Diligence helps European financial institutions prepare and submit DORA reporting obligations — ICT third-party risk registers, major incident notifications, and threat intelligence reports — on time and in the correct format.
The Digital Operational Resilience Act (Regulation EU 2022/2554) entered into force on 17 January 2025. It applies to a broad scope of financial entities — banks, investment firms, payment institutions, insurance undertakings, crypto-asset service providers, and more — and introduces structured reporting obligations around ICT risk management and operational incidents.
Financial institutions must classify and notify major ICT-related incidents to their national competent authority (NCA) within defined timeframes. For banks and investment firms in France, the NCA is the ACPR. Notification follows a three-phase structure: initial notification within 4 hours of classification, intermediate report within 72 hours, and final report within one month of resolution.
The European Supervisory Authorities (EBA, ESMA, EIOPA) have defined common reporting templates. These templates use structured data fields rather than free text, and submissions must go through the standard supervisory reporting channels — ONEGATE for French entities.
Institutions must maintain a Register of Information (RoI) covering all contractual arrangements with ICT third-party service providers. The register must include provider details, service classification, criticality assessment, contractual references, and risk information for each arrangement. The full register must be submitted annually to the NCA in a specified structured format.
Significant institutions must conduct Threat-Led Penetration Tests (TLPT) at least every three years and report results to their NCA. The test scope, methodology, and findings must be documented and submitted in a structured format. TIBER-EU and national equivalents define the TLPT framework.
DORA also establishes a voluntary notification pathway for significant cyber threats that have not yet materialised into major incidents. Institutions may report these to their NCA on a voluntary basis; the NCA may share anonymised information with other competent authorities and ENISA.
For French banks, payment institutions, investment firms, and insurers, DORA obligations are supervised by the ACPR. Incident notifications and the ICT third-party register are submitted through ONEGATE or directly to ACPR through their designated secure channel.
Many DORA reporting obligations run in parallel with existing ACPR prudential reporting. Institutions that already use Diligence for COREP, FINREP, or ACPR prudential submissions have an existing ONEGATE connection and user access structure that can be extended to cover DORA notifications.
DORA operates as a lex specialis in relation to NIS2 (the Network and Information Security Directive). Financial entities subject to DORA are exempt from the corresponding NIS2 incident reporting obligations — DORA is the applicable framework for regulated financial institutions.
The Register of Information (RoI) is the most operationally significant new DORA obligation for many institutions. It covers all ICT third-party service providers — not just those deemed critical — and must be structured according to the templates defined by the ESAs.
The complete register must be submitted annually to the NCA. Institutions must also notify the NCA of any significant changes to a critical arrangement within defined timeframes. The register is a living document — institutions need a process to maintain it in real time, not just at annual submission.
French institutions already using Diligence for COREP or FINREP have an established ONEGATE connection, user structure, and submission workflow. Extending that infrastructure to cover DORA incident notifications avoids building a separate reporting channel for a new obligation.
DORA reporting templates use structured data fields. Diligence is purpose-built for structured regulatory data preparation and submission — the same principles that underpin XBRL reporting apply to DORA notification templates.
Managing COREP, FINREP, Solvency II, and DORA obligations in separate tools creates operational risk. Diligence's platform consolidates regulatory reporting into a single environment — one submission workflow, one audit trail, one ONEGATE connection.
DORA's technical standards are still being finalised and updated by the ESAs. Diligence tracks regulatory developments and updates the platform — the same commitment that keeps XBRL taxonomies current applies to DORA template evolution.
DORA applies to a broad scope of financial entities — banks, investment firms, payment institutions, e-money institutions, insurance undertakings, crypto-asset service providers, and others. The proportionality principle applies: some obligations (like TLPT) apply only to significant institutions, but ICT incident reporting and the third-party register apply broadly.
Initial notification: within 4 hours of classifying an incident as major. Intermediate report: within 72 hours of initial classification. Final report: within one month of incident resolution. These are tight timelines that require pre-built reporting workflows, not improvised responses.
DORA adds new reporting obligations on top of existing prudential and statistical reporting. It does not replace existing ACPR obligations. French institutions in scope must comply with both — DORA reporting routes through ACPR as the national competent authority.
Yes. Diligence's platform supports both the structured data preparation for the ICT third-party register and the notification workflows for major incidents. Institutions already using Diligence for COREP or FINREP can extend their existing ONEGATE setup to cover DORA obligations.
ICT incident notifications, third-party register submissions, ONEGATE integration — manage all DORA obligations in the same platform you use for COREP and FINREP.