The rapid digitization of the European financial sector is opening up new opportunities, but it is also amplifying risks: increasingly sophisticated cyberattacks, greater reliance on information technology and the concentration of critical service providers on a global scale. To meet these challenges and guarantee the digital sovereignty of the European Union, a common framework was needed.

It was in this context that the Digital Operational Resilience Act (DORA – EU 2022/2554), the European regulation on digital resilience, was born. It came into force on January 16, 2023, and has been fully applicable since January 17, 2025, to all financial entities and their IT service providers. Treezor, an electronic money institution approved by the ACPR and a subsidiary of Societe Generale, is a key player in this ecosystem with a dual challenge of trust: ensuring its own compliance and enabling its customers—fintechs and financial platforms, including those supporting companies or sectors subject to NIS2—to also achieve their security and continuity objectives.

From PUPA to DORA: ensuring the continuity, availability and security of our customers’ digital services and the stability of financial systems

Digital resilience, as introduced by DORA, represents a fundamental evolution that broadens the traditional approach of France’s PUPA (Emergency and Business Continuity Plan). While PUPA has historically focused on the company’s ability to resume its own activities after a major failure, DORA requires thinking in terms of end-to-end resilience of the service provided to the end customer and, by extension, contribution to the stability of the financial system.

This is a major shift in perspective: the question is no longer simply “How do we restart our systems?”, but rather “How do we ensure that our critical customer and market services continue to function acceptably, even in the event of a major disruption, including all our partners and service providers?”

Here’s how DORA orchestrates this expansion:

1. From Internal Process to “Vital Process” for the Customer

The traditional PUPA approach focuses on internal business processes. DORA, and the Societe Generale group’s resulting methodology, introduces the concept of “Vital Processes”.

A process is considered vital not because of its importance to the internal organization, but because of its critical importance to customers and the functioning of the market. Resilience is no longer a purely technical or internal organizational issue; it is becoming an essential component of the service promise made to the customer.

2. From the Company to the Entire Digital Ecosystem

PUPA limits its focus to the company’s scope. DORA, on the other hand, assumes that a financial entity is just one link in a complex digital chain. The resilience of a service therefore depends on the resilience of each link in that chain.

This is why DORA places such a strong emphasis on managing risks related to ICT service providers (suppliers, but also agent/distributor customers who are “Essential Outsourced Service Providers”). Financial institutions are now responsible for ensuring that their entire digital ecosystem is resilient. Strict contractual requirements and the need to carry out end-to-end testing involving these third parties are a perfect illustration of this.

3. From Business Continuity to Incident Tolerance

The vocabulary is changing, and this is not insignificant.

  • Disaster recovery aims to “resume” or “continue” business after an outage. The goal is to restart.
  • DORA refers to “resilience,” i.e., the ability of the service to absorb a shock, continue to operate in a degraded but acceptable mode for customers and the market, and return to normal. This concept of “impact tolerance” is at the heart of the regulation and must be defined for each critical service.

In conclusion, digital resilience according to DORA does not replace PUPA, but encompasses and extends it considerably. It requires adopting a “customer-centric” and “systemic” vision where the continuity of your business is no longer an end in itself, but a means of ensuring the stability and reliability of the services that the financial institution operates within the financial ecosystem.

Resilience according to DORA

The DORA regulation aims to strengthen the ability of financial players and their service providers to deal with digital risks. The goal is to strengthen prevention, detection, response and operational continuity in the face of incidents, particularly cyber incidents. This requires better control of critical service providers and more reliable exit plans. DORA thus establishes a common set of standards at the European level to increase the collective resilience of the financial system.

A major development is the extension of the financial entity’s responsibility to its entire digital value chain. DORA requires detailed records to be kept of ICT (Information and Communication Technology) service providers, giving regulators a clear view of dependencies so they can better assess systemic risks.

DORA’s approach is based on five interdependent pillars:

1. ICT governance and risk management: Each institution must implement a comprehensive risk management framework, under the direct responsibility of its management body. This framework, proportionate to the size and risk profile of the entity, aims to anticipate threats, manage ICT assets and service developments, and identify vulnerabilities.

2. ICT third-party provider management: Contracts with suppliers must be strictly regulated and their performance continuously monitored. Requirements in terms of service levels, reversibility and substitutability are significantly strengthened to ensure continuity in the event of a failure.

3. Incident management and reporting: Standardized procedures are required to quickly detect, analyze and report major incidents in order to limit their impact and improve collective prevention.

4. Information sharing: The circulation of data on threats, vulnerabilities and best practices is encouraged to promote a collective and proactive response across the sector.

5. Operational resilience testing: Regular and progressive exercises are mandatory, ranging from backup restoration tests to threat-led penetration tests (TLPT) for the most critical players, in order to verify the effectiveness of defenses.

Article 30 of DORA is central: it imposes strict and uniform contractual clauses for all ICT service providers, whether European or non-European. These clauses, which are reinforced for services supporting critical functions, cover all the pillars of DORA. They include, in particular, a precise description of services (SLA), data localization, incident support, audit rights for the financial entity as well as reversibility and termination conditions.

Internally, DORA is transforming processes and corporate culture. It requires closer collaboration between security teams (CISO), business continuity teams (BCP) and IT departments. Incident management procedures must be adapted to strict notification deadlines. Resilience is becoming a strategic lever, promoting investment and involving employees and business managers more closely in cybersecurity.

Ultimately, DORA directly benefits the customer. Its main objective is to ensure the continuous availability of financial services and data protection. This translates into more transparent communication in the event of an incident and the strengthening of visible security measures, such as multi-factor authentication (MFA).

In this context, Treezor, as a regulated institution and BaaS service provider, positions itself as a strategic partner. By complying with DORA for its own operations, Treezor offers its customers a robust infrastructure that facilitates their own compliance and transforms this regulatory constraint into a sustainable competitive advantage based on trust and resilience.
