Budgeting for DORA Compliance: What Financial Institutions Should Expect

The Budget Conversation Most Institutions Are Having Wrong
Across Europe's financial sector, a familiar conversation is playing out in board rooms and budget committees. The compliance team presents DORA as a regulatory obligation. The CFO asks for a number. The compliance team offers a range so wide it is effectively meaningless. The board approves a budget that is either grossly insufficient or defensively inflated, and the institution enters its DORA programme without a clear understanding of where money creates compliance value and where it creates compliance theatre.
This analysis attempts to provide honest, detailed cost estimates for DORA compliance across the five pillars, broken down by institution size and distinguishing between first-year implementation and ongoing operational costs. All figures are editorial estimates informed by industry benchmarks, consulting firm publications, and observed market pricing. They should be treated as indicative ranges, not quotations.
Cost Structure by DORA Pillar
Pillar I: ICT Risk Management Framework (Art. 5-16)
This is the foundational pillar and typically the largest single investment area. It encompasses governance structure, ICT asset inventory, business impact analysis, risk assessment methodology, and the overarching risk management framework that Articles 5 through 16 prescribe.
| Component | First Year | Ongoing/Year |
|---|---|---|
| Governance framework design and documentation | EUR 80,000 - 150,000 | EUR 20,000 - 40,000 |
| ICT asset inventory and dependency mapping | EUR 60,000 - 150,000 | EUR 30,000 - 60,000 |
| Business impact analysis (BIA) | EUR 40,000 - 100,000 | EUR 20,000 - 50,000 |
| Risk assessment methodology and initial assessment | EUR 50,000 - 120,000 | EUR 30,000 - 60,000 |
| Policy development (12-20 policies) | EUR 40,000 - 80,000 | EUR 15,000 - 30,000 |
| Management body training (Art. 5(4)) | EUR 15,000 - 30,000 | EUR 10,000 - 20,000 |
| Pillar I Total | EUR 285,000 - 630,000 | EUR 125,000 - 260,000 |
The wide range reflects institutional complexity. A mid-size bank with 500 ICT assets, 30 critical functions, and 200 third-party relationships will land in the middle. A Tier-1 institution with thousands of assets and complex interconnections will exceed the upper range.
Art. 5(4) deserves specific attention: it requires the management body to "maintain sufficient knowledge and skills to be able to understand and assess ICT risk." Board training is not optional — it is a regulatory requirement that auditors will verify through training records and demonstrated competency.
Pillar II: ICT Incident Management (Art. 17-23)
Incident management costs depend heavily on the institution's existing ITSM maturity. Institutions with mature incident processes need to add regulatory classification and reporting capabilities. Those without structured incident management face a larger build.
| Component | First Year | Ongoing/Year |
|---|---|---|
| Incident classification framework (Art. 18 criteria) | EUR 30,000 - 60,000 | EUR 10,000 - 20,000 |
| Regulatory reporting workflow (3-phase, Art. 19) | EUR 40,000 - 80,000 | EUR 15,000 - 30,000 |
| Post-incident review process (Art. 13) | EUR 20,000 - 40,000 | EUR 10,000 - 20,000 |
| Integration with existing ITSM | EUR 30,000 - 80,000 | EUR 15,000 - 30,000 |
| Tabletop exercises and training | EUR 15,000 - 30,000 | EUR 15,000 - 30,000 |
| NCA reporting templates and procedures | EUR 15,000 - 30,000 | EUR 5,000 - 10,000 |
| Pillar II Total | EUR 150,000 - 320,000 | EUR 70,000 - 140,000 |
The critical cost driver is the four-hour initial notification window under Art. 19(4)(a). Meeting this timeline requires not just process but tooling: automated classification against DORA materiality thresholds, pre-built regulatory report templates, and real-time impact assessment capabilities linked to the asset inventory from Pillar I.
