Applicable · Application: 2025-01-17

DORA

Digital Operational Resilience Act, Regulation (EU) 2022/2554

EU regulation on digital operational resilience for the financial sector. Applicable since 17 January 2025, with TLPT exercises in 2026.

Sectors concerned

01 · What is it?

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is the European framework for digital operational resilience in the financial sector. Adopted in December 2022 and applicable since 17 January 2025, it harmonizes ICT (Information and Communication Technology) risk-management requirements for banks, insurers, fund managers, payment service providers and, more broadly, any regulated financial entity.

The regulation rests on five pillars: ICT governance and risk management, incident management and reporting, operational resilience testing (including TLPT, Threat-Led Penetration Testing), third-party risk management (CTPP, Critical Third-Party Providers), and threat-information sharing.

02 · Who is concerned?

Every regulated European financial entity is in scope:

  • Credit institutions (banks) and payment institutions.
  • Investment firms and UCITS/AIF management companies.
  • Insurance and reinsurance undertakings.
  • Trading venues, central securities depositories, central counterparties.
  • Crypto-asset service providers (CASPs under MiCA).
  • Critical ICT Third-Party Providers (CTPPs): hyperscalers, datacenters, critical SaaS providers used by financial entities, supervised directly by the ESAs.

03 · Application timeline

Applicable since 17 January 2025. TLPT penetration tests of the identified entities must be conducted before end-2027.

  • 17 January 2025: entry into application.
  • First half of 2026: ACPR publication of lists of French entities subject to TLPT.
  • Before end-2027: first TLPT conducted by concerned actors.
  • 2026-2028: ramp-up of ACPR/AMF/EIOPA supervision and progressive designation of CTPPs by the ESAs.

04 · Sanctions

DORA relies on the national sanction regimes of the sectoral authorities (ACPR for banks and insurers, AMF for fund managers). The usual sanctions apply: administrative fines, injunctions, withdrawal of authorization.

For CTPPs, the ESAs have specific powers: information requests, on-site inspections, binding recommendations and, as a last resort, suspension of the service's use by financial entities.

05 · How to comply

Four software capabilities structure the compliance effort:

  • A register of ICT providers with critical/non-critical classification, DORA-compliant contracts (audit rights, exit plan) and the associated certifications.
  • An incident workflow with ACPR notification within 4 hours for major incidents, an interim report at 72 hours and a final report at 1 month.
  • An inventory of critical functions with their dependencies (systems, teams, providers), which forms the scoping basis for TLPTs.
  • An exit plan for critical providers (notably hyperscalers) that is both documented AND periodically tested.

06 · Frequently asked questions

What is the difference between DORA and NIS2?
DORA is sectoral (finance) and more demanding; NIS2 is horizontal (all critical sectors). A French bank is subject to DORA, which takes precedence over NIS2 on the topics it covers. Both converge on principles (ICT risk management, incident notification, third-party management), but DORA goes further on resilience (TLPT, hyperscaler exit plan).

What is a TLPT and who must undergo one?
TLPT (Threat-Led Penetration Testing) is a penetration test conducted under conditions that reproduce a real attack, by a certified provider, without notifying the blue team. The most significant entities (systemic banks, private banks above €30bn, the main asset managers) must conduct one before end-2027.

Is my banking SaaS classified as a CTPP?
Not automatically. CTPPs are designated by the ESAs on aggregate criticality criteria (how many banks use the service, with what exposure). Hyperscalers (AWS, Microsoft, Google) are almost certain to be classified as CTPPs. For a niche SaaS, designation remains rare but possible if several critical actors depend on it.

Must the hyperscaler exit plan be tested?
Yes. DORA requires a "credible" plan, and credibility means tested. Very few banks have actually tested an AWS or Azure exit scenario. It is a major work-stream for 2026-2028, especially for actors heavily dependent on a single cloud.

Official sources

Related regulations

  • NIS2: Network and Information Security 2, Directive (EU) 2022/2555 (in force)
    European cybersecurity directive applicable since October 2024. Extends the scope to SaaS, datacenters, transport and the food sector.
    Sectors: B2B SaaS, Banking, Clinic & Health, and others.

Analysis articles

A DORA software project?

When DORA calls for custom software, we deliver it in a few weeks, 3× cheaper than an incumbent vendor.