DORA (Digital Operational Resilience Act) - How to stay compliant?

February 20, 2025
The DORA regulation imposes new requirements on EU financial entities to strengthen their digital operational resilience.

The DORA (Digital Operational Resilience Act) regulation will come into force on 17 January 2025, imposing new requirements on EU financial entities to strengthen their digital operational resilience.

Key calendar

  • Entry into force: January 16, 2023
  • Date of application: January 17, 2025

Who is concerned?

This regulation applies to a wide range of players in the financial sector. Without being exhaustive, here are the main categories:

  • Credit institutions: National Commercial Banks, Cooperative and Mutual Banks, Online Banks, Specialized Credit Institutions
  • Investment firms: Brokerage Firms, Trading Firms, Market Firms, Trading Platforms
  • Insurance companies: Life Insurance, Damage Insurance, Reinsurers, Mutual Insurance
  • Market infrastructures: Stock Exchanges, Clearing Houses, Central Depositaries, Settlement and Delivery Systems
  • Fund managers: Portfolio Management Companies, Alternative Fund Managers, UCITS Managers, Private Equity Managers
  • Crypto service providers: Cryptocurrency Exchanges, Digital Asset Custody Services, Stablecoin Issuers, Digital Wallet Providers
  • Critical ICT providers: Cloud Computing Providers, Data Hosting Services, Security Service Providers, Payment Solutions

Why DORA?

DORA (Digital Operational Resilience Act) was adopted by the European Commission as part of its digital finance strategy.

This regulation responds to the financial sector's growing dependence on digital systems and third-party services, by establishing a unified framework for managing IT risks.

DORA in plain terms

This regulation harmonizes approaches to IT risk management and imposes common requirements in terms of cybersecurity, incident management, resilience testing and the management of third-party ICT service providers.

1. Computer security

The organization must maintain an exhaustive inventory of its IT resources and identify critical systems.

A program of periodic checks must be established, accompanied by precise performance indicators and a preventive maintenance schedule.

2. Incident Management

The notification procedure requires an alert within 2 hours for any major incident, followed by a preliminary report within 24 hours and a complete file within 30 days.

Critical incidents (interruption >30 minutes, data compromise, cyberattacks) require immediate reporting to the competent authorities.

3. Test program

The institution must conduct regular security assessments of critical applications and validate business continuity plans.

Crisis simulations and recovery tests must be carried out periodically, with validation by independent auditors.

4. Management of service providers

A rigorous evaluation of service providers is required, including the analysis of their financial strength and security arrangements.

Continuous monitoring of their performance must be ensured, complemented by annual audits and a documented reversibility plan.

5. Protective measures

The infrastructure must incorporate enhanced authentication and strict access management.

Sensitive data must be encrypted, the network architecture secured, and a robust backup system put in place. Ongoing monitoring of the systems is mandatory.

Possible sanctions

  • Up to 2% of annual turnover
  • Compliance injunctions
  • Possible suspension of activity
  • Publication of sanctions

Identity and strong authentication with DORA

With regard to authentication, the DORA regulation imposes specific requirements on financial entities to strengthen the security of their systems. Here are the main specificities:

  1. Establishment of strong authentication mechanisms: Businesses must implement protocols and procedures relating to strong authentication mechanisms.
  2. Access rights control policy: A detailed policy should be developed, documented, and implemented to manage access to ICT assets.

This policy should include:

  • Allocation of access rights based on the principles of need to know, need to have, and least privilege, including for remote access and emergency access.
  • A segregation of duties to prevent unwarranted access to critical data.
  • User liability provisions, limiting the use of generic or shared accounts.
  • Account management procedures for granting, modifying, or revoking access rights.

  3. User identification: Businesses must ensure that users are identifiable at all times for actions carried out in ICT systems.
  4. Access restrictions: Controls and tools should be in place to prevent unauthorised access to ICT assets.
  5. Physical access control: Measures should be taken to control physical access to ICT assets.
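The access-rights policy points above (least privilege, segregation of duties, no generic accounts, granting and revoking rights, identifiable users), as an added Python example that is not ShareID's code and not anything DORA prescribes; the roles, assets and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed, hypothetical policy data: each role grants a minimal
# set of (ICT asset, action) pairs, i.e. need to know / least privilege.
ROLE_GRANTS = {
    "payments-operator": {("core-banking", "submit-transfer")},
    "payments-approver": {("core-banking", "approve-transfer")},
    "break-glass": {("core-banking", "approve-transfer"), ("backup-vault", "restore")},
}
# Segregation of duties: one user may never hold both roles of a pair.
SOD_CONFLICTS = [{"payments-operator", "payments-approver"}]
# Generic or shared accounts are never authorised, whatever their roles.
GENERIC_ACCOUNTS = {"admin", "root", "shared-ops"}

@dataclass
class User:
    user_id: str
    roles: set
    revoked: bool = False

def sod_violation(roles: set) -> bool:
    """True if the role set contains a segregation-of-duties conflict."""
    return any(pair <= set(roles) for pair in SOD_CONFLICTS)

def assign_roles(user: User, roles: set) -> User:
    """Granting/modifying rights: refuse combinations that break segregation of duties."""
    new_roles = set(user.roles) | set(roles)
    if sod_violation(new_roles):
        raise ValueError(f"SoD conflict for {user.user_id}: {sorted(new_roles)}")
    user.roles = new_roles
    return user

def revoke(user: User) -> User:
    """Revocation: rights disappear at once; the identity stays for the audit trail."""
    user.revoked, user.roles = True, set()
    return user

def authorize(user: User, asset: str, action: str, emergency: bool = False) -> dict:
    """Decide one access request; the returned record names the individual user
    so that every action on the asset stays attributable."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "user": user.user_id,
              "asset": asset, "action": action, "emergency": emergency}
    if user.user_id in GENERIC_ACCOUNTS:
        return {**record, "allowed": False, "reason": "generic or shared account"}
    if user.revoked:
        return {**record, "allowed": False, "reason": "rights revoked"}
    # Emergency access uses the named break-glass role, never a bypass flag alone,
    # and is marked in the record so it can be reviewed afterwards.
    roles = user.roles if emergency else user.roles - {"break-glass"}
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if (asset, action) in granted:
        return {**record, "allowed": True, "reason": "emergency grant, review" if emergency else "role grant"}
    return {**record, "allowed": False, "reason": "no grant for this asset/action"}
```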

For more information or assistance in your DORA compliance, do not hesitate to contact us.

Financial firms should prepare now for DORA, the new European digital resilience regulation, as achieving compliance by January 2025 requires significant changes to their systems and processes.

ShareID meets these regulatory requirements thanks to its strong MFA 3.0 authentication and its ZTZKP (Zero Trust Zero Knowledge Proof) technology.

Our solution secures data exchanges without storage and with advanced encryption, allowing precise access control while ensuring compliance with DORA standards.

Do not hesitate to contact us to find out more about supporting your compliance.

Regulatory mapping (regulation, key requirement, ShareID response, result for you):

DSP2 (PSD2) – Directive (EU) 2015/2366 + RTS SCA (EU 2018/389) (source: Directive (EU) 2015/2366)
  • Key requirement: Strong customer authentication (SCA) mandatory (art. 97), with dynamic linking (art. 5 RTS) and independence of factors (art. 9 RTS).
  • ShareID response: Full IDV: identity document authentication + biometrics (liveness detection); MFA 3.0: strong identity-based re-authentication (Full IDV + MFA 3.0).
  • Result for you: Immediate SCA compliance; smooth user experience, strengthened security.

DSP3 (PSD3) / Payment Services Regulation (draft) (source: Delegated Regulation (EU) 2018/389); entry into force expected in 2025/2026
  • Key requirement: Articles 85–89: consolidation of SCA, accessibility rules, clarification of exemptions.
  • ShareID response: Full IDV: identity document authentication + biometrics (liveness detection); MFA 3.0: strong identity-based re-authentication. Solution already aligned with biometric journeys and exemptions (MFA 3.0).
  • Result for you: Anticipate future changes without a heavy overhaul.

DORA – Regulation (EU) 2022/2554 (source: Regulation (EU) 2022/2554)
  • Key requirement: Strong authentication to protect critical systems and data (art. 9(4)(d)); strict framework for information and communication technology providers (art. 28–30).
  • ShareID response: MFA 3.0: strong identity-based re-authentication; integrable via SDK/API (iOS, Android, Web), full traceability (MFA 3.0).
  • Result for you: Securing of critical information systems; compliance demonstrable to supervisors.

eIDAS (EU 910/2014) + implementing act 2015/1502 (source: Regulation (EU) 910/2014)
  • Key requirement: Assurance levels low / substantial / high; multi-factor encouraged for the substantial and high levels.
  • ShareID response: Document authentication + biometrics (liveness detection) (Full IDV).
  • Result for you: Evidential value close to an in-person check.

eIDAS 2 – Regulation (EU) 2024/1183 (source: Regulation (EU) 2024/1183)
  • Key requirement: EUDI Wallets will have to operate at a high level of assurance, with selective attribute sharing.
  • ShareID response: MFA 3.0: strong identity-based re-authentication; integrable via SDK/API (iOS, Android, Web), full traceability (MFA 3.0).
  • Result for you: Smooth integration of the future European wallets.

MiCA – Regulation (EU) 2023/1114 (source: Regulation (EU) 2023/1114)
  • Key requirement: Crypto-asset service providers must apply KYC/AML obligations (Directive 2015/849); art. 76 imposes enhanced CDD (customer due diligence) for certain platforms.
  • ShareID response: Document authentication + biometrics (liveness detection) = anti-deepfake and anti-spoofing (Doc IDV or Full IDV).
  • Result for you: Drastic reduction in fraud; crypto-AML compliance.

ETSI TS 119 461 (V2.1.1, 2025) (source: European standard)
  • Key requirement: Remote identity verification in 5 steps (initiation → collection → validation → binding → result). Liveness and anti-spoofing mandatory for remote journeys.
  • ShareID response: Complete enrolment: document authentication + biometrics (liveness detection); algorithms trained on a database of genuine and forged documents from the Gendarmerie Nationale (Full IDV).
  • Result for you: Robust KYC enrolment, recognised evidential value.

FIDA – Financial Data Access (draft) (source: European Commission proposal)
  • Key requirement: Explicit, traceable and revocable consent via dashboards.
  • ShareID response: MFA 3.0: strong identity-based authentication at the moment of consent + smooth re-authentication with a simple smile (MFA 3.0).
  • Result for you: Compliant, user-centred data access.

GDPR – Regulation (EU) 2016/679 (source: Regulation (EU) 2016/679)
  • ShareID response: Data retention period at ShareID is configurable. No biometric storage: patented homomorphic hashes, ISO 27001.
  • Result for you: Brand image, reduced regulatory and legal risk, increased trust from regulators and customers.