Case Study

Regional Bank: DORA Compliance in 4 Months

How a regional bank with 1,500 employees achieved 87% DORA compliance in 4 months with ResiPlan, on a controlled €3.2M budget.

Tags: DORA, banking, finance, ICT, customer case

Faced with DORA coming into force and the prospect of an ACPR inspection in 2026, a French regional bank launched an accelerated compliance programme. In four months, the institution raised its compliance rate from 41% to 87%, using ResiPlan to orchestrate the five pillars of the regulation.

Context

The organisation is a French regional mutualist bank operating in the south-west:

  • 1,500 employees
  • 320,000 retail and professional customers
  • 98 branches and 3 operations centres
  • Hybrid information system (sovereign core banking, cloud-based business applications)
  • 250 ICT providers, 18 of them critical (public cloud, core banking vendor, shared computing centre)

In October 2025, the risk management function assessed DORA compliance at 41%, with significant gaps on the register of information, incident classification and exit strategy for critical providers.

Challenge

The bank had to meet three constraints at the same time:

  1. Timeline: four months before the ACPR mission, twice the industry-average pace
  2. Cross-functional scope: 12 departments involved, from legal and procurement to IT
  3. Budget: capped envelope of €3.2M, covering tooling, advisory support and upskilling

The initial approach based on spreadsheets and SharePoint quickly proved unmanageable across 250 providers and more than 800 requirements derived from the RTS.

Four-phase approach

Phase 1: foundation and mapping (month 1)

ResiPlan was deployed across the CMDB scope (ICT assets and critical functions): 2,400 assets were imported from the existing CMDB, enriched by their owners and linked to 54 business processes. 22 departmental coordinators were trained.

Phase 2: third parties and contracts (month 2)

Population of the register of information for 250 ICT providers, in the ESA format. Procurement teams used ResiPlan templates to collect missing DORA clauses from suppliers. The 18 critical providers underwent a concentration analysis and received a formal exit strategy.

Phase 3: incidents and testing (month 3)

Rollout of the incident classification engine against the seven ESA criteria, with thresholds configured for the bank's size. Connection to the existing SIEM for automated ingestion. Annual resilience testing programme documented, including a first four-hour multi-function tabletop on a ransomware scenario targeting core banking.

Phase 4: reporting and steering (month 4)

Automated generation of the register of information in ESA format, reviewed by ExCo and validated by the board. DORA dashboards shared with risk management and internal audit. Simulated incident notification under real conditions to test the 4h / 72h / 1 month workflow.

Results

Indicator                              Before          After 4 months
DORA compliance rate                   41%             87%
Documented ICT providers               72% partial     100%
DORA clauses in critical contracts     6 / 18          17 / 18
Major incident classification time     not measured    < 2h
Resilience exercises completed         0 in 2025       3 in 4 months
Budget consumed                                        €2.8M / €3.2M

The ACPR mission, conducted in April 2026, confirmed the adequacy of the framework and issued three minor recommendations on formalising the annual review and enhancing the multi-year testing plan.

Lessons learned

What worked:

  • Direct sponsorship from the CEO with fortnightly check-ins
  • A single project lead with cross-functional authority
  • Choosing one unified platform rather than assembling point tools
  • Leveraging preconfigured DORA templates to save time
  • Involving procurement from month one

What to prepare in advance:

  • A clean CMDB inventory: initial data quality drives 60% of the timeline
  • Formalised third-party governance before populating the register
  • Business availability to validate BIA RTOs and RPOs
  • A 15% budget envelope for change management

Learn more

ResiPlan supports banks, insurers and investment firms on their DORA journey. The platform covers the five pillars, generates ESA reports in the required format and integrates with existing SIEM and CMDB systems.

Case study anonymised with customer consent. Certain figures are rounded to preserve confidentiality.

