The European regulation on the digital operational resilience of the financial sector (DORA) requires financial entities - and, by extension, their ICT providers - to maintain an exhaustive register of contracts, precise contractual clauses and dated audit evidence. SYAGA DORA-Express helps you meet these requirements without improvising, whether you are a financial entity or a provider.
DORA is a regulation, not a directive: it applies directly in all member states, with no national transposition law to wait for.
Regulation (EU) 2022/2554 of 14 December 2022, published in the Official Journal of the EU on 27 December 2022, entered into force on 16 January 2023 and applicable since 17 January 2025. No national transposition required: it is directly enforceable.
Every financial entity must maintain and transmit annually to the authorities a complete register of its ICT contracts: provider, nature of the service, criticality of the function, country where the data is hosted.
Audit and inspection rights, guarantees of data availability and integrity, tested exit plans, incident notification without delay. These clauses cascade down from your financial client to you if you are its ICT provider.
Before signing or renewing a contract, a bank, insurer or investor sends a cyber questionnaire (governance, MFA, EDR, encryption, awareness training). Answering without documented evidence costs you the contract.
On 18-19 November 2025, the European Supervisory Authorities (EBA, ESMA, EIOPA) published the first official list of critical ICT third-party providers under Article 32 of DORA. Among the names confirmed by the official announcements: AWS EMEA Sarl, Microsoft Ireland Operations Limited, Google Cloud, Orange SA, Capgemini SE (and 14 other providers not confirmed by name in our sources).
Concrete consequence: if your critical services rely on one of these providers, your financial client must now document this in its ICT register - and may question you about your own subcontracting chain.
Source: official EIOPA and ESMA announcements of 18-19 November 2025 (eiopa.europa.eu, esma.europa.eu).
A structured 5-step engagement to document your compliance - without promising what neither a tool nor a firm can certify on your behalf.
Are you a financial entity directly subject to DORA (one of the 21 categories in article 2), or an ICT provider indirectly targeted through the contractual clauses of your financial clients (article 30)? The exact scope determines everything else.
We answer your bank, investor or insurer due diligence questionnaire (governance, MFA, EDR, encryption, awareness training...), relying on a technical audit of your Microsoft 365 tenant as dated, verifiable evidence.
We help you structure your ICT contracts register (art. 28 §3) and check or integrate the minimum and enhanced contractual clauses of article 30 into your provider contracts.
Our BCP/DRP Suite offers a Finance sector profile (DORA, PSD2, ACPR) that covers the operational resilience testing requirements of Chapter IV of DORA, aligned with ISO 22301.
Delivery to your management, CISO or CFO of a consolidated file, with the precise points to be decided by your legal counsel before any communication to the authorities.
Concrete, sourced deliverables, with no certification promise that no one can guarantee
10 typical bank / M&A due diligence questions, documented and sourced (ILPA DDQ, CSA CAIQ, cyber insurer questionnaires).
Sourced summary of Regulation (EU) 2022/2554.
Structure of the exhaustive register required by the authorities.
To be integrated or checked in your ICT provider contracts.
Business continuity and disaster recovery plan, dedicated sector profile.
PDF and DOCX formats, consolidating the full set of deliverables.
Excerpt of the 10 questions we document for you, with the source for each question
| Topic | Question | Source |
|---|---|---|
| Governance | Is your security policy based on a recognized framework (NIST, ISO 27001)? | ILPA DDQ 2.0 |
| Third-party audit | Do you carry out an annual independent audit and penetration tests? | CSA CAIQ v4 |
| Incident plan | Is there a formal, documented and maintained incident response plan? | CSA CAIQ v4 / ILPA DDQ 2.0 |
| MFA | For which services do you enforce multi-factor authentication? | Travelers - MFA Supplement |
| Privileged accounts | Do access rights follow the least-privilege principle, reviewed periodically? | CSA CAIQ v4 IAM |
| Messaging | Which M365 license do you use? Is Defender / advanced threat hunting active? | vCSO.ai Cyber DD Checklist |
| Encryption | Are endpoint disks fully encrypted? | Google VSAQ |
| Training | Is a security awareness program established for all staff? | CSA CAIQ v4 HRS |
Each deliverable explicitly states what it covers - and what it does not
ICT register (art. 28), contractual clauses (art. 30), notification deadlines (art. 19), reference to designated critical ICT providers (art. 32).
DORA is a lex specialis relative to NIS2 for the financial sector: the entities concerned apply DORA instead of the equivalent NIS2 measures.
The BCP/DRP Finance profile is aligned with ISO 22301, the business continuity management framework used to complement DORA.
The DORA incident notification (ACPR/AMF, the French authorities) is separate from the GDPR notification (to the competent data protection authority, the CNIL in France) in the event of a personal data breach: both may be required simultaneously.
Every DORA file is different depending on your status - a personalized quote in every case
You supply services to one or more financial entities
You are directly subject to DORA (one of the 21 categories, art. 2)
Regular update of the file (obligations, contracts, register)
Contact us to receive a personalized quote based on your status (financial entity or ICT provider).