REGULATION (EU) 2022/2554 - APPLICABLE SINCE 17 JANUARY 2025

Your DORA compliance,
documented and defensible

The European regulation on the digital operational resilience of the financial sector (DORA) requires financial entities - and, by extension, their ICT providers - to maintain an exhaustive register of contracts, precise contractual clauses and dated audit evidence. SYAGA DORA-Express helps you meet these requirements without improvising, whether you are a financial entity or a provider.

17/01
Applicable since 2025
21
Categories of entities in scope (art. 2)
4h
Notification deadline for a major incident
19
Critical ICT providers already designated

The regulatory context

DORA is a regulation, not a directive: it applies directly in all member states, with no national transposition law to wait for.

DORA has applied directly since 17 January 2025

Regulation (EU) 2022/2554 of 14 December 2022, published in the Official Journal of the EU on 27 December 2022, entered into force on 16 January 2023 and applicable since 17 January 2025. No national transposition required: it is directly enforceable.

📋

An exhaustive ICT register is required (art. 28 §3)

Every financial entity must maintain and transmit annually to the authorities a complete register of its ICT contracts: provider, nature of the service, criticality of the function, country where the data is hosted.

📄

Your contracts must contain precise clauses (art. 30)

Audit and inspection rights, guarantees of data availability and integrity, tested exit plans, incident notification without delay. These clauses cascade down from your financial client to you if you are its ICT provider.

📧

The due diligence questionnaire is already in your inbox

Before signing or renewing a contract, a bank, insurer or investor sends a cyber questionnaire (governance, MFA, EDR, encryption, awareness training). Answering without documented evidence costs you the contract.

The 18 November 2025 trigger

Your cloud providers have just been officially designated "critical"

On 18-19 November 2025, the European Supervisory Authorities (EBA, ESMA, EIOPA) published the first official list of critical ICT third-party providers under Article 32 of DORA. Among the names confirmed by the official announcements: AWS EMEA Sarl, Microsoft Ireland Operations Limited, Google Cloud, Orange SA, Capgemini SE (and 14 other providers not confirmed by name in our sources).

Concrete consequence: if your critical services rely on one of these providers, your financial client must now document this in its ICT register - and may question you about your own subcontracting chain.

Source: official EIOPA and ESMA announcements of 18-19 November 2025 (eiopa.europa.eu, esma.europa.eu).

Our response: DORA-Express

A structured 5-step engagement to document your compliance - without promising what neither a tool nor a firm can certify on your behalf.

1
Step 1 - Qualification

Let's identify your actual exposure

Are you a financial entity directly subject to DORA (one of the 21 categories in article 2), or an ICT provider indirectly targeted through the contractual clauses of your financial clients (article 30)? The exact scope determines everything else.

2
Step 2 - Due diligence

Response to your cyber questionnaire

We answer your bank, investor or insurer due diligence questionnaire (governance, MFA, EDR, encryption, awareness training...), relying on a technical audit of your Microsoft 365 tenant as dated, verifiable evidence.

3
Step 3 - Register and contracts

ICT register and article 30 clauses

We help you structure your ICT contracts register (art. 28 §3) and check or integrate the minimum and enhanced contractual clauses of article 30 into your provider contracts.

4
Step 4 - Continuity and resilience

BCP/DRP Finance sector profile

Our BCP/DRP Suite offers a Finance sector profile (DORA, PSD2, ACPR) that covers the operational resilience testing requirements of Chapter IV of DORA, aligned with ISO 22301.

5
Step 5 - Handover

A documented compliance file

Delivery to your management, CISO or CFO of a consolidated file, with the precise points to be decided by your legal counsel before any communication to the authorities.

What you receive

Concrete, sourced deliverables, with no certification promise that no one can guarantee

📝

Cyber due diligence answers

10 typical bank / M&A due diligence questions, documented and sourced (ILPA DDQ, CSA CAIQ, cyber insurer questionnaires).

  • Security policy / recognized framework
  • MFA, least privilege, privileged accounts
  • M365 license, EDR / threat hunting
  • Legacy protocols, disk encryption
  • Awareness program
📄

DORA reference sheet

Sourced summary of Regulation (EU) 2022/2554.

  • Scope: 21 categories of entities (art. 2)
  • 5 areas of obligations
  • Notification deadlines (4h / 72h / 1 month)
  • Interplay with NIS2 (lex specialis)
📋

ICT register (art. 28 §3 template)

Structure of the exhaustive register required by the authorities.

  • Provider and nature of the service
  • Criticality of the supported function
  • Country where the data is hosted
  • Format ready for annual submission
🔐

Contractual clauses (art. 30 template)

To be integrated or checked in your ICT provider contracts.

  • Minimum clauses (all contracts)
  • Enhanced clauses (critical functions)
  • Audit and inspection rights
  • Exit plans and data extractability
🏗

BCP/DRP Finance profile

Business continuity and disaster recovery plan, dedicated sector profile.

