Tobias Massow
As of 17 January 2025, DORA is enforceable law. The EU's Digital Operational Resilience Act (DORA) requires over 22,000 financial entities across the EU to implement uniform ICT risk management practices. Fifteen months after the regulation entered into force, only half of the affected institutions expected to be fully compliant by that application date. The second Register of Information submission is due in March 2026, and 46 percent of institutions identify this reporting requirement as their biggest challenge.
Financial institutions are no strangers to regulation. MaRisk, BAIT, the EBA guidelines: the list of frameworks for IT security and operational risk management is long. Yet DORA represents a paradigm shift, for three reasons.
First: direct applicability. DORA is an EU regulation, not a directive. It applies directly, without national transposition, in all EU member states, so there is no national dilution and no further grace period. What applied on 17 January 2025 remains in force today. National regulators such as Germany's BaFin or Austria's FMA enforce DORA directly; accompanying national laws only designate the competent authorities and set the penalty framework, since Article 50 leaves the level of administrative penalties to the member states. For institutions previously operating mainly under national rules, this means a denser set of requirements coupled with tighter oversight.
Second: Coverage of the entire ICT supply chain. DORA does not stop at the financial institution itself. It explicitly includes all ICT third-party providers-cloud providers, SaaS platforms, data center operators, managed service providers. Financial firms must assess, document, and manage risks across their entire ICT supply chain. Contracts with third-party providers must include mandatory clauses on security, resilience, and exit capabilities.
Third: the Register of Information. DORA requires every financial entity to maintain a register of all contractual arrangements for ICT services provided by third-party providers. The register must be kept up to date, reported to the competent authority, and made available in full upon request. The second submission is due in March 2026. What may sound like a mere documentation requirement is, in practice, an inventory exercise that pushes many organizations to the limits of their processes, because for the first time they must fully map which external ICT services they actually use. Adding to the challenge, the format and granularity of the submission are strictly defined by implementing technical standards (ITS), which prescribe a set of linked templates with fixed data fields. A simple Excel spreadsheet will not suffice.
The Deloitte Wave 3 Survey on DORA implementation paints a sobering picture. Only 50 percent of financial institutions expected to achieve full compliance by the enforcement date in January 2025. Another 38 percent cited 2026 as their target. The remaining 12 percent had not yet established a concrete timeline at the time of the survey.
This does not mean half of all institutions were inactive. Many have already met individual requirements: establishing ICT risk management frameworks, defining incident reporting processes, initiating contract adjustments with third-party providers. But full compliance requires all five pillars to be in place simultaneously: ICT risk management, ICT incident management and reporting, digital operational resilience testing, ICT third-party risk management (including the Register of Information), and information-sharing arrangements. It is the complete package that presents the challenge. Implementing individual pillars in isolation is insufficient; DORA demands an integrated framework in which all components interlock and are subject to regulatory verification through auditable documentation.
Costs are not the primary bottleneck. Ninety-six percent of institutions have already calculated their compliance expenditures, with most estimates falling between €2 million and €5 million. For larger institutions, these are manageable amounts. The issue is not a lack of funding, but the organizational capacity to advance all workstreams in parallel.
A cross-sector pattern emerges: large, systemically important institutions have greater resources but also higher complexity. They face additional requirements such as Threat-Led Penetration Testing and, in the case of significant banks, are supervised directly at European level. Smaller institutions experience less regulatory pressure but also have fewer specialized staff. Mid-sized organizations (regional banks, specialty insurers, asset managers) are the most likely to fall into the compliance gap: too large to qualify for exemptions, yet too small to maintain dedicated DORA teams.
The key question for every executive board is no longer whether DORA compliance must be achieved-that is a given. The real question is whether the organization can turn compliance into a strategic advantage rather than treating it merely as a regulatory burden. Institutions that have made their ICT supply chains transparent and manageable gain the ability to respond faster to disruptions, switch providers more efficiently, and demonstrate higher resilience to customers and partners.
The Register of Information. Forty-six percent of financial institutions cite the ROI as the single biggest challenge in implementing DORA. The reason: many organizations do not have full visibility into which ICT services they actually use. Shadow IT and fragmented procurement channels mean that contracts are scattered across departments, often without central documentation. The ROI demands a granularity of documentation that the operational processes in many institutions simply cannot support.
ICT Third-Party Management. DORA demands not just an inventory, but active risk assessments of all third-party providers and the contractual enforcement of resilience standards. For an average financial institution with 50 to 200 ICT service providers, this is a cross-functional project involving procurement, legal, IT, and risk management simultaneously. Thirty-nine percent of institutions have assigned 5 to 7 full-time employees exclusively to DORA compliance. Eight percent have not even estimated their staffing needs yet.
Resilience Testing. DORA mandates regular testing of digital operational resilience, including Threat-Led Penetration Testing (TLPT) at least every three years for institutions designated by their competent authority on the basis of their systemic importance and risk profile. These tests require specialized expertise that is rarely available in-house. The capacity of qualified external testers is limited, and lead times are long. Many institutions now face a situation where they understand their testing obligations but lack the internal or external resources to meet them on time.
