DORA Compliance Maturity Model: Where Does Your Institution Stand?

The Confidence Gap
Nine months after DORA became applicable on January 17, 2025, the industry's self-assessment data paints a sobering picture. Deloitte's 2024 survey of European financial institutions found that only 25% were confident in their DORA compliance readiness. PwC reported that 70% of firms expressed concern about meeting DORA requirements. Just 50% of surveyed institutions expected to achieve full compliance by the end of 2025 — a full year after the regulation became applicable.
These numbers reveal a systemic gap between regulatory expectation and operational reality. DORA did not arrive unexpectedly. The regulation was published in December 2022, with a two-year implementation period that most institutions used to assess requirements and plan programs. Yet the majority entered the enforcement period with significant compliance gaps.
The underlying problem is not a lack of awareness or effort. It is a lack of structured measurement. Most institutions can describe their DORA programs — the projects launched, the vendors engaged, the documents produced. Few can precisely quantify their maturity across each pillar, identify their weakest areas, or demonstrate a clear trajectory from current state to target state.
A maturity model provides this structure. It transforms a binary question ("are we compliant?") into a graduated assessment ("how mature are we, where are the gaps, and what does the path to target look like?"). For DORA — which spans five interconnected pillars across technology, governance, operations, and third-party management — structured maturity assessment is not optional. It is the foundation for effective compliance program management.
The 5-Level DORA Maturity Model
The following model adapts established maturity frameworks (CMMI, NIST CSF) to DORA's specific requirements. Each level represents a distinct stage of organizational capability, from ad hoc to optimized.
Figure 1: The five maturity levels with indicative progression timelines. Most European financial institutions currently operate between Level 2 and Level 3.
Level Definitions
| Level | Name | Characteristics | Supervisory Risk |
|---|---|---|---|
| 1 | Ad Hoc | No formalized processes. Responses to ICT incidents are reactive. No documented ICT risk management framework. Third-party risk managed informally. | High — likely supervisory findings, potential enforcement |
| 2 | Developing | Basic processes documented but inconsistently applied. ICT risk framework exists but is incomplete. Incident management is partially formalized. Third-party register started but incomplete. | Elevated — gaps will be identified in supervisory reviews |
| 3 | Defined | Processes documented, approved, and applied consistently. ICT risk framework covers major requirements. Incident classification and reporting procedures in place. Third-party register complete for critical arrangements. | Moderate — demonstrable compliance effort; remediation underway for gaps |
| 4 | Managed | Processes measured, monitored, and continuously improved. Quantitative metrics track performance. Resilience testing program operational. Third-party risk actively managed with exit strategies. | Low — meets supervisory expectations; improvement areas are tracked |
| 5 | Optimized | Industry-leading practices. Automated monitoring and response. Proactive threat intelligence integration. Continuous assurance across all pillars. Board actively engaged in resilience governance. | Minimal — potential peer exemplar; resilience is a competitive advantage |
Most European financial institutions currently operate between Level 2 and Level 3 across most pillars. Institutions that have invested significantly since 2023 may reach Level 3-4 in selected pillars while remaining at Level 2 in others. The uneven distribution is itself a finding — it reveals which pillars received investment and which were deprioritized.
Pillar-by-Pillar Assessment Criteria
Pillar I: ICT Risk Management Framework (Art. 5-16)
| Criterion | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| ICT risk management framework | None | Draft/partial | Documented, approved | Measured, reviewed annually | Continuously improved, automated assessment |
| Management body oversight | Informal | Assigned but passive | Active oversight, regular reporting | KPI-driven governance | Real-time risk dashboard, proactive intervention |
| ICT asset inventory | Incomplete | Critical assets listed | Complete inventory with dependencies | Dependency topology mapped, auto-discovered | Real-time CMDB with automated criticality sync |
| Business impact analysis | Not performed | Performed for critical functions | Comprehensive BIA, RTO/RPO defined | BIA reviewed quarterly, validated by testing | Continuous BIA with automated impact tolerance monitoring |
| ICT security policies | Ad hoc | Basic policies documented | Comprehensive policies, reviewed annually | Policies measured for effectiveness | Automated policy enforcement, continuous validation |
| BC/DR plans | None or outdated | Plans exist for some services | Plans for all critical functions, tested annually | Plans tested quarterly, lessons learned integrated | Chaos engineering, automated recovery validation |
Pillar II: Incident Management (Art. 17-23)
| Criterion | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Incident detection | Manual/ad hoc | Basic monitoring, alert fatigue | Correlated alerting, 24/7 coverage | Automated anomaly detection, low false-positive rate | AI-augmented detection, predictive indicators |
| Classification capability | None formalized | Classification criteria documented | Automated classification scoring, pre-calculated thresholds | Classification tested quarterly, near-miss tracking | Real-time classification with automatic NCA notification trigger |
| Reporting readiness | Templates not prepared | Templates drafted | Templates pre-populated, submission workflow defined | Quarterly reporting drills conducted | Automated submission pipeline, initial notification in under 2 hours |
| Root cause analysis | Not performed | Performed for major incidents | Standardized RCA methodology, lessons learned documented | RCA feeds into ICT risk framework updates | Automated causal chain analysis, predictive RCA |
| Incident register | Not maintained | Major incidents logged | All incidents logged, searchable, linked to affected services | Trend analysis performed, patterns identified | Predictive analytics, cross-sector correlation |
Pillar III: Resilience Testing (Art. 24-27)
| Criterion | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Testing program | No program | Annual vulnerability scanning | Risk-based testing program, multiple methods | Continuous testing, scenario-based campaigns | TLPT-grade testing, chaos engineering, red team |
| Test coverage | None measured | Critical services covered ad hoc | All critical/important functions tested annually | Coverage measured, gaps tracked, prioritized remediation | Automated coverage measurement, continuous gap closure |
| Findings management | Not tracked | Findings logged | Findings tracked with CAPA, SLA-driven | Remediation verified by retest, deviation workflow | Automated retest validation, deviation prevention |
| Evidence collection | Ad hoc | Test reports generated | Standardized evidence, chain of custody | Evidence vault with integrity verification | Automated evidence collection, QA gate, audit-ready exports |
Pillar IV: Third-Party Risk Management (Art. 28-44)
| Criterion | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Information register (Art. 28(3)) | Not maintained | Started, incomplete | Complete for critical arrangements | Complete for all ICT arrangements, automated updates | Real-time register with automated change detection |
| Due diligence | Informal | Questionnaire-based | Risk-rated due diligence, on-site assessments for critical | Continuous monitoring, automated risk scoring | Integrated threat intelligence, predictive vendor risk |
| Contractual provisions (Art. 30) | Standard T&Cs | Key provisions for some contracts | Art. 30 compliance for critical arrangements | Art. 30 compliance for all ICT arrangements | Automated contract analysis, gap detection |
| Concentration risk (Art. 29) | Not assessed | Qualitative assessment | HHI calculated, single points of failure identified | Scenario modeling, quarterly board reporting | Continuous HHI monitoring, automated trigger escalation |
| Exit strategies (Art. 28(8)) | None | Documented for some arrangements | Documented for all critical arrangements | Tested annually for critical arrangements | Validated by technical proof-of-concept, regularly refreshed |
Pillar V: Information Sharing (Art. 45-49)
| Criterion | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Sharing arrangement | None | Exploring options | FS-ISAC or equivalent membership active | Active participant, contributing intelligence | Leadership role, driving sector-wide initiatives |
| Intelligence integration | None | Manual review of alerts | Automated IOC ingestion into SIEM | Enrichment pipeline with internal context correlation | Real-time intelligence-to-action with automated defensive response |
| GDPR compliance | Not addressed | Basic awareness | Legitimate interest assessment documented | DPIA completed, retention policies enforced | Automated PII handling, continuous compliance monitoring |
The Gap Analysis: Where the Industry Stands
Based on aggregated survey data, supervisory findings, and advisory assessments across European financial institutions in the first half of 2025:
Industry Average Maturity by Pillar
| Pillar | Tier 1 Banks (G-SIBs) | Tier 2 Banks | Mid-Size Insurers | Payment Institutions | Asset Managers |
|---|---|---|---|---|---|
| I: ICT Risk Management | 3.5 | 2.8 | 2.5 | 2.2 | 2.0 |
| II: Incident Management | 3.8 | 2.5 | 2.3 | 2.0 | 1.8 |
| III: Resilience Testing | 3.2 | 2.3 | 2.0 | 1.8 | 1.5 |
| IV: Third-Party Risk | 3.0 | 2.5 | 2.2 | 2.0 | 1.8 |
| V: Information Sharing | 3.5 | 2.0 | 1.8 | 1.5 | 1.3 |
| Weighted Average | 3.4 | 2.4 | 2.2 | 1.9 | 1.7 |
Several patterns emerge:
The Pillar III gap. Resilience testing is consistently the weakest pillar across all institution types except G-SIBs. Many institutions have robust ICT risk management frameworks and incident management procedures but have not built the operational capability to test their resilience systematically. This is the area where supervisory scrutiny will be most intense in 2025-2026.
The institution size divide. G-SIBs average Level 3.4 — approaching "managed" maturity. Smaller institutions average below Level 2.5 — still "developing." The gap reflects resource disparities but also differences in supervisory attention: G-SIBs have been subject to ECB cyber stress tests and enhanced SREP assessments that forced earlier investment.
The Pillar V neglect. Information sharing is the lowest-maturity pillar across all institution types except G-SIBs. The "voluntary" framing of Art. 45 has led to systematic deprioritization.
The exit strategy blind spot. Within Pillar IV, exit strategies (Art. 28(8)) are consistently the weakest element. Institutions have invested in vendor registers and due diligence but have not built credible exit capabilities for critical arrangements.
The Progression Roadmap
Figure 2: The two critical maturity transitions with priority actions. Level 3 is the minimum standard for supervisory confidence.
From Level 2 to Level 3: "Developing" to "Defined" (6-12 months)
This is the most critical transition for the majority of European financial institutions. Level 3 represents the minimum standard for supervisory confidence — documented, approved processes applied consistently across the organization.
Priority actions:
- Complete the ICT risk management framework documentation and secure management body approval
- Finalize the Art. 28(3) Information Register for all ICT third-party arrangements
- Operationalize incident classification with pre-calculated thresholds and pre-drafted reporting templates
- Conduct at least one risk-based resilience test against critical functions
- Document exit strategies for all critical ICT third-party arrangements
- Establish an information sharing arrangement (FS-ISAC membership or equivalent)
Investment estimate: EUR 500K-2M for Tier 2 banks; EUR 200K-800K for mid-size insurers; EUR 100K-400K for payment institutions.
From Level 3 to Level 4: "Defined" to "Managed" (12-24 months)
The transition from Level 3 to Level 4 is the maturation from compliance to capability. Level 4 institutions do not just meet requirements — they measure their performance, identify trends, and continuously improve.
Priority actions:
- Implement quantitative metrics for each pillar (KPIs, KRIs, SLIs)
- Build the concentration risk measurement framework (HHI, single-point-of-failure analysis)
- Establish quarterly reporting drills for incident management
- Launch a continuous resilience testing program with measurable coverage targets
- Test exit strategies for at least two critical arrangements
- Integrate threat intelligence into defensive operations (Stage 3 of the intelligence pipeline)
Investment estimate: EUR 1M-4M for Tier 2 banks; EUR 500K-1.5M for mid-size insurers; EUR 200K-600K for payment institutions.
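The Level 3 and Level 4 criteria for concentration risk (Art. 29) call for an HHI calculation and single-point-of-failure analysis. The script below is an added example of what that measurement looks like in practice; it is not code from the article or from any supervisory framework. It computes the Herfindahl-Hirschman Index (the sum of squared shares, on a 0 to 1 scale) over the share of critical or important functions each ICT provider supports, lists functions that depend on a single provider, and shows which functions would lose all providers if the largest provider failed. The provider and function names are constructed, and the 0.25 escalation threshold is an assumed policy value (the conventional "highly concentrated" marker), not a figure the article or DORA states.

```python
"""Concentration risk metrics for Pillar IV (DORA Art. 29).

Added example, not code from the article. Provider and function names are
constructed; the 0.25 escalation threshold is an assumed policy value.
"""
from collections import Counter
from typing import Dict, List

# Provider(s) supporting each critical/important function (constructed data).
ARRANGEMENTS: Dict[str, List[str]] = {
    "payments processing": ["CloudCo"],
    "core banking": ["CloudCo"],
    "customer identity": ["CloudCo", "IdPVendor"],
    "trading platform": ["HostX"],
    "data warehouse": ["CloudCo", "HostX"],
}


def hhi(shares: Dict[str, float]) -> float:
    """HHI on a 0-1 scale; shares are normalised so they need not sum to 1."""
    total = sum(shares.values())
    if total <= 0:
        raise ValueError("shares must be positive")
    return sum((s / total) ** 2 for s in shares.values())


def provider_shares(arrangements: Dict[str, List[str]]) -> Dict[str, float]:
    """Share of functions per provider; a function served by k distinct
    providers contributes 1/k to each of them."""
    counts: Counter = Counter()
    for function, providers in arrangements.items():
        unique = set(providers)
        if not unique:
            raise ValueError(f"{function}: no provider recorded")
        for provider in unique:
            counts[provider] += 1 / len(unique)
    return dict(counts)


def single_points_of_failure(arrangements: Dict[str, List[str]]) -> List[str]:
    """Functions that depend on exactly one provider."""
    return sorted(f for f, ps in arrangements.items() if len(set(ps)) == 1)


def functions_lost_if_provider_fails(arrangements: Dict[str, List[str]],
                                     provider: str) -> List[str]:
    """Functions left with no provider once `provider` is unavailable."""
    return sorted(f for f, ps in arrangements.items() if set(ps) == {provider})


def concentration_report(arrangements: Dict[str, List[str]],
                         threshold: float = 0.25) -> dict:
    """Board-level summary: HHI, escalation flag, largest provider and
    the single points of failure an exit strategy must cover."""
    shares = provider_shares(arrangements)
    index = hhi(shares)
    largest = max(shares, key=shares.get)
    return {
        "hhi": round(index, 4),
        "escalate": index >= threshold,
        "largest_provider": largest,
        "largest_share": round(shares[largest] / sum(shares.values()), 4),
        "single_points_of_failure": single_points_of_failure(arrangements),
        "lost_if_largest_fails": functions_lost_if_provider_fails(arrangements, largest),
    }


if __name__ == "__main__":
    for key, value in concentration_report(ARRANGEMENTS).items():
        print(f"{key}: {value}")
```

Counting functions rather than contract value is a deliberate choice: it is the loss of a function, not of a payment, that the impact tolerances in Pillar I are set against. An institution that weights by spend instead should expect a different index and should document which basis it reports to the management body.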
Using the Model for Board Reporting
The maturity model translates complex regulatory compliance into a format that boards can understand and govern. The recommended board reporting format:
Quarterly maturity dashboard:
- Current maturity level per pillar (1-5 scale)
- Change from prior quarter (direction and magnitude)
- Target maturity level per pillar (with target date)
- Top 3 gaps by severity (pillar, current level, target level, remediation timeline)
- Investment spent vs. planned
- Upcoming supervisory milestones
This dashboard enables the management body to fulfill its Art. 5 obligations — active oversight of the ICT risk management framework — with quantifiable data rather than qualitative assurances.
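The dashboard fields above, together with the pillar averaging used in the industry gap-analysis table, are straightforward to compute from a criterion-level self-assessment. The script below is an added example of that computation and is not code from the article: it scores each pillar as the mean of its criterion levels, computes the cross-pillar average (with equal weights it reproduces the article's "Weighted Average" row, as the G-SIB column shows), reports quarter-on-quarter change, and ranks the top three gaps against target. The sample institution, its criterion levels, the prior-quarter levels and the Level 3 targets are constructed assumptions; only INDUSTRY_TIER1 is copied from the article's table.

```python
"""Scoring helpers for the 5-level DORA maturity model described above.

Added example, not code from the article. SAMPLE_Q3, SAMPLE_Q2 and TARGETS
are constructed; INDUSTRY_TIER1 copies the G-SIB column of the article's
"Industry Average Maturity by Pillar" table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Assessment = Dict[str, Dict[str, int]]   # pillar -> criterion -> level 1-5

INDUSTRY_TIER1 = {
    "I: ICT Risk Management": 3.5,
    "II: Incident Management": 3.8,
    "III: Resilience Testing": 3.2,
    "IV: Third-Party Risk": 3.0,
    "V: Information Sharing": 3.5,
}

# Constructed Q3 self-assessment of a hypothetical Tier 2 bank, one level
# per criterion of the pillar tables above.
SAMPLE_Q3: Assessment = {
    "I: ICT Risk Management": {"framework": 3, "oversight": 3, "asset inventory": 2,
                               "BIA": 3, "security policies": 3, "BC/DR plans": 2},
    "II: Incident Management": {"detection": 3, "classification": 2, "reporting": 2,
                                "RCA": 3, "register": 3},
    "III: Resilience Testing": {"program": 2, "coverage": 2, "findings": 2, "evidence": 1},
    "IV: Third-Party Risk": {"register": 3, "due diligence": 3, "contracts": 2,
                             "concentration": 2, "exit strategies": 1},
    "V: Information Sharing": {"arrangement": 2, "integration": 1, "GDPR": 2},
}
# Prior quarter: identical except the ICT risk framework was still a draft.
SAMPLE_Q2: Assessment = {p: dict(c) for p, c in SAMPLE_Q3.items()}
SAMPLE_Q2["I: ICT Risk Management"]["framework"] = 2
TARGETS = {p: 3 for p in SAMPLE_Q3}   # Level 3 as the supervisory minimum


def pillar_score(criteria: Dict[str, int]) -> float:
    """Mean of a pillar's criterion levels; out-of-range levels are rejected
    so a typo in an assessment sheet cannot silently move the score."""
    if not criteria:
        raise ValueError("pillar has no assessed criteria")
    for name, level in criteria.items():
        if not isinstance(level, int) or not 1 <= level <= 5:
            raise ValueError(f"{name}: level must be an integer 1-5, got {level!r}")
    return sum(criteria.values()) / len(criteria)


def weighted_average(scores: Dict[str, float],
                     weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted mean across pillars; equal weights (the default) reproduce
    the article's 'Weighted Average' row."""
    weights = weights or {p: 1.0 for p in scores}
    total = sum(weights[p] for p in scores)
    return sum(scores[p] * weights[p] for p in scores) / total


@dataclass(order=True)
class Gap:
    severity: float                        # target minus current; sort key
    pillar: str = field(compare=False)
    current: float = field(compare=False)
    target: int = field(compare=False)


def top_gaps(scores: Dict[str, float], targets: Dict[str, int], n: int = 3) -> List[Gap]:
    """The n largest shortfalls against target, worst first."""
    gaps = [Gap(round(targets[p] - scores[p], 2), p, round(scores[p], 2), targets[p])
            for p in scores if scores[p] < targets[p]]
    return sorted(gaps, reverse=True)[:n]


def quarterly_dashboard(current: Assessment, previous: Assessment,
                        targets: Dict[str, int],
                        weights: Optional[Dict[str, float]] = None) -> dict:
    """The per-pillar fields of the quarterly board dashboard."""
    now = {p: pillar_score(c) for p, c in current.items()}
    before = {p: pillar_score(c) for p, c in previous.items()}
    return {
        "pillar_levels": {p: round(s, 2) for p, s in now.items()},
        "change_vs_prior": {p: round(now[p] - before[p], 2) for p in now},
        "targets": dict(targets),
        "overall": round(weighted_average(now, weights), 2),
        "top_gaps": top_gaps(now, targets),
    }


if __name__ == "__main__":
    for key, value in quarterly_dashboard(SAMPLE_Q3, SAMPLE_Q2, TARGETS).items():
        print(f"{key}: {value}")
```

On the constructed data the three largest gaps come out as Pillar V, Pillar III and Pillar IV, which matches the patterns the gap analysis describes. The `weights` parameter exists because an institution may legitimately weight Pillar III or IV more heavily when those are the areas of supervisory focus; whatever weighting is used should be fixed in the reporting procedure so quarter-on-quarter comparisons remain meaningful.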
The Supervisory Perspective
NCAs and the ESAs are building their own assessment frameworks. The ECB's cyber stress test, BaFin's updated MaRisk requirements, and the CSSF's DORA implementation circulars all point toward quantitative assessment of operational resilience maturity.
Institutions that can present a structured maturity assessment — with honest gap identification, prioritized remediation, and measurable progress — demonstrate the governance maturity that supervisors value. Institutions that present compliance as binary ("we are compliant" or "we are working on it") without quantification will face more intensive supervisory scrutiny.
The 25% confidence figure from Deloitte's survey is concerning but not surprising. DORA is the most comprehensive operational resilience regulation ever applied to the European financial sector. Full maturity across all five pillars requires years of sustained investment in technology, processes, governance, and capabilities. The institutions that will reach Level 4-5 maturity are those that started measuring early, invested consistently, and treated the maturity model as a management tool — not a compliance artifact.
This assessment framework reflects DORA Regulation (EU) 2022/2554 requirements mapped to established maturity model methodologies. Maturity estimates are based on aggregated industry data and advisory assessments; individual institution maturity varies.