Pillar III: Digital Operational Resilience Testing (Art. 24-27)
Testing costs are the most variable and the most frequently underestimated. The annual baseline testing programme (Art. 25) is a standing cost. TLPT (Art. 26), required every three years for designated entities, is the single largest line item in many DORA budgets.
| Component | First Year | Ongoing/Year |
|---|---|---|
| Testing programme design and governance | EUR 30,000 - 60,000 | EUR 10,000 - 20,000 |
| Vulnerability assessments and scanning | EUR 40,000 - 80,000 | EUR 40,000 - 80,000 |
| Penetration testing (Art. 25) | EUR 60,000 - 120,000 | EUR 60,000 - 120,000 |
| Scenario-based testing | EUR 30,000 - 60,000 | EUR 30,000 - 60,000 |
| TLPT cycle (annualised over 3 years) | EUR 80,000 - 170,000 | EUR 80,000 - 170,000 |
| Test evidence management and reporting | EUR 20,000 - 40,000 | EUR 15,000 - 30,000 |
| Remediation of testing findings | EUR 50,000 - 150,000 | EUR 50,000 - 150,000 |
| Pillar III Total | EUR 310,000 - 680,000 | EUR 285,000 - 630,000 |
Remediation is the hidden cost. Testing that discovers control gaps without remediating them is worse than useless — it creates documented evidence of known deficiencies. Budget for fixing what you find, not just for finding it.
Pillar IV: ICT Third-Party Risk Management (Art. 28-44)
Pillar IV is the most operationally intensive pillar for institutions with large vendor portfolios. The contract remediation effort alone — reviewing and amending hundreds of agreements against Art. 30 requirements — can consume significant legal and procurement resources.
| Component | First Year | Ongoing/Year |
|---|---|---|
| Third-party register and classification (Art. 28(3)) | EUR 40,000 - 80,000 | EUR 20,000 - 40,000 |
| Contract review and remediation (Art. 30) | EUR 80,000 - 200,000 | EUR 30,000 - 60,000 |
| Concentration risk analysis (Art. 29) | EUR 30,000 - 60,000 | EUR 15,000 - 30,000 |
| Exit strategy documentation | EUR 30,000 - 60,000 | EUR 10,000 - 20,000 |
| Ongoing vendor due diligence | EUR 20,000 - 50,000 | EUR 40,000 - 80,000 |
| Pillar IV Total | EUR 200,000 - 450,000 | EUR 115,000 - 230,000 |
Institutions with 200+ ICT vendor relationships should expect contract remediation at the upper end. The legal cost of amending contracts with resistant vendors — particularly large technology providers — can exceed initial estimates significantly.
Pillar V: Information Sharing (Art. 45-49)
Pillar V has the lowest direct compliance cost, as requirements are primarily about establishing frameworks for voluntary threat intelligence sharing.
| Component | First Year | Ongoing/Year |
|---|---|---|
| Information sharing framework and policies | EUR 15,000 - 30,000 | EUR 5,000 - 10,000 |
| Threat intelligence community participation | EUR 10,000 - 30,000 | EUR 10,000 - 30,000 |
| Pillar V Total | EUR 25,000 - 60,000 | EUR 15,000 - 40,000 |
Cross-Cutting Costs
Technology and Tooling
| Component | First Year | Ongoing/Year |
|---|---|---|
| Operational resilience platform | EUR 50,000 - 200,000 | EUR 40,000 - 150,000 |
| Integration and configuration | EUR 30,000 - 80,000 | EUR 10,000 - 30,000 |
| Existing tool adaptation/enhancement | EUR 20,000 - 60,000 | EUR 10,000 - 30,000 |
| Tooling Total | EUR 100,000 - 340,000 | EUR 60,000 - 210,000 |
The build-vs-buy decision is consequential here. Generic GRC platforms require extensive customization to support DORA's specific requirements — deterministic workflows, evidence integrity, regulatory scoring, and board-level reporting. Purpose-built operational resilience platforms reduce customization costs but require evaluation against the institution's existing technology landscape.
