Framing digital resilience in the financial sector
DORA (Digital Operational Resilience Act) is the new regulation governing the digital operational resilience of the financial sector.
It is a continuation of the Basel Accords, which aimed to strengthen the regulation, control and risk management of the sector after the 2007 financial crisis.
After focusing on risk management, the European Union is now providing the financial system with uniform and strengthened regulations in order to move towards digital resilience.
The question now facing players in the financial sector is: “How do we achieve this much-discussed digital resilience?”
We have tried to summarize the main principles of DORA to guide you and suggest some priority areas. Read on!
The 5 pillars of operational digital resilience according to DORA
A cyber crisis can have a heavy impact on a company’s activities. Recent ransomware cases show that from one day to the next, a company can find itself completely paralyzed: data inaccessibility, inoperative workstations, shutdown of services, etc.
Preparedness is therefore crucial: a company must determine the criticality of its activities, prioritize those that are essential and vital, be able to continue them in degraded mode during a crisis, and ensure their gradual recovery. This is why the DORA regulation addresses operational risk through business continuity.
Financial entities will have to ensure the provision and quality of essential services. This involves both the assessment and the development of the operational technological integrity of financial entities and third-party providers. The regulation is based on 5 pillars aimed at achieving digital resilience:
- ICT (Information and Communication Technology) risks
- Incident reports
- Resilience tests (crisis exercise, simulation, etc.)
- Third-party risks
- Information sharing
To achieve this objective, the regulation requires, among other obligations, a crisis management plan. The plan must be tested continuously and then updated in order to achieve operational resilience. A crisis management plan makes it possible to anticipate likely crisis scenarios and the ways of dealing with them.
The construction phase of the crisis management plan is an opportunity for collective reflection, before any crisis, on the roles and responsibilities of each person. The priority of the Alcyconie team, when it builds a crisis management system, is to ensure that the teams take ownership of it: it must become a reflex, known to all and mastered by everyone.
The notion of financial entity: who is concerned by DORA?
Article 2 of the regulation provides a long list of bodies falling within its scope, while taking care, in its latest version, to exclude certain entities. All the entities concerned are grouped under the generic name of “financial entities”. Third-party IT service providers of financial entities will also be subject to DORA.

Risk management obligations
DORA includes various obligations and recommendations relating to the digital resilience of the financial sector. We will focus in particular on the provisions concerning crisis management, Alcyconie’s core business.
Governance – Training in Digital Operational Resilience
With DORA, management bodies will be required to take ownership of IT risk management. Cyber and digital crisis management is no longer the sole prerogative of the CISO; it is gradually becoming a matter for senior management, handled by “non-expert” staff. Management will therefore have to take responsibility for adopting a risk management framework and, more broadly, a governance and internal control framework. To ensure the effectiveness of this framework, DORA provides for a training obligation.
IT risk management framework
The risk management framework must be documented and reviewed annually. To complement it, financial entities are required to identify the tangible and intangible elements that will form part of this framework. This identification focuses in particular on mapping operational functions, information assets and the information system (IS). It allows entities to know which elements must be protected, and also to identify and assess risk scenarios as part of the crisis management plan.
In addition, entities must have a genuine security policy which, in order to remain effective and preventive, must be updated and checked with each change made to the IS.
Response Tools
Once the risk management framework is in place, the risk is always present. The regulation therefore provides for the obligation to have an
In the event of a crisis interrupting the organization’s activity, it will be necessary to plan for the gradual, organized and coordinated restart of operations. This recovery strategy must be thought out in advance, in calm conditions, rather than improvised. To support this resumption of activity, DORA also requires that crisis communication measures be defined beforehand, so that information keeps circulating in a degraded crisis situation.
To ensure that these measures are in place, entities will have to set up a crisis management function and test their procedures once a year. Find out more about crisis management exercises and training at Alcyconie.

Training in digital operational resilience
Digital resilience must also involve learning from and capitalizing on the entity’s experience. Entities are therefore expected to carry out post-incident reviews to determine the causes of incidents and the improvements to be implemented. Beyond that, employees and management will need to undergo training and awareness-raising on operational resilience and IT security.
Communication in the context of risk management
In a rather short and imprecise article, the regulation refers to communication in the context of the risk management framework. It provides for responsible communication of incidents and vulnerabilities, both to customers and to the general public.
Several questions arise here for communicators. When IT teams are mobilized to solve the problem, how do you obtain the information needed to explain a highly technical subject to the general public, while also knowing how to interact with specialized, expert media? How can you communicate transparently and reassure your stakeholders without handing valuable information to attackers? Supporting your communication teams in understanding these technical subjects will give them an operational and pragmatic view of their role, and will help them find their place and the most effective posture.
(Find our contribution to one of the analyses of Marc-Antoine Ledieu, who did us the honor of asking us about the subject here).

Incident management obligations
To manage IT incidents, the regulation requires the implementation of an IT incident management process that includes a risk management process. The idea is to know where to go and which path to follow during the crisis. The regulation specifies the content of this process:
- Procedure for classifying incidents according to criteria defined by the regulation
- Roles and responsibilities to be activated according to the scenario
- Internal and external communication plan
- Incident escalation procedure
- Management notification procedure
- IT response procedure
Financial entities are now required to notify the authorities of major IT-related incidents using a specific template.
In the event of a crisis that may affect their interests or the service, financial entities will be obliged to inform users and customers of the situation.
What should we remember about DORA?
In short, DORA makes it mandatory to apply standards in terms of crisis management and business continuity in anticipation of cyber risks. DORA’s objective is to prevent a cyber crisis from impacting one or more financial players to the point of destabilizing the markets and the economy of the European Union.
To learn more about cyber crisis management, read our article “Preparing to manage a cyber crisis and communicating”.
Article co-written by Rayan Le Calloch and Jeanne Fantou.