DORA intensifies liability across all levels. The sanctions regime is multi-tiered, affecting both institutions and responsible individuals.
DORA itself does not fix the amounts: Article 50 leaves the design of administrative penalties, including penalties against members of the management body, to the member states. The figures most often quoted as the benchmark are fines of up to 2 percent of global annual turnover for the institution and personal fines of up to €1 million for senior managers where a compliance failure is proven. For a mid-sized bank with €2 billion in revenue, the former would mean a potential penalty of €40 million. Whatever the national figure, the principle is fixed in the regulation: the management body bears the ultimate responsibility for ICT risk and can be held accountable for it.
Of particular relevance for IT strategy: critical ICT third-party providers, once designated as such by the European Supervisory Authorities, can be sanctioned directly. The Lead Overseer may impose periodic penalty payments of up to 1 percent of the provider's average daily global turnover for each day of non-compliance, for up to six months. This creates a new dynamic in negotiations with cloud providers and platform vendors: DORA compliance is no longer just a concern for financial institutions, but for the entire supply chain.
Under DORA, supervisory authorities have extensive powers: access to documents and data, on-site inspections, and the ability to order remedial measures. Member states may additionally introduce criminal penalties. Enforcement is no longer theoretical-it has already begun. The first audits are underway, regulators are actively expanding their capacities, and member states’ sanctioning frameworks are being progressively clarified.
Institutions systematically closing their compliance gap follow a three-phase approach.
Phase 1: Prioritize the Register of Information. The ROI is the most visible compliance deliverable and the single biggest hurdle. Delivering it signals operational capability to regulators. The pragmatic approach: do not wait for perfection. Start with the existing contract inventory, document the gaps, and present a clear, traceable plan for completion. Regulators assess progress, not just the current state.
Phase 2: Tier third-party contracts by criticality. Not all 200 ICT service providers carry the same risk profile. Efficient institutions classify vendors according to criticality and begin contract adjustments with Tier-1 providers (cloud infrastructure, core banking systems, payment processing). Tier-2 and Tier-3 providers follow on a defined schedule. This reduces parallel workloads and frees up capacity for the most complex negotiations.
Phase 3: Do not delay resilience testing. Threat-Led Penetration Testing (TLPT) requires lead time, specialized personnel, and internal preparation. Institutions that only begin planning in 2026 will face capacity bottlenecks with external testing providers. The pragmatic solution: secure framework agreements with TLPT vendors now and begin scoping, even if the actual testing takes place later. Preparation is half the battle in compliance.
Across all three phases, one principle holds: DORA compliance is not a project with an end date, but a permanent operating model. The Register of Information must be kept continuously up to date and reported annually, resilience tests must be conducted regularly, and ICT risk management must continuously adapt to the evolving threat landscape. Institutions treating DORA as a one-off IT compliance project will fail their next audit.
One aspect frequently underestimated in implementation discussions is the cultural dimension. DORA requires that ICT risk management be recognized as a leadership responsibility. Accountability does not rest solely with the IT department, but with the executive body of the financial institution. Senior executives must approve the ICT risk strategy, review it regularly, and be prepared to justify its adequacy to regulators. This demands a level of ICT expertise at the leadership level that many institutions still need to build.
The honest assessment: DORA is no paper tiger. The combination of personal liability, third-party liability, and direct applicability makes it the most impactful IT regulation the European financial sector has ever seen. Treating it as a mere IT department compliance exercise underestimates its strategic significance. DORA is transforming how financial institutions manage their entire ICT landscape-from procurement to incident response.
DORA (Digital Operational Resilience Act) is an EU regulation on digital operational resilience in the financial sector. It has applied directly in all EU member states since January 17, 2025, affecting over 22,000 financial entities and their ICT third-party providers.
The level of administrative fines for financial institutions is set by the member states under Article 50 of DORA; the benchmark figures commonly quoted are up to 2 percent of global annual turnover for the institution and personal liability of up to €1 million for senior managers. Critical ICT providers designated by the European Supervisory Authorities can be sanctioned by the Lead Overseer with periodic penalty payments of up to 1 percent of their average daily global turnover for each day the violation persists, for up to six months.
The Register of Information is a comprehensive record of all contractual arrangements for ICT services provided by third-party providers. It must be kept up to date, reported to the competent authority, and made available in full on request. The second annual submission is due in March 2026. Forty-six percent of institutions identify it as their biggest compliance challenge.
According to Deloitte, compliance costs for most financial institutions range between €2 million and €5 million. Ninety-six percent have calculated their costs. Thirty-nine percent dedicate 5 to 7 full-time employees exclusively to DORA compliance.
Yes. DORA covers the entire ICT supply chain. Financial institutions must assess and contractually manage risks associated with all ICT third-party providers. Critical ICT providers can be directly sanctioned by supervisory authorities.
Header Image Source: Pexels / Christian Wasserfallen (px:7327875)