification runbook

Resilience testing
  Core obligation: regular testing; TLPT for designated entities
  Documents expected: test programme, TLPT scoping, remediation plans

Third-party ICT risk
  Core obligation: contract clauses plus the register of information
  Documents expected: vendor security policy, exit strategies, RoI

Information sharing
  Core obligation: optional threat-intelligence sharing arrangements
  Documents expected: sharing agreements

The register of information (RoI)

Every entity in scope of DORA must maintain a register of information covering all its contractual arrangements with ICT third-party providers. Under ACPR instruction 2025-I-12, entities within its remit submit the RoI to the ACPR; the data feeds the European supervisory authorities’ designation of critical ICT third-party providers (major cloud platforms among them), which fall under direct EU-level oversight. In practice the RoI is the single most labour-intensive DORA deliverable for mid-sized entities: it demands a complete inventory of ICT suppliers, the functions each one supports, and a criticality rating for each arrangement.

TLPT and TIBER-FR

Entities designated by their TLPT authority (Banque de France, ACPR or AMF) must run threat-led penetration tests at least every three years, following the TIBER-EU framework implemented nationally as TIBER-FR. These are red-team exercises against production systems, framed by the TCT-FR — a different discipline from an annual pentest, and one that presupposes mature incident response and logging.

What a mid-sized entity should have ready for 2026

  1. An ICT risk-management framework approved by the board — DORA holds the management body responsible.
  2. An incident classification and notification process aligned with the DORA timelines and templates.
  3. The register of information, complete and submittable.
  4. Contract remediation: DORA-compliant clauses (audit rights, exit, subcontracting) in every ICT contract.
  5. Evidence of testing — even before any TLPT designation, a documented test programme is expected.

Primary sources

How PolicyForge helps

PolicyForge generates the documentary layer DORA auditors ask for first — ICT risk policy, incident response with notification steps, vendor security with exit considerations, access control, logging — bilingual and versioned.

Frequently asked questions

Who supervises DORA in France?

The ACPR for banking and insurance and the AMF for markets and asset management, each for the entities under its remit. For threat-led penetration testing, the Banque de France, ACPR and AMF operate a joint national cyber team, the TCT-FR. 2025 was devoted to support and first targeted controls; 2026 brings in-depth compliance audits.

What is the DORA register of information?

A mandatory register of all contractual arrangements with ICT third-party providers, covering the functions they support and their criticality. Under ACPR instruction 2025-I-12, in-scope entities submit it to the ACPR; the data feeds the EU-level designation of critical ICT third-party providers such as major cloud platforms.

What is TLPT under DORA?

Threat-led penetration testing: red-team exercises against production systems that designated entities must run at least every three years, following the TIBER-EU framework — implemented in France as TIBER-FR under the TCT-FR (Banque de France, ACPR, AMF). Entities are designated by their TLPT authority.

Does DORA apply to fintechs and small financial entities?

DORA covers a broad range of financial entities including payment institutions, e-money institutions and crypto-asset service providers, with proportionality in how measures are applied. Even small regulated entities must maintain an ICT risk framework, incident notification and the register of information.