Staffing
DORA compliance requires dedicated personnel. The exact headcount depends on institutional size, but most mid-tier institutions need:
| Role | FTE | Annual Cost (Fully Loaded) |
|---|---|---|
| DORA Programme Lead | 1.0 | EUR 120,000 - 180,000 |
| ICT Risk Analyst | 1.0 - 2.0 | EUR 80,000 - 140,000 each |
| Third-Party Risk Analyst | 0.5 - 1.0 | EUR 80,000 - 120,000 |
| Resilience Testing Coordinator | 0.5 - 1.0 | EUR 90,000 - 140,000 |
| Staffing Total | 2.0 - 5.0 | EUR 280,000 - 720,000 |
External consulting support during the first year typically adds EUR 150,000-400,000 depending on scope and firm tier.
Total Cost Summary
For a Tier-2 European bank (EUR 5-50B in assets, 500-2000 employees):
| Category | First Year | Ongoing/Year |
|---|---|---|
| Pillar I: ICT Risk Management | EUR 285,000 - 630,000 | EUR 125,000 - 260,000 |
| Pillar II: Incident Management | EUR 150,000 - 320,000 | EUR 70,000 - 140,000 |
| Pillar III: Testing | EUR 310,000 - 680,000 | EUR 285,000 - 630,000 |
| Pillar IV: Third-Party Risk | EUR 200,000 - 450,000 | EUR 115,000 - 230,000 |
| Pillar V: Information Sharing | EUR 25,000 - 60,000 | EUR 15,000 - 40,000 |
| Technology/Tooling | EUR 100,000 - 340,000 | EUR 60,000 - 210,000 |
| Staffing (2-5 FTEs) | EUR 280,000 - 720,000 | EUR 280,000 - 720,000 |
| External consulting | EUR 150,000 - 400,000 | EUR 50,000 - 150,000 |
| Grand Total | EUR 1.5M - 3.6M | EUR 1.0M - 2.4M |
These figures align with industry estimates from major consulting firms, which place first-year DORA compliance costs for mid-tier institutions in the EUR 1-3M range, with ongoing costs of EUR 500K-1.5M annually.
The Cost of Non-Compliance
DORA Art. 50-56 empower competent authorities to impose administrative penalties and remedial measures, including:
- Administrative fines proportionate to severity, duration, and impact of non-compliance
- Public censure through identification of the entity and the nature of the infringement
- Cease-and-desist orders potentially affecting business operations
- Suspension of management body members in severe cases
- Criminal referral for intentional or grossly negligent breaches
Beyond formal penalties, non-compliance creates:
- Supervisory scrutiny: failed examinations trigger enhanced supervision, more frequent audits, and mandatory remediation plans — all of which consume resources
- Reputational damage: public censure in the financial sector carries significant reputational cost with counterparties, clients, and investors
- Operational risk materialisation: the controls DORA requires exist because operational resilience failures cause real financial losses. A major incident at an institution with inadequate risk management costs far more than the compliance programme
Optimising Spend: Where to Invest, Where to Economise
Invest heavily in: ICT asset inventory and dependency mapping (the foundation everything else builds on), testing programme maturity (where compliance value and operational value align), and evidence management (the single factor that determines audit outcomes).
Economise on: Policy documentation (adapt existing frameworks rather than building from scratch), Pillar V (proportionate investment — this pillar has the lightest supervisory scrutiny), and external consulting (use consultants for gap assessment and programme design, not for ongoing operations that should be internalised).
Avoid false economies on: TLPT (cutting scope or using unqualified testers saves money once and creates findings forever), contract remediation (partial Art. 30 compliance is non-compliance), and tooling (the cost of managing DORA compliance in spreadsheets is measured in person-years, not euros — purpose-built platforms like Valendir pay for themselves within the first audit cycle through reduced manual effort and audit preparation time).
The institutions that budget realistically, invest in capabilities over theatre, and treat DORA as an operational improvement rather than a compliance tax will spend less in the long run — and sleep better before their first examination.
All cost figures in this analysis are editorial estimates based on industry benchmarks, consulting firm publications, and market observation. Actual costs vary significantly based on institutional size, existing maturity, geographic scope, vendor portfolio complexity, and regulatory jurisdiction. Institutions should conduct their own detailed cost assessments before committing budgets.