DORA is Transforming Compliance in Europe's Financial Sector, but Most Firms Remain Unprepared

Fourteen months after the Digital Operational Resilience Act took effect, Europe’s financial institutions still face challenges in complying with it. The regulation has applied since January 17, 2025, with the aim of strengthening digital risk management across the EU, and it has exposed significant gaps in firms’ readiness.

A McKinsey survey indicated that only a third of major European financial institutions were confident in meeting all DORA requirements by January 2025. Deloitte’s research echoed this, with 50% expecting full compliance by the end of 2025 and 38% delaying until 2026. Nearly half (46%) cited the Register of Information as the most challenging requirement.

These aren’t mere theoretical issues but represent active regulatory risks, with potential fines reaching 2% of annual worldwide turnover and personal penalties up to EUR1 million for non-compliant senior managers.

**What DORA Requires**

DORA covers more entities than expected, including banks, insurers, payment institutions, electronic money and crypto-asset service providers, investment firms, and their ICT service providers. The European Supervisory Authorities estimate over 22,000 entities are affected, alongside hundreds of technology vendors.

The regulation is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk oversight, and information sharing. Each comes with technical standards, reporting obligations, and supervisory expectations. The regulatory push toward structured oversight is growing.

Uniquely, DORA focuses on continuity, not just point-in-time certification. It demands ongoing operational resilience, real-time monitoring, and compliance proof, marking a significant shift for teams used to annual audits.

**March 2026: The Register of Information Test**

The 2026 focus is the second Register of Information submission under Article 28 of DORA, requiring documentation of all ICT third-party contracts by March 31 annually. The reference date is December 31, 2025. Deadlines vary: Germany’s BaFin from March 9-30, Netherlands’ DNB and AFM on March 20, Malta’s MFSA by March 21, and Luxembourg’s CSSF opened submissions on February 11 through March 31.

The 2025 pilot round showed significant friction, with many firms lacking a centralized view of their ICT vendor relationships. Data quality problems included incomplete records and service classifications that were inconsistent with the ESAs’ taxonomy. Deloitte found that 46% of financial entities considered the Register of Information the hardest DORA requirement.

**The 19 Providers Under Direct EU Oversight**

In November 2025, the ESAs listed 19 critical ICT third-party providers like Amazon Web Services, Google Cloud, Microsoft, Oracle, SAP, and Deutsche Telekom for direct oversight. Criteria included potential failure impact, reliance concentration, and substitutability. These providers face annual risk assessments, reporting requirements, and inspections by ESAs.

Financial institutions relying on these providers must assess and mitigate concentration risk, mapping critical functions on these platforms and proving contingency plans for outages. For firms with single-cloud infrastructures, this necessitates extensive remediation.

**Mandatory Penetration Testing**

DORA requires significant institutions to conduct threat-led penetration testing (TLPT) on live systems at least every three years. The Regulatory Technical Standards dictate external threat intelligence and red teams for every third test. Tests target critical functions and third-party providers.

TLPT simulates real-world cyberattacks to assess detection and response capabilities, imposing significant costs and operational risks.

**Costs of Compliance**

Deloitte found 96% of institutions estimated DORA compliance costs, mostly between EUR2 million and EUR5 million. McKinsey adds that 70% anticipate permanently higher technology costs. Non-compliance is costlier, with possible repeated penalties and loss of licenses.

National enforcement varies, but 2026 marks a shift to active enforcement, requiring real-time evidence of resilience and ICT risk control.

**Role of Automation**

Compliance automation is growing due to gaps between DORA’s demands and manual capabilities. Platforms centralizing evidence collection and continuous monitoring are rising in demand. The space includes US companies expanding in Europe and EU-native platforms like Copla, focusing on DORA and other regulations.

This trend reflects a structural shift in compliance execution, with early adapters embedding automation into operations.

**Future Directions**

DORA is evolving, with updates to critical ICT providers and additional standards forthcoming. The first full Register of Information cycle will provide a comprehensive view of ICT concentration risk, potentially leading to stricter controls.

For financial institutions, DORA compliance is an ongoing capability demanding investment and infrastructure, essential not only to avoid fines but also to manage operational disruptions efficiently.