DORA and NIS2: impact on KYC frameworks in 2026
DORA: digital operational resilience becomes mandatory
The Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act, the EU regulation on digital operational resilience for the financial sector), published in the EU Official Journal on December 27, 2022, has been applicable since January 17, 2025. It imposes on every regulated financial entity (banks, fintechs, insurers, asset managers, crypto-asset service providers (CASPs), etc.) a uniform framework of digital operational resilience, that is, the ability to keep operating in the event of a cyberattack or major ICT outage.
The scope covered by DORA is broad. It targets not only financial entities themselves but also their critical third-party ICT providers (the IT and telecom providers whose failure would seriously disrupt financial services). An eIDV provider integrated into the KYC journey of a bank or fintech may, on that basis, qualify as a critical third-party provider within the meaning of DORA article 28.
::: callout-info In brief
- Regulation (EU) 2022/2554, applicable since January 17, 2025
- Sanctions: up to 1% of daily global turnover for critical providers
- 5 pillars: ICT risk management, incident reporting, testing, third-party management, information sharing
- TLPT (Threat-Led Penetration Testing): mandatory for systemic entities
- Direct EBA supervision (European Banking Authority) for designated critical providers
:::
DORA organizes its obligations around five coherent pillars.
1. ICT risk management framework: a formalized policy, identification of critical assets, regular testing, continuity plans. The mapping of dependencies must include every eIDV provider integrated into the KYC framework.
2. Incident reporting: obligation to notify within strict deadlines (24 hours for the initial classification, 72 hours for the intermediate report, 1 month for the final report) in the event of a major incident. The EBA position published in March 2025 has clarified the classification thresholds.
3. Resilience testing: regular testing for all entities. TLPT tests (realistic penetration tests) are mandatory for systemic entities every three years, with potential involvement of critical providers.
4. Third-party risk management: mandatory ICT provider registry, minimum contractual clauses (DORA article 30), upfront risk assessment, exit strategies.
5. Cyber-threat information sharing: encouragement to share information between financial entities. Not mandatory but incentivized.
NIS2: cybersecurity extended to fintechs and critical providers
The Directive (EU) 2022/2555 known as NIS2 (Network and Information Security 2, the second-generation EU cybersecurity framework) has replaced the NIS1 directive. It broadens the scope of entities subject to cybersecurity obligations and tightens sanctions.
In France, transposition was carried out through the law of October 30, 2024 (Law No. 2024-947) and its implementing decrees published during Q1 2025. The ANSSI (Agence nationale de la sécurité des systèmes d'information, the French cybersecurity agency) is the competent authority for supervision and inspection.
NIS2 distinguishes two categories of regulated entities.
Essential entities include banks, financial market infrastructures, large-scale digital service providers (cloud, datacenter, DNS), providers of qualified trust services within the meaning of eIDAS (the EU framework for electronic identification, electronic signatures and trust services), and online platform operators. A fintech or an eIDV provider that reaches the thresholds (250 employees or €50M in turnover) falls within this scope.
Important entities cover a broader scope: intermediate operators, ICT subcontractors, digital supply chains. The thresholds are more accessible.
NIS2 imposes a baseline of obligations consistent with DORA but broader:
- Documented cyber risk management, under the direct responsibility of the executive officer
- Incident reporting: early warning within 24 hours, report within 72 hours, final report within 1 month
- Technical measures: strong authentication (MFA), encryption, access management, backups, training
- Supply-chain monitoring: assessment of critical ICT subcontractors
- Personal liability of executives: individual sanctions possible
::: callout-info NIS2 and DORA sanctions: what stacks
- NIS2 essential entity: up to €10M or 2% of global turnover
- NIS2 important entity: up to €7M or 1.4% of global turnover
- DORA critical provider: 1% of daily global turnover (serious breaches)
- Cumulative with ACPR sanctions under AML/CFT rules (10% of turnover) and CNIL sanctions under GDPR (the EU's personal data law, 4% of turnover)
:::
Consequences for eIDV providers integrated into a KYC journey
The combination of DORA and NIS2 completely redefines the contract between an AML/CFT-regulated entity and its eIDV provider. Three consequences follow immediately.
An eIDV provider whose failure would interrupt customer onboarding (the account opening process) at a bank, a fintech, or an insurer may be qualified as a critical third-party ICT provider within the meaning of DORA. The designation is made by the EBA, on the proposal of national authorities, after a criticality analysis: number of dependent financial entities, market concentration, possibility of substitution.
At the end of 2025, the EBA had not yet published the final list of designated critical providers. The first designations are expected during the second half of 2026.
DORA article 30 sets the mandatory minimum clauses in every contract with a critical ICT provider:
- Precise description of the services provided and service levels (SLAs, the quality and availability commitments)
- Location of the data and servers (sovereignty clauses)
- Extended audit right for the financial entity and the supervisor (ACPR, EBA)
- Incident reporting obligations aligned with those of the financial entity
- Documented exit strategy with provider cooperation
- Commitment to cooperate in TLPT tests
- Business continuity clauses with recovery time and recovery point objectives (RTO/RPO, i.e. the maximum tolerable downtime and the maximum tolerable data loss)
All existing contracts must be brought into compliance by 2026.
The TLPT tests organized by systemic financial entities may include the eIDV provider. This requires:
- Capability to isolate a test environment representative of production
- Simulated incident protocols without disrupting real service
- Cooperation with the red teams (the ethical attackers commissioned to simulate a realistic cyberattack) appointed by the financial entity
- Documentation of results and remediation plans
::: callout-info 5 new obligations for an eIDV provider in 2026
- Complete mapping of critical assets and dependencies
- Contractual clauses aligned with DORA article 30
- Harmonized 24h/72h incident reporting
- TLPT tests on request from financial-entity clients
- Documented and tested exit strategy
:::
Compliance timeline: obligations in force and upcoming
The combined DORA/NIS2 regulatory timeline articulates several near-term deadlines.
| Date | Milestone | Text |
|---|---|---|
| October 17, 2024 | NIS2 transposition deadline (EU) | Directive (EU) 2022/2555 |
| October 30, 2024 | French NIS2 transposition law | Law No. 2024-947 |
| January 17, 2025 | Direct application of DORA in all Member States | Regulation (EU) 2022/2554 |
| 2025-2026 | First EBA designations of critical providers | DORA, art. 31 |
| 2025-2026 | First ACPR/ANSSI inspections on ICT resilience | DORA + NIS2 |
| 2026-2027 | Full compliance of provider contracts | DORA, art. 30 |
| From 2027 | Regular cycle of TLPT tests for systemic entities | DORA, art. 26 |
In its DORA guide of January 2025, the ACPR stated that inspections will primarily focus on three axes: mapping of ICT dependencies, quality of critical provider contracts, and capacity to report incidents within 24 hours.
Practical cases: three compliance scenarios
An online bank depends on a single eIDV provider for its onboarding. A 4-hour unavailability during peak hours interrupts several hundred account openings. The contract does not provide for an automatic fallback. Under DORA, the absence of a multi-vendor strategy (several providers to avoid single-vendor dependency) or of a continuity plan qualifies as a breach of article 11 (ICT risk management). Potential ACPR sanctions come on top of the commercial losses.
A cloud subcontractor of an eIDV provider suffers a massive data leak. Under NIS2, the reporting obligation cascades from the subcontractor to the eIDV provider, then to the client financial entity, and then to the regulators (CNIL for GDPR, ACPR for prudential, ANSSI for cybersecurity). The 24-hour early warning deadline applies at every link of the chain.
A large bank organizes a TLPT test including its eIDV provider. The provider refuses, citing operational constraints. Under DORA article 26, this obstruction can justify contract termination by the financial entity, or even direct EBA intervention if the provider is designated as critical.
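The first two scenarios and the article 30 clause list above can be checked mechanically against an ICT dependency register. The following Python script is an added example written for this article, not Euroleads code and not a DORA or EBA template: it assumes a constructed register of critical business functions, the ICT providers each one depends on, and the clauses present in each provider's contract (provider names such as `IDV-Alpha` are invented). It flags critical functions backed by a single provider with no documented fallback (scenario 1), lists the article 30 minimum clauses missing from each provider contract, and computes the 24h / 72h / 1-month reporting deadlines from an incident detection time, handling end-of-month overflow for the final report.

```python
"""Added example: ICT dependency register checks for a KYC chain (not project code)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The seven DORA article 30 minimum clauses listed in the article, as short keys.
ARTICLE_30_CLAUSES = frozenset({
    "service_description_sla",  # services and service levels
    "data_location",            # data and server location (sovereignty)
    "audit_right",              # audit right for the entity and the supervisor
    "incident_reporting",       # reporting aligned with the financial entity
    "exit_strategy",            # documented exit strategy with cooperation
    "tlpt_cooperation",         # commitment to cooperate in TLPT tests
    "continuity_rto_rpo",       # business continuity with RTO/RPO
})


@dataclass(frozen=True)
class Provider:
    name: str
    clauses: frozenset  # article 30 clause keys present in the signed contract


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    providers: tuple          # names of the ICT providers this function depends on
    fallback_documented: bool  # a tested continuity plan or fallback path exists


# Constructed register (hypothetical providers and functions).
PROVIDERS = (
    Provider("IDV-Alpha", frozenset({"service_description_sla", "data_location",
                                     "audit_right", "incident_reporting",
                                     "continuity_rto_rpo"})),
    Provider("IDV-Beta", ARTICLE_30_CLAUSES),
    Provider("Archive-Co", ARTICLE_30_CLAUSES),
)
FUNCTIONS = (
    CriticalFunction("customer_onboarding", ("IDV-Alpha",), False),
    CriticalFunction("sanctions_screening", ("IDV-Alpha", "IDV-Beta"), False),
    CriticalFunction("kyc_file_archive", ("Archive-Co",), True),
)
SAMPLE_DETECTION = datetime(2026, 3, 31, 22, 15, tzinfo=timezone.utc)  # constructed


def single_points_of_failure(functions):
    """Critical functions with exactly one provider and no documented fallback."""
    return [f.name for f in functions
            if len(set(f.providers)) == 1 and not f.fallback_documented]


def missing_article_30_clauses(provider):
    """Article 30 clause keys absent from this provider's contract, sorted."""
    return sorted(ARTICLE_30_CLAUSES - provider.clauses)


def add_months(dt, months):
    """Calendar-month addition that clamps the day to the target month's length."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(detected_at):
    """24h initial classification, 72h intermediate report, 1 month final report."""
    return {
        "initial_classification": detected_at + timedelta(hours=24),
        "intermediate_report": detected_at + timedelta(hours=72),
        "final_report": add_months(detected_at, 1),
    }


def compliance_findings(functions, providers):
    """Human-readable findings for the register: SPOFs first, then contract gaps."""
    by_name = {p.name: p for p in providers}
    findings = [f"{fn}: single provider, no documented fallback (DORA art. 11 exposure)"
                for fn in single_points_of_failure(functions)]
    used = sorted({name for f in functions for name in f.providers})
    for name in used:
        missing = missing_article_30_clauses(by_name[name])
        if missing:
            findings.append(f"{name}: contract lacks article 30 clauses {missing}")
    return findings


if __name__ == "__main__":
    for line in compliance_findings(FUNCTIONS, PROVIDERS):
        print(line)
    for label, when in reporting_deadlines(SAMPLE_DETECTION).items():
        print(f"{label}: {when.isoformat()}")
```

Run as-is, the script reports the onboarding single point of failure and the two clauses missing from the `IDV-Alpha` contract, and prints deadlines of April 1, April 3 and April 30 for an incident detected on March 31. Day clamping in `add_months` matters because "1 month" from the 31st has no literal counterpart in April; the clamped date is the conservative reading.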
Over the 12 months following DORA's application, the first disputes observed have essentially concerned the quality of existing contracts with ICT providers. The majority of 2020-2023 contracts do not meet the requirements of article 30.
How Euroleads is preparing and supports its clients
We designed our eIDV framework to meet DORA and NIS2 requirements by construction. Three axes structure this compliance, and we put them at your service:
- Multi-source resilient architecture: no single critical dependency. Convergence across 4,000 worldwide sources (transactional, government, telecom) removes the risk of a single point of failure tied to one provider or one technology.
- DORA-aligned client contracts: our standard contractual clauses already integrate the requirements of DORA article 30, including extended audit rights, exit strategies, 24h/72h incident reporting, and cooperation in TLPT tests.
- Harmonized reporting: reporting interfaces compatible with the standardized EBA, ACPR, and ANSSI templates, with no extra development for your teams.
A multi-source eIDV provider is intrinsically more resilient than a single-source biometric or document-based provider, because there is no single point of attack. That is precisely the foundation you can document to a supervisor.
::: cta Audit your KYC chain against DORA and NIS2: we do it in 10 days. Discuss your project :::
Frequently asked questions about DORA, NIS2, and KYC frameworks
Is my eIDV provider automatically qualified as a critical provider? No. The designation is made by the EBA on the proposal of national authorities, after a criticality analysis (number of dependent financial entities, market concentration, substitutability). At the end of 2025, the list was not yet public.
What incident reporting deadlines apply? 24 hours for the initial classification of the incident, 72 hours for the intermediate report, 1 month for the final report. EBA position published in March 2025.
Do existing eIDV provider contracts need to be amended? Yes, systematically. DORA article 30 sets mandatory minimum clauses that generally do not appear in pre-2024 contracts.
Are TLPT tests mandatory for every entity? No. They are mandatory for designated systemic entities (large banks, market infrastructures). Other entities may use them voluntarily. Minimum regular cycle of 3 years.
Can NIS2 and DORA apply to my company simultaneously? Yes. A fintech subject to DORA may also fall under NIS2 if it crosses the essential-entity thresholds. DORA article 1.2 articulates the two regimes: DORA prevails on the obligations it specifically covers, NIS2 applies to the rest.
In summary: 12 months to transform the KYC ICT chain
DORA and NIS2 are not just two more cybersecurity texts. They redefine the chain of responsibility for KYC frameworks and their eIDV providers. Anticipating now puts you two quarters ahead of the first complete ACPR/ANSSI inspections, and it also makes your framework immediately attractive to the large banks and fintechs that now require DORA-aligned providers from the first RFP. Competition among eIDV providers today is decided as much on proven resilience as on acceptance rates.
To go further, consult our KYC/eIDV compliance pillar for France, our KYC pillar, our eIDV pillar, our article on how to implement a KYC framework, and our comparison KYC vs eIDV. For a direct conversation, contact our experts.