Are you a financial institution that needs to comply with DORA?

Let us manage your DORA compliance

NETSYSTEM will support you step by step through the DORA audit and your compliance, with a tailor-made approach combining cybersecurity, IT risk management, governance and audit.

Your personalised DORA quote

The 5 pillars of DORA

Since January 2025, the DORA regulation has required financial entities to strengthen their digital operational resilience across 5 pillars.

ICT governance and risk management
  • Managers must demonstrate a strong commitment to managing ICT-related risks.
  • Mandatory implementation of a risk management framework: policies, procedures, mapping, indicators, control processes.
  • Integration into the company’s global strategy.
Incident management
  • Implementation of a formalised process for detecting, classifying, managing and communicating incidents.
  • Obligation to notify major incidents to the competent authorities within a short timeframe (similar to NIS2).
  • Keeping an incident register.
Operational resilience tests
  • Obligation to carry out regular vulnerability, intrusion and continuity tests.
  • For certain entities, advanced Threat-Led Penetration Testing (TLPT) is required.
  • Objective: to ensure that systems and continuity plans really work.
Oversight of ICT service providers
  • DORA requires mapping of ICT service providers and rigorous governance of critical contracts.
  • The company remains responsible for its service providers.
  • Obligation to include clauses on security, reversibility, auditing, etc. in contracts.
Sharing information
  • Encouragement (not compulsory) to share information on threats between entities in the sector in order to strengthen the collective posture.
  • Regulated framework to avoid abuse or legal risk.

Why comply with DORA?

What is DORA?

DORA (Digital Operational Resilience Act) is a detailed and comprehensive regulatory framework on digital operational resilience for financial entities.

Its aim is to ensure business continuity in the event of a major digital incident, through improved IT risk management, robust governance and clear requirements for third-party service providers.

Who is DORA for?

The DORA regulations apply to all regulated financial entities: banks, insurers, fintechs, asset management companies, investment firms, information service providers (ISPs), etc.

What are DORA's main challenges?

The main objective is to professionalise IT security for financial entities in order to limit risks and guarantee service continuity.

Main issues:

ICT risk management

  • Digital operational resilience strategy
  • ICT risk management policy
  • Information systems security policy (including physical security, logical security, access management, data and network security, etc.)
  • ICT asset management policy and asset inventory
  • ICT operations management policies and procedures
  • ICT business continuity and disaster recovery policy and plans
  • Security and operational resilience awareness and training

Management and reporting of ICT incidents and cyber threats

  • Classification procedure for ICT incidents and cyber threats
  • Procedure for detecting, preventing and responding to ICT incidents
  • Procedure for reporting major ICT incidents and voluntary notification of significant cyber threats
  • Procedure for reporting aggregated annual costs and losses caused by major ICT incidents
  • Communication plan in the event of an ICT incident

Digital operational resilience testing

  • Digital operational resilience testing programme
  • Operational procedures for conducting tests
  • Procedure for resolving issues highlighted during testing and validating implementation of remediation plans

ICT provider risk management

  • Mapping of ICT services and functions, identification of ICT service providers
  • Policy relating to the use of ICT services supporting critical or important functions (provided by ICT service providers)
  • Register of information on contractual agreements relating to the use of ICT services provided by ICT service providers
  • Exit strategies and plans

What are the risks?

Non-compliance can result in financial penalties, withdrawal of approval or major reputational damage.

But over and above these penalties, the major risk is obviously that the entity’s business will be jeopardised in the event of a cyber attack.

How long does it take to become DORA-compliant?

This depends on your initial level of maturity. On average, it takes between 6 and 12 months to achieve full compliance.

What's the difference between DORA and NIS2?

NIS2 is aimed at broader critical sectors. DORA is specifically designed for the financial sector, with a stronger operational and regulatory focus.

Netsystem supported KERIALIS in its DORA compliance project

KERIALIS, a social protection institution dedicated to the legal and accountancy professions, offers supplementary health, provident, long-term care, end-of-career and retirement benefits, as well as a range of services to support its policyholders on a day-to-day basis.

The organisation wanted to improve its operational resilience by complying with the DORA regulations specific to its business sector and, more generally, to financial services companies.

"KERIALIS was looking for a service provider to help us comply with the requirements of the DORA regulation.
We chose Netsystem because of the speed with which they contacted us, the quality of their discussions and the speed of their response.
NETSYSTEM is an agile organisation with a strong capacity to adapt and experienced CISOs, particularly in the cybersecurity aspects of DORA."

Why choose Netsystem?

  • Proven regulatory expertise (DORA, NIS2, GDPR, ISO 27001)
  • Experience of the financial sector and its constraints
  • Operational and strategic support
  • Certified consultants, proven methodologies
  • Continuous regulatory monitoring and adaptation to changes

DORA is a tremendous opportunity for financial entities to upgrade their cybersecurity and ensure the resilience of their organisation.

The regulation is not limited to a simple compliance framework: it imposes a real transformation in IT governance, critical service provider management, incident preparedness and business continuity.

At NETSYSTEM, we support our customers not only in meeting the requirements of the regulation, but above all in deriving structural benefit from it. Our approach is based on a strategic vision, tried and tested methods, and an ability to make technical issues tangible for business and regulatory departments.

For us, DORA is an opportunity to reinforce digital confidence throughout the financial ecosystem. And that's precisely our role: to build more robust, more transparent and more resilient organisations.