Regulatory Influencer: DORA Year Two - Moving from Implementation to Application

March 23, 2026
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) became applicable across EU member states on January 17, 2025. As we enter the second year of application, how has the regulation transformed the operational resilience of the financial sector in Europe?

DORA was introduced because the EU financial sector had become increasingly dependent on digital infrastructure and on ICT third-party providers while the rules governing that dependence were fragmented across member states and sectoral regimes, leaving the systemic risk it created poorly understood. The regulation set out to harmonise ICT risk management and digital operational resilience requirements across the EU financial sector.

When it became applicable, it brought every regulated financial entity within its scope and, through the contractual requirements it imposes on them, reached their ICT third-party providers as well, creating a shared responsibility for operational resilience between the parties. Although DORA is an EU regulation, it affects contracts with third-party providers established outside the EU, so its implications reach well beyond the member states.

Industry Preparedness and Initial Challenges

It has now been over a year since DORA became applicable within the European Union, and the teething problems of application have become apparent. Many financial entities underestimated the work required to become DORA compliant, and some have been short of both time and resources in implementing DORA and in ensuring the operational resilience of their business.

Across the sector, from payment institutions and crypto-asset service providers to investment firms and banks, entities have struggled to implement DORA, as demonstrated in the Malta Financial Services Authority’s (MFSA) “Dear CEO” letter published in September 2025. The letter highlighted deficiencies and recurring gaps in entities’ implementation of DORA, ranging from ICT risk management frameworks and ICT-related incident management to digital operational resilience testing and the management of ICT third-party risk, and stressed the need for continued focus and improvement.

To improve DORA compliance, financial entities should have a complete and current picture of their IT architecture, including their suppliers, SaaS and other third-party providers and the dependencies between them. Only with that picture can they tailor their policies and implement controls that actually address their operational resilience requirements, rather than documenting controls for an estate they do not fully know.

As the MFSA noted, financial entities in Malta have not fully grasped risk management in relation to their digital operational resilience. In July 2025, the Central Bank of Ireland (CBI) also published Cross-Industry Guidance on Operational Resilience, aimed at addressing existing vulnerabilities and weaknesses and mitigating further risks in the financial system, again suggesting that obliged entities needed further clarification. The observations made by the MFSA and the CBI are not localised to Malta and Ireland: other competent authorities throughout the member states have also released further guidance and advice.

Initially, many financial entities treated DORA as a compliance task that could be closed by assembling policy documents and statements describing how the entity would, in theory, apply operational resilience within its business. As the first year progressed, however, it became clear that DORA is about the practical application of those policies, not merely their existence.

National Regulatory Response 

The sentiment of competent authorities is that DORA is not solely about implementation but also about application. Regulators are now interested in the practical operation of resilience measures, not just the policies that obliged entities have put in place. Competent authorities want to see how the different functions within an organisation carry out ICT risk management, how ICT-related incident management processes work in practice, how the risks presented by ICT third-party providers are managed and how obliged entities conduct their digital operational resilience testing. If these policies are never tested, how will entities know whether they work and hold up under different scenarios?

According to Horizon Scanning data, of the guidance that the relevant authorities published throughout 2024 and 2025, 20 percent related to the application of operational resilience, helping entities ensure that they were in line with the obligations set out in DORA. The Belgian Financial Services and Markets Authority published educational documents on DORA in September 2024 to help financial entities understand its key provisions and obligations. The Dutch Authority for the Financial Markets published a guidance series on the application of DORA in 2024, and Luxembourg’s Commission de Surveillance du Secteur Financier published multiple circulars in 2025 on ICT and security risk management and on the use of ICT third-party services.

Before and since the regulation became applicable, competent authorities have sought to help obliged entities comply with DORA in order to better protect the financial ecosystem. Now that a year has passed, the honeymoon period may be over. Entities have had enough time to achieve compliance not just on paper but in practice, and the tone from competent authorities appears to be shifting from conciliatory to more stringent supervision. For example, in the Netherlands, the Authority for the Financial Markets (AFM) set out in its 2026 agenda that it plans to “intensify its supervision of digital resilience”. In 2026 and beyond, enforcement actions are likely for entities that have not succeeded in applying their DORA obligations. Depending on the jurisdiction, competent authorities can impose administrative fines of up to 10 percent of an entity’s annual turnover, which should act as a significant deterrent to non-compliance.

The Future of DORA

Moving into the next phase of DORA, obliged entities have to plan beyond being compliant towards being sustainably and strategically operationally resilient. Many entities rely on a small number of non-European IT suppliers for their outsourced activities, a reliance that can create concentration and systemic risk, as noted by the Dutch Central Bank and the AFM in a joint report published in October 2025. To mitigate these risks and become strategically resilient, especially in relation to third-party provider risk, entities are encouraged to establish multi-vendor solutions, diversify their suppliers and conduct end-to-end testing. But before they can do any of this, as noted above, they first need a complete understanding of their IT architecture.

As the supervision of DORA also enters into a new phase, the approach by competent authorities is likely to change. We are likely to see:

  • A transition from warnings to enforcement action.
  • More scrutiny of policies and their implementation.
  • More scrutiny of new licence applicants in relation to their operational resilience, as DORA compliance and operational resilience become more embedded in licensing requirements related to IT risk policies and measures.
  • More testing and thematic reviews of entities’ operational resilience policies, as competent authorities in member states such as France and Finland confirm that operational resilience will be a topic of their thematic reviews and audits in 2026 and beyond.

Firms should now focus on:

  • Execute, test and approve their policies on a continuous basis.
  • Improve their succession and business continuity plans and test them regularly.
  • Move beyond “paper compliance” to active, tested and board-accountable resilience.
  • Identify and document the key responsible people across the business and its functions.
  • Embed operational resilience into day-to-day operations by:
    • Identifying the critical services customers rely on and prioritising work by customer impact, not just by the technical severity of a system outage.
    • Integrating resilience into change management by embedding resilience checks into vendor onboarding and any transformation projects.
    • Managing third-party and supply chain risk by continuously monitoring critical suppliers, maintaining workable exit strategies that plan for substitution or failure, and aligning third-party resilience with their own impact tolerances.
    • Making operational resilience the operating model of the business, with regular reviews, continuous improvement loops and lessons learned from incidents and near misses.
  • Identify and document their critical third-party providers.
  • Ensure DORA addenda have been added to their existing critical third-party contracts, if not already done.

A year of implementation may not be enough time to see the impact that DORA has had on making the financial ecosystem more digitally operationally resilient; it is evident, however, that entities have struggled to implement it satisfactorily. As we move further into 2026, the second year of DORA, implementation gives way to application and enforcement, with competent authorities shifting their focus from “are policies and procedures in place?” to “do they actually work?”. A core objective of DORA is the monitoring and testing of a business’s operational resilience, and those that fall short are likely to find themselves on the receiving end of enforcement action from competent authorities.

Digital operational resilience is not merely a regulatory requirement but a fundamental pillar of trust, stability and competitiveness in the financial sector. As such, DORA compliance is not just the responsibility of a financial entity’s compliance function but of multiple teams, including legal, technology and product, with ultimate responsibility lying with the board. Financial institutions should make operational resilience a core priority: those that treat it as a strategic differentiator will be better able to withstand disruptions, protect customers and markets, and maintain trust in an increasingly complex and uncertain risk environment. Financial entities that get DORA compliance right in Europe will also be better prepared as operational resilience frameworks are created elsewhere, with more and more jurisdictions outside Europe developing their own, as seen, for example, in Australia, the United Arab Emirates and Singapore.
