DORA, explained simply: the law that protects finance from outages and cyberattacks
4
Min
•
06.07.2026
In short: DORA requires banks, insurers and other financial players, along with their technology providers, to keep operating even during an IT outage or a cyberattack. The law has already been in force since January 2025, and 2026 marks the start of the checks.
What exactly is DORA?
DORA is a European law: Regulation (EU) 2022/2554. Its full name, "Digital Operational Resilience Act", simply means a law on the ability of digital systems to withstand disruption.
The idea fits in one sentence: when a bank or an insurer depends on IT to operate, an outage or a cyberattack is no longer a mere technical concern, it is a risk for the entire financial system. DORA therefore sets common rules to prevent these incidents, react quickly when they happen, and keep serving customers.
Two things to keep in mind:
- The law has been applicable since 17 January 2025. It applies directly, without going through a French law.
- It covers around twenty types of financial entities (banks, insurers, payment providers, fintechs, fund managers), and also their technology suppliers.
Who is concerned (and why it goes beyond banks)
The point often misunderstood: DORA does not stop at financial institutions. It also applies to their IT providers. A software vendor that sells its services to a bank becomes, in the eyes of the law, a link in that bank's resilience. It must therefore be able to meet the same requirements: security, availability, the client's right to oversight.
In other words: if you supply technology to the financial sector, DORA concerns you too, even if you are not a bank.
What DORA requires, in 5 points
1. Manage IT risks
Map your tools, identify the sensitive points, and plan how to keep operating in a crisis. Responsibility goes all the way up to senior management.
2. Report serious incidents
Any major IT incident must be reported to the authorities, within timelines and a format that are identical across Europe.
3. Test your resilience
The most important players must have their defences tested through real attack simulations, at least once every three years.
4. Oversee your IT providers
This is the most structuring point. Contracts with suppliers must include clear guarantees: security, right to audit, control over subcontracting, data location, and the ability to switch provider. Suppliers deemed the most critical are even monitored directly at European level.
5. Share information on cyber threats
DORA encourages financial players to exchange with one another about threats in order to defend themselves better collectively.
Where do things stand in 2026?
The law has been applied for about eighteen months. In France, the ACPR has moved from support to stepped-up checks. The work under way: keeping the register of IT providers up to date, designating critical suppliers, and launching security tests for the largest players.
The key point: knowing your providers and suppliers well
DORA is a reminder of the obvious: a bank is only as strong as its suppliers are. This obliges institutions to better assess the companies they work with.
That is exactly the logic of Know Your Supplier (KYS) and, more broadly, of KYB: checking a company, its managers and its reliability before and during the relationship, thanks to a company trust score.
How much non-compliance costs
The penalties are heavy. A financial institution risks up to 2% of its annual worldwide turnover. A critical supplier can be penalised every day it is not in order, up to 1% of its average daily turnover, for six months. Beyond the fine, it is customer trust that is at stake.
DORA and the fight against fraud
Staying operational and fighting fraud are the same battle: reliable, available customer journeys. An identity and fraud detection system that goes down is an open door for fraudsters. Securing these journeys therefore serves both DORA compliance and fraud protection.
Your DORA checklist
You are on the right track if you can answer yes to each point:
- The list of your IT providers is up to date.
- Your supplier contracts include the DORA guarantees (audit, security, reversibility).
- You know how to detect and report a major IT incident.
- Your security tests are scheduled.
- You assess the reliability of your suppliers and corporate clients (KYS / KYB).
In conclusion
DORA turns IT resilience into a legal obligation, not just a good practice. And it sends a clear message to the whole ecosystem: knowing your suppliers, securing your journeys and keeping a record of your decisions is no longer optional. The good news: these are habits that also protect against fraud.
Sources: Regulation (EU) 2022/2554 (DORA), Official Journal of the European Union; ACPR, DORA file.
Assess your providers, secure your journeys
Meelo helps financial players know and assess their providers and corporate clients (KYB, trust score, Know Your Supplier), and secure their identity and anti-fraud journeys. A decision in 2 to 5 seconds, documented and auditable.

%20(1).jpg)
.png)
.jpg)