The $181 Billion Question: Why DORA Compliance Spending Will Transform RegTech

The Compliance Cost Landscape
The financial sector's compliance spending has reached industrial scale. Industry estimates peg annual compliance costs at approximately $181 billion globally — a figure that encompasses regulatory reporting, risk management technology, compliance personnel, legal advisory, audit fees, and the technology infrastructure that supports all of these activities.
DORA adds to this burden, but it also restructures it. Earlier regimes landed mostly on a single function (MiFID II on transaction reporting, GDPR on data protection and privacy operations); DORA's requirements cut across technology infrastructure, operational processes, third-party relationships, governance structures and testing programmes at once. This breadth creates demand across several technology categories simultaneously, and the market is responding.
The GRC (Governance, Risk and Compliance) market, which captures the core technology platforms for DORA compliance, is projected to grow from USD 21 billion in 2025 to USD 42 billion by 2031, representing a 12.3% compound annual growth rate. Gartner projects that compliance functions will increase their GRC platform spending by 50% by 2026. And McKinsey's survey of financial institutions found that 70% expect permanently higher compliance run costs — not a temporary spike followed by a return to baseline, but a structural increase in the cost of doing business in regulated finance.
DORA's specific contribution to this spending wave is estimated at USD 3-4 billion in incremental RegTech investment between 2025 and 2028. This figure captures technology spending directly attributable to DORA requirements — over and above what institutions would have spent on general compliance technology in the absence of the regulation.
Where the Money Goes
DORA compliance spending distributes unevenly across five investment categories. Understanding this distribution is essential for institutions planning their budgets and for technology vendors positioning their products.
| Investment category | Share of DORA spend | Key activities | Timeline |
|---|---|---|---|
| Technology platforms | ~35% | GRC platforms, risk management tools, evidence management, testing infrastructure | Year 1-2 (implementation) + ongoing licensing |
| People | ~25% | Compliance officers, ICT risk managers, testing specialists, third-party risk analysts | Permanent headcount increase |
| Professional services | ~20% | Gap assessments, framework design, contract renegotiation, TLPT providers, legal advisory | Year 1-2 (peak) tapering to advisory |
| Licensing and subscriptions | ~10% | Software licenses, threat intelligence feeds, testing tools, monitoring platforms | Annual recurring |
| Ongoing operations | ~10% | Continuous monitoring, testing execution, register maintenance, audit preparation | Annual recurring |
The distribution reveals a pattern familiar from GDPR implementation: a significant upfront investment in technology and professional services (Years 1-2), followed by a permanent increase in operational costs (ongoing licensing, people, and continuous monitoring). McKinsey's finding that 70% expect permanently higher run costs reflects this structural shift.
The Cost Variation by Institution Size
DORA compliance costs vary dramatically by institution size, creating proportionality pressures that Art. 4 was designed to address:
| Institution tier | Annual revenue range | Estimated DORA compliance cost | Cost as % of revenue |
|---|---|---|---|
| Tier 1: GSIBs and large banks | EUR 10B+ | EUR 50-100M | 0.05-1% (0.5-1% at EUR 10B revenue; below 0.1% only for the largest GSIBs) |
| Tier 2: Large regional banks | EUR 1-10B | EUR 5-20M | 0.2-0.5% |
| Tier 3: Mid-size institutions | EUR 100M-1B | EUR 2-5M | 0.5-2% |
| Tier 4: Small institutions | EUR 10-100M | EUR 500K-2M | 2-5% |
| Tier 5: Micro-entities | < EUR 10M | EUR 100-500K | 3-10% |
The percentages pair each tier's cost range with its revenue range, so the bands are indicative rather than exact, but the regressive shape is clear: large institutions absorb DORA compliance as a marginal cost increase, while smaller entities face compliance costs that are a material share of revenue. This is the proportionality problem that 22% of survey respondents cited when calling for DORA simplification.
The RegTech Categories Poised for Growth
DORA creates demand across specific RegTech categories. The categories experiencing the most significant DORA-driven growth are:
1. Third-Party Risk Management (TPRM) Platforms
Art. 28-44 created the largest new compliance workstream: the Register of Information, ongoing due diligence, contractual compliance monitoring, concentration risk assessment, exit strategy documentation, and CTPP engagement management. Institutions need purpose-built technology to manage these requirements at scale.
The TPRM category is expected to grow fastest among DORA-adjacent technology segments. Platforms that combine vendor register management, contractual compliance tracking, concentration risk analytics (Herfindahl-Hirschman Index (HHI) calculation per critical or important function, single-point-of-failure detection) and exit strategy documentation are seeing significant demand increases.
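As an added illustration of the concentration analytics mentioned above (this is example code written for this article, not a vendor platform's logic or anything prescribed by DORA), the following computes an HHI per critical or important function and for the entity as a whole from a constructed Register of Information extract, flags functions whose only provider has no documented substitute, and lists which functions each provider underpins. The register entries, provider names and spend figures are invented, and the 2,500 "high concentration" threshold is an assumption borrowed from antitrust practice rather than a DORA figure.

```python
"""Concentration-risk analytics over an ICT third-party register.

Added example: not code from the original article, a regulator, or any
vendor. Shares are computed from annual contract value as a proxy for
dependency; substitute whatever measure your register carries.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold (antitrust convention, not a DORA requirement): an HHI at
# or above this value is treated as highly concentrated.
HIGH_CONCENTRATION = 2500


@dataclass(frozen=True)
class RegisterEntry:
    function: str        # critical or important function supported
    provider: str        # ICT third-party provider (hypothetical name)
    spend: float         # annual contract value, EUR (constructed figure)
    substitutable: bool  # can the function move to another provider within the exit plan?


# Constructed sample register extract; every name and figure is invented.
REGISTER = [
    RegisterEntry("payments", "CloudA", 600_000, True),
    RegisterEntry("payments", "CloudB", 300_000, True),
    RegisterEntry("payments", "CloudC", 100_000, True),
    RegisterEntry("core_banking", "CoreVendor", 2_000_000, False),
    RegisterEntry("trading", "CloudA", 500_000, True),
    RegisterEntry("reporting", "CloudA", 250_000, True),
    RegisterEntry("reporting", "CloudB", 250_000, True),
]


def hhi(shares):
    """HHI of fractional shares that sum to 1, on the usual 0-10,000 scale."""
    return sum((s * 100) ** 2 for s in shares)


def _spend_by_provider(entries):
    totals = defaultdict(float)
    for e in entries:
        totals[e.provider] += e.spend
    return totals


def _group_by_function(register):
    by_function = defaultdict(list)
    for e in register:
        by_function[e.function].append(e)
    return by_function


def function_hhi(register):
    """HHI per function: 10,000 means a single provider carries the whole function."""
    out = {}
    for fn, entries in _group_by_function(register).items():
        totals = _spend_by_provider(entries)
        total = sum(totals.values())
        out[fn] = round(hhi([v / total for v in totals.values()]), 1)
    return out


def entity_hhi(register):
    """Entity-level HHI across all providers, the Art. 29 style aggregate view."""
    totals = _spend_by_provider(register)
    total = sum(totals.values())
    return round(hhi([v / total for v in totals.values()]), 1)


def single_points_of_failure(register):
    """Functions served by exactly one provider with no documented substitute."""
    spofs = []
    for fn, entries in sorted(_group_by_function(register).items()):
        providers = {e.provider for e in entries}
        if len(providers) == 1 and not any(e.substitutable for e in entries):
            spofs.append(fn)
    return spofs


def provider_exposure(register):
    """Functions each provider supports; a provider behind several functions is a
    correlated failure even where each function's own HHI looks acceptable."""
    exposure = defaultdict(set)
    for e in register:
        exposure[e.provider].add(e.function)
    return {p: sorted(fns) for p, fns in exposure.items()}


def assess(register, threshold=HIGH_CONCENTRATION):
    """One finding per function, combining the HHI and the substitutability check."""
    fn_hhi = function_hhi(register)
    spofs = set(single_points_of_failure(register))
    return [
        {
            "function": fn,
            "hhi": fn_hhi[fn],
            "high_concentration": fn_hhi[fn] >= threshold,
            "single_point_of_failure": fn in spofs,
        }
        for fn in sorted(fn_hhi)
    ]


if __name__ == "__main__":
    for finding in assess(REGISTER):
        print(finding)
    print("entity HHI:", entity_hhi(REGISTER))
    print("provider exposure:", provider_exposure(REGISTER))
```

Note the two different signals: `trading` scores 10,000 on HHI yet is not a single point of failure because an exit path is documented, whereas `core_banking` is both concentrated and non-substitutable. The exposure view is what catches a provider such as `CloudA` that sits under three functions at once.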
2. ICT Risk Management and GRC Platforms
Art. 5-16 require a comprehensive ICT risk management framework that integrates asset identification, risk assessment, control management, and board reporting. Traditional GRC platforms are expanding to address DORA's specific requirements: ICT asset registries (Art. 8), protection and prevention controls (Art. 9), detection capabilities (Art. 10), and recovery management (Art. 11-12).
The integration requirement — that ICT risk management connects to testing (Art. 24), incident management (Art. 17), and third-party risk (Art. 28) — favors platform vendors over point solutions. Institutions are increasingly seeking unified platforms that manage DORA compliance across pillars rather than separate tools for each requirement.
3. Testing and Vulnerability Management
Art. 24-27 formalize testing requirements and introduce TLPT for systemically important institutions. The testing technology market encompasses: automated vulnerability scanning, penetration testing platforms, TLPT coordination tools, threat intelligence feeds, and testing evidence management.
The TLPT requirement specifically is driving demand for specialized testing service providers and the platforms that coordinate TLPT engagements (threat intelligence provider management, red team coordination, NCA reporting).
4. Incident Management and Reporting
Art. 17-23 require formalized incident classification, deadline-driven reporting under Art. 19 (initial notification within 4 hours of classifying an incident as major, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report, per the implementing RTS), and root cause analysis. Technology platforms that automate incident classification against the Art. 18 criteria, track these reporting clocks, and produce NCA-formatted notifications are seeing DORA-driven demand.
5. Evidence and Audit Management
DORA's implicit evidence requirements — testing must produce evidence, recovery plans must be tested with documented results, governance decisions must be traceable — create demand for evidence management platforms. These platforms manage the lifecycle of compliance evidence: collection, quality assurance, integrity verification, storage, and production during examinations.
6. Continuous Compliance Monitoring
The shift from annual compliance checks to continuous assurance — driven by Art. 6(5)'s requirement for regular framework review and the operational reality of 100+ cloud outages in 12 months — creates demand for real-time compliance monitoring platforms. These platforms ingest data from operational systems, assess it against compliance rules, and alert on deviations.
The Build vs. Buy Decision
Institutions face a strategic choice: build DORA compliance capabilities internally or buy purpose-built platforms. The economics differ by institution size:
| Factor | Build (internal development) | Buy (platform vendor) |
|---|---|---|
| Upfront cost | Higher (development, integration) | Lower (subscription model) |
| Time to value | 12-24 months | 3-6 months |
| Customization | Full control | Vendor roadmap dependency |
| Ongoing cost | Variable (maintenance, updates) | Predictable (subscription) |
| Regulatory updates | Institution must track and implement | Vendor incorporates updates |
| Best fit for | Tier 1 institutions with existing platforms | Tier 2-5 institutions seeking rapid compliance |
For most institutions, the answer is a hybrid: retain existing enterprise platforms for core risk management while augmenting with DORA-specific tools for novel requirements (TPRM, TLPT coordination, incident reporting automation, evidence management).
The Market Dynamics: Consolidation Ahead
The DORA compliance technology market is in its early growth phase, characterized by a proliferation of point solutions and niche vendors. The market dynamics suggest consolidation over the next 3-5 years:
Platform vendors expanding. Major GRC platforms (ServiceNow, Archer, MetricStream) are adding DORA-specific modules. Their advantage: existing enterprise relationships and integration with broader risk management ecosystems.
Niche DORA specialists. Purpose-built DORA compliance platforms offer depth in specific areas (TPRM, testing, evidence management) but face scalability and integration challenges as institutions seek unified solutions.
RegTech acquisitions. Established compliance technology vendors are acquiring DORA-specialist startups to accelerate capability development. This pattern mirrors the post-GDPR acquisition wave in privacy technology.
Cloud provider compliance tools. AWS, Azure, and Google Cloud are developing compliance tools that help their financial sector customers meet DORA requirements — specifically for cloud-related provisions (Art. 29 concentration risk, Art. 28(8) exit strategies). This creates an interesting dynamic where the entities designated as CTPPs also provide tools to manage the risks their designation creates.
The ROI Framework
For CFOs and compliance leaders justifying DORA technology investment, the ROI framework encompasses three dimensions:
Direct cost avoidance. DORA is a regulation and applies directly, but Art. 50 leaves penalties to the member states, and the resulting national regimes range from EUR 2 million (Czech Republic) to EUR 20 million (Italy) in absolute terms, and up to 10% of turnover (Sweden) in percentage terms. Our penalty analysis maps the full divergence across the 27 member states. Technology that prevents penalty-triggering deficiencies provides direct cost avoidance.
Operational efficiency. Manual compliance processes — spreadsheet-based registers, email-driven incident reporting, document-folder evidence management — consume person-hours that technology can reduce by 60-80%. For a mid-sized institution spending EUR 1 million per year on manual compliance operations, a platform that automates 70% of the workload pays for itself within 18-24 months.
Incident cost reduction. Institutions with mature operational resilience capabilities recover faster from disruptions, reducing customer impact, reputational damage, and compensation costs. Barclays paid GBP 12.5 million in IT failure compensation over two years. Technology that improves recovery capabilities can be valued against the avoided incident costs.
The $181 Billion Reallocation
The $181 billion in annual compliance spending is not new money — it is being reallocated. Financial institutions are shifting compliance budgets from labor-intensive, manual processes toward technology-driven automation. DORA accelerates this reallocation by requiring capabilities that cannot be achieved manually: real-time concentration risk monitoring, automated incident classification and reporting, continuous evidence management, and formalized testing programmes with documented results.
The RegTech vendors that capture the largest share of this reallocation will be those that: address DORA requirements comprehensively (across pillars, not in silos), integrate with existing enterprise risk management platforms, provide regulatory update automation (as RTS/ITS evolve), and demonstrate measurable ROI through efficiency gains and risk reduction.
For financial institutions, the question is not whether to invest in DORA compliance technology; the regulation makes that mandatory. The question is how to invest efficiently: selecting platforms that minimize implementation risk, reduce ongoing operational burden, and provide the evidence trail that supervisors, the three ESAs (EBA, EIOPA and ESMA) together with national competent authorities, will increasingly demand.
This analysis reflects industry market data from Mordor Intelligence, Gartner, McKinsey, and Deloitte as of Q4 2025. Market projections are estimates and subject to market conditions.