  • Covers Chapter IV DORA (resilience testing)
  • Aligned with ISO 22301
  • DORA / PSD2 / ACPR sector profile
  • Built on our existing BCP/DRP Suite
💾

Documented compliance file

PDF and DOCX formats, consolidating the full set of deliverables.

  • Ready for your management / CISO / CFO
  • Points to be validated by your lawyer flagged
  • Basis for your exchanges with ACPR / AMF (the French authorities)
  • Editable for annual updates

An example: the bank due diligence questionnaire

Excerpt of the 10 questions we document for you, with the source for each question

Topic Question Source
Governance Is your security policy based on a recognized framework (NIST, ISO 27001)? ILPA DDQ 2.0
Third-party audit Do you carry out an annual independent audit and penetration tests? CSA CAIQ v4
Incident plan Is there a formal, documented and maintained incident response plan? CSA CAIQ v4 / ILPA DDQ 2.0
MFA For which services do you enforce multi-factor authentication? Travelers - MFA Supplement
Privileged accounts Do access rights follow the least-privilege principle, reviewed periodically? CSA CAIQ v4 IAM
Messaging Which M365 license do you use? Is Defender / advanced threat hunting active? vCSO.ai Cyber DD Checklist
Encryption Are endpoint disks fully encrypted? Google VSAQ
Training Is a security awareness program established for all staff? CSA CAIQ v4 HRS

Texts and frameworks covered

Each deliverable explicitly states what it covers - and what it does not

DO

DORA (Regulation (EU) 2022/2554)

ICT register (art. 28), contractual clauses (art. 30), notification deadlines (art. 19), reference to designated critical ICT providers (art. 32).

N2

NIS2 - interplay with DORA

DORA is a lex specialis relative to NIS2 for the financial sector: the entities concerned apply DORA instead of the equivalent NIS2 measures.

ISO

ISO 22301 - business continuity

The BCP/DRP Finance profile is aligned with ISO 22301, the business continuity management framework used to complement DORA.

RG

GDPR - separate notification

The DORA incident notification (ACPR/AMF, the French authorities) is separate from the GDPR notification (to the competent data protection authority, the CNIL in France) in the event of a personal data breach: both may be required simultaneously.

An engagement tailored to your situation

Every DORA file is different depending on your status - a personalized quote in every case

ICT provider

You supply services to one or more financial entities

Quote
depending on scope
  • Cyber due diligence response
  • ICT register, provider-side
  • Review of article 30 clauses
  • Documented file ready to submit
Request a quote

Annual follow-up

Regular update of the file (obligations, contracts, register)

Quote
recurring
  • ICT register update
  • Annual review of contractual clauses
  • Monitoring of designated critical providers
  • Support for your client due diligences
Request a quote

Frequently asked questions

Is my company a financial entity in scope of DORA?
Article 2 of DORA lists 21 categories of financial entities: credit and payment institutions, investment firms, MiCA-authorized crypto-asset providers, insurance and reinsurance, fund management, credit rating agencies, and others. Microenterprises (fewer than 10 employees, turnover or balance sheet below 2 million euros) benefit from proportionality on certain obligations, but are not fully excluded. To be checked case by case with legal counsel.
I'm not a bank, why does DORA concern me anyway?
If you provide ICT services (IT, cloud, software, hosting) to a financial entity, article 30 requires your client to list you in its register and to impose precise contractual clauses on you: audit rights, incident notification without delay, exit plans. These obligations flow through your client's contract, not through direct supervision by the authority - unless you are yourself designated a critical ICT provider (article 31).
What are the notification deadlines for a major ICT incident?
Article 19: initial notification within 4 hours of classification as a major incident (at most 24 hours after detection), intermediate report within 72 hours, final report within 1 month. These notifications are separate from any GDPR notification to the competent data protection authority (the CNIL in France) in the event of a personal data breach.
What is a "critical ICT provider"?
These are providers explicitly designated by the European Supervisory Authorities (EBA, ESMA, EIOPA) based on criteria of systemic impact, substitutability and dependency (article 31). The first official list, published on 18-19 November 2025, includes 19 providers. They are subject to direct supervision (inspections, extended reporting); other ICT providers remain governed solely by the contractual clauses of their financial clients.
Does DORA replace NIS2 for my sector?
Yes, for financial entities within the meaning of article 2: DORA constitutes a lex specialis relative to NIS2 for the financial sector. The 21 categories concerned apply DORA instead of the equivalent NIS2 measures on risk management and incident notification.
Does this service constitute legal advice?
No. DORA-Express is a documentation support tool, not legal advice. The exact applicability of DORA to your organization and the legal compliance of your contracts must be validated by a specialized lawyer before any binding decision.

Ready to document your DORA compliance?

Contact us to receive a personalized quote based on your status (financial entity or ICT provider).

DORA-Express is a documentation support tool and does not constitute legal advice. The applicability of DORA to your organization and the legal validity of your contracts and registers must be confirmed by a specialized lawyer.