DORA Exposes Digital Resilience Gaps in EU Finance
Fourteen months after the Digital Operational Resilience Act became enforceable, most EU financial institutions remain materially exposed. Despite DORA applying from 17 January 2025, surveys show that only a minority of firms were ready on day one, with many pushing full compliance into 2026. These delays now carry real regulatory risk, as DORA allows fines of up to 2 percent of global annual turnover and personal penalties of up to €1 million for senior management. What was initially treated as a transition exercise is now firmly within the enforcement phase.
DORA’s breadth continues to be underestimated. It covers not only banks and insurers, but also payment institutions, investment firms, crypto-asset service providers, and their ICT suppliers. More than 22,000 financial entities fall within scope. The regulation imposes continuous obligations across ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing. Compliance is not episodic; firms must maintain evidence and controls that can be demonstrated to supervisors at any time.
In 2026, the central operational test is the second annual submission of the Register of Information. Financial entities must provide a complete inventory of all ICT third-party contracts in force as of 31 December 2025, with national authorities forwarding the data to the European Supervisory Authorities by 31 March. The first submission cycle revealed widespread data gaps, fragmented vendor records, and inconsistent service classification. Nearly half of institutions identify the register as the most difficult DORA requirement, particularly where hundreds of vendors operate across multiple jurisdictions.
Supervisory pressure is also increasing through direct EU oversight of designated critical ICT providers and the rollout of mandatory threat-led penetration testing for significant institutions. These measures force firms to confront concentration risk, cloud dependency, and real-world cyber resilience. Compliance costs commonly range between €2 million and €5 million, with long-term increases in operating expenses. As regulators move from framework reviews to proof-based supervision, many institutions are turning to compliance automation to sustain continuous oversight. DORA is no longer a compliance project; it is an operating model for managing digital risk.