Lessons From DORA's First Enforcement Wave: What Supervisors Found and What Comes Next

DORA Atlas Editorial · 12 min read

The First 15 Months

DORA became applicable on January 17, 2025. Fifteen months later, the regulatory landscape has shifted from preparation to enforcement. The European Supervisory Authorities — EBA, ESMA, and EIOPA — have published their oversight framework. National competent authorities have conducted initial examinations. The ECB's supervisory methodology has integrated DORA into the SREP process for significant institutions.

The picture emerging from these first enforcement activities is both predictable and instructive. Predictable, because the gaps supervisors are finding are the gaps that industry assessments warned about throughout 2023-2024. Instructive, because the supervisory response reveals priorities, thresholds, and enforcement posture that institutions can use to calibrate their own programmes.

This analysis synthesizes publicly available supervisory signals, examination themes, and enforcement trends from the first 15 months of DORA enforcement. It is not based on confidential examination findings — it draws on published supervisory communications, ESA reports, and industry assessments.

What Supervisors Found: Five Recurring Gaps

Gap 1: The Register of Information (Art. 28(3))

The register of information has emerged as the most consistently flagged gap. The April 2025 submission deadline was the first concrete deliverable under DORA, and the quality of submissions varied dramatically.

What supervisors found:

  • Registers that included cloud contracts but omitted traditional outsourcing, SaaS tools, and data providers
  • Missing subcontracting chain information for critical providers
  • Inconsistent data quality (vendor names inconsistent across entries, missing LEI codes, stale contact information)
  • Registers maintained as static spreadsheets rather than living documents
  • Critical third-party relationships not classified as "supporting critical or important functions"

Register Quality | Percentage of Institutions (Estimated) | Supervisory Response
Comprehensive, accurate, current | 15-20% | Satisfactory
Substantially complete with minor gaps | 30-35% | Findings with remediation timeline
Significant gaps in coverage or accuracy | 30-35% | Material findings requiring immediate action
Fundamentally incomplete | 10-15% | Potential enforcement action

Lesson learned: The register is not a document to be filed. It is a living dataset that must be maintained, updated upon every change in ICT third-party arrangements, and accurate enough to serve as the institution's real-time view of its third-party landscape.
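As an added illustration (not DORA Atlas code, nor any supervisor's tooling), the following Python check runs over register rows and flags the findings listed above: missing fields, malformed LEI check digits (ISO 17442 with ISO 7064 MOD 97-10), one legal entity recorded under different vendor names, and critical-provider entries without a subcontracting chain. The entry field names and the sample register are assumptions constructed for the example.

```python
from collections import defaultdict

# Fields every register entry must carry; supports_cif = supports a critical or important function
REQUIRED = ("provider_name", "lei", "service_type", "supports_cif")


def lei_is_valid(lei: str) -> bool:
    """ISO 17442 LEI: 20 alphanumeric chars, the last two being ISO 7064 MOD 97-10 check digits."""
    lei = lei.strip().upper()
    if len(lei) != 20 or not lei.isalnum() or not lei[18:].isdigit():
        return False
    numeric = "".join(str(int(c, 36)) for c in lei)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


def lei_check_digits(prefix18: str) -> str:
    """Check digits for an 18-char LEI body; used here only to build the constructed sample."""
    numeric = "".join(str(int(c, 36)) for c in prefix18.upper() + "00")
    return f"{98 - int(numeric) % 97:02d}"


def validate_register(entries: list) -> dict:
    """Return {entry_id: findings} for rows matching the supervisory findings listed above."""
    findings = defaultdict(list)
    names_by_lei = defaultdict(set)
    for e in entries:
        for f in REQUIRED:
            if e.get(f) in (None, ""):
                findings[e["id"]].append(f"missing {f}")
        lei = e.get("lei")
        if lei:
            if not lei_is_valid(lei):
                findings[e["id"]].append("invalid LEI check digits")
            names_by_lei[lei].add(e.get("provider_name", ""))
        if e.get("supports_cif") and not e.get("subcontractors"):  # chain required for critical providers
            findings[e["id"]].append("critical arrangement without subcontracting chain")
    for lei, names in names_by_lei.items():
        if len(names) > 1:  # one legal entity recorded under different vendor names
            for e in entries:
                if e.get("lei") == lei:
                    findings[e["id"]].append(f"inconsistent provider name for LEI {lei}: {sorted(names)}")
    return dict(findings)


# Constructed sample register (hypothetical entities and LEIs)
SAMPLE_LEI = "529900ABCDEF123456" + lei_check_digits("529900ABCDEF123456")
BAD_LEI = SAMPLE_LEI[:19] + str((int(SAMPLE_LEI[19]) + 1) % 10)  # one check digit altered
SAMPLE_REGISTER = [
    {"id": "A1", "provider_name": "CloudCo Ltd", "lei": SAMPLE_LEI, "service_type": "IaaS", "supports_cif": True, "subcontractors": ["DC Operator"]},
    {"id": "A2", "provider_name": "CloudCo Limited", "lei": SAMPLE_LEI, "service_type": "SaaS", "supports_cif": True, "subcontractors": []},
    {"id": "A3", "provider_name": "DataFeed SA", "lei": "", "service_type": "Data", "supports_cif": False, "subcontractors": []},
    {"id": "A4", "provider_name": "Tool GmbH", "lei": BAD_LEI, "service_type": "SaaS", "supports_cif": None, "subcontractors": []},
]
```

Running `validate_register(SAMPLE_REGISTER)` on the sample returns one finding for A1 (name inconsistent with A2), two for A2, one for A3 and two for A4; rows with no findings are absent from the result.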

Gap 2: Untested Recovery Objectives (Art. 11 + Art. 24)

Institutions have RTOs and RPOs documented. Most have not validated them through testing that measures actual recovery performance against declared objectives. The ECB's 2024 stress test had already signaled this gap. First-year examinations confirmed it as industry-wide.

What supervisors found:

  • RTOs set years ago during initial BCP planning, never updated to reflect current architecture
  • RPOs inconsistent with actual backup architecture (declared RPO of 1 hour with daily backup)
  • DR tests consisting only of tabletop exercises without system involvement
  • Critical functions identified in the BIA but not covered by the testing programme

Lesson learned: Supervisors are testing whether institutions can actually recover, not whether they have documented that they intend to. The gap between declared and demonstrated recovery capability is the highest-priority finding.

Gap 3: Third-Party Contracts Without Art. 30 Provisions (Art. 30)

Art. 30 specifies contractual elements that must be included in ICT third-party arrangements, particularly those supporting critical or important functions: security measures, right to audit, notification obligations, termination and transition assistance, data location, and subcontracting conditions.

What supervisors found:

  • Legacy contracts (signed before DORA) without Art. 30 provisions — and no plan to remediate
  • Large cloud provider contracts accepted on standard terms without negotiation of DORA-specific provisions
  • Exit strategies documented in principle but without actionable migration plans
  • Subcontracting notification provisions absent from critical contracts

Lesson learned: Contract remediation is a multi-year programme, not a one-time exercise. Institutions should prioritize critical vendor contracts and build Art. 30 compliance into every new procurement.

Gap 4: Incident Classification Process Gaps (Art. 17-19)

Institutions have incident management processes. Few have incident management processes aligned with DORA's classification criteria and reporting timelines.

What supervisors found:

  • Incident classification criteria that do not match DORA's major incident thresholds
  • No automated trigger for Art. 19 reporting when classification thresholds are met
  • ICT incidents routed through general ITSM processes without regulatory assessment
  • Board reporting on incidents delayed or absent for incidents below major threshold

Lesson learned: The incident management process must include a regulatory assessment step — "does this incident meet DORA major incident criteria?" — at triage. Institutions that discover an incident meets major criteria hours after detection face compressed reporting timelines.

Gap 5: Management Body Engagement (Art. 5)

Art. 5 makes the management body accountable for the ICT risk management framework. Supervisors are assessing whether this accountability is real or formal.

What supervisors found:

  • Board members unable to describe the institution's ICT risk appetite or key risks
  • ICT risk reporting to the board that is technical rather than strategic
  • Art. 5(4) training not conducted or limited to generic cybersecurity awareness
  • Management body not involved in approving the testing programme or reviewing test results

Board Engagement Indicator | Strong | Weak
ICT risk is a standing board agenda item | Yes | No or quarterly only
Board members received Art. 5(4) specific training | Within past 12 months | Never or > 24 months ago
Board reviews and approves testing programme | Annually with results review | Rubber-stamps without discussion
Board sets ICT risk appetite | Documented, quantified | Implicit or undefined
Board is briefed on major incidents | Within 24 hours | At next scheduled meeting

Lesson learned: Supervisors will interview board members. The board's ability to demonstrate understanding of ICT risk — not just receive reports — is being tested directly.

Supervisory Posture: Proportional but Escalating

The first 15 months have revealed a supervisory posture that is proportional but directionally firm:

  • Phase 1 (2025): Diagnostic. Identify gaps, set remediation expectations, allow time for compliance.
  • Phase 2 (2026): Enforcement. Measure progress against remediation commitments. Formal findings for institutions that have not addressed known gaps.
  • Phase 3 (2027+): Full enforcement. Penalties for non-compliance, particularly for recurring findings and demonstrated inability or unwillingness to comply.

The ESA oversight framework for critical third-party providers is also ramping up, with the first CTPP designations establishing the oversight regime for the largest ICT providers serving the financial sector.

What Comes Next: 2026-2027 Supervisory Priorities

Based on first-wave findings and published supervisory communications:

Priority 1: Recovery Testing Validation

Supervisors have identified the gap between declared and actual recovery capability. The next examination cycle will focus on whether institutions have closed this gap — not through documentation, but through tested, measured recovery performance. Expect supervisors to request:

  • DR test results showing Recovery Time Actual vs. declared RTO
  • Evidence that test results drove framework improvements (Art. 13 learning)
  • Coverage analysis: which critical functions have been tested and which have not?
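The following added example (not the page's or any supervisor's code) implements the declared-versus-measured comparison behind Gap 2 above and this priority: it flags RPOs that the backup interval cannot support, Recovery Time Actual values from technical DR tests that exceed the declared RTO, and critical functions covered only by tabletop exercises. The data model and the sample functions are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional


@dataclass
class DrTest:
    kind: str                          # "tabletop" or "technical" (systems actually failed over)
    rta: Optional[timedelta] = None    # measured Recovery Time Actual; None for tabletop exercises


@dataclass
class CriticalFunction:
    name: str
    rto: timedelta              # declared Recovery Time Objective
    rpo: timedelta              # declared Recovery Point Objective
    backup_interval: timedelta  # how often a restorable copy is actually taken
    tests: list = field(default_factory=list)


def hours(td: timedelta) -> str:
    return f"{td.total_seconds() / 3600:g}h"


def assess_recovery(functions: list) -> dict:
    """Map each critical function to the findings the declared-vs-measured comparison produces."""
    findings = {}
    for f in functions:
        issues = []
        # An RPO can never be better than the backup interval (the page's "RPO of 1 hour with daily backup")
        if f.backup_interval > f.rpo:
            issues.append(f"declared RPO {hours(f.rpo)} unachievable with backup interval {hours(f.backup_interval)}")
        technical = [t for t in f.tests if t.kind == "technical" and t.rta is not None]
        if not technical:
            issues.append("no technical DR test on record (tabletop only or untested)")
        else:
            worst = max(t.rta for t in technical)  # judge against the slowest observed recovery
            if worst > f.rto:
                issues.append(f"measured RTA {hours(worst)} exceeds declared RTO {hours(f.rto)}")
        findings[f.name] = issues
    return findings


def untested_functions(functions: list) -> list:
    """Coverage analysis: critical functions from the BIA that have never had a technical DR test."""
    return [f.name for f in functions if not any(t.kind == "technical" for t in f.tests)]


# Constructed sample data, not from any real institution
H = timedelta(hours=1)
SAMPLE_FUNCTIONS = [
    CriticalFunction("payments", rto=4 * H, rpo=1 * H, backup_interval=24 * H, tests=[DrTest("technical", 3 * H)]),
    CriticalFunction("trading", rto=2 * H, rpo=H / 4, backup_interval=H / 12, tests=[DrTest("technical", 3.5 * H)]),
    CriticalFunction("custody", rto=8 * H, rpo=4 * H, backup_interval=1 * H, tests=[DrTest("tabletop")]),
]
```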

Priority 2: Third-Party Concentration Risk

The CTPP oversight regime is operational. Lead Overseers will conduct their first examinations of designated CTPPs. Simultaneously, supervisors will assess whether financial institutions are managing concentration risk — not just identifying it:

  • HHI analysis for cloud and critical infrastructure dependencies
  • Exit strategy credibility (can the institution actually migrate away from a critical provider?)
  • Multi-cloud vs. single-cloud architecture assessment

Priority 3: Incident Reporting Quality

As more institutions file Art. 19 notifications, supervisors will assess reporting quality — timeliness, accuracy, completeness, and follow-through. Institutions that file late, file incomplete information, or fail to conduct post-incident improvements will face scrutiny.

Priority 4: Proportionality in Practice

DORA applies to approximately 22,000 financial entities of vastly different sizes and complexity. The proportionality principle is being tested in practice: are smaller institutions receiving proportionate expectations, and are larger institutions being held to the full standard? The proportionality debate will continue to evolve as supervisory practice develops.

Preparing for the Next Examination Cycle

Institutions preparing for 2026-2027 examinations should prioritize:

  1. Close the five recurring gaps identified in this analysis — register accuracy, recovery testing validation, contract remediation, incident classification alignment, and board engagement.
  2. Demonstrate progress, not just compliance. Supervisors value trajectory: an institution that had gaps but is systematically closing them will be treated differently from one that has not started.
  3. Build evidence continuously. The evidence chain for DORA compliance is not a point-in-time collection — it is a continuous production process. Use automated evidence collection where possible.
  4. Prepare the board. Supervisors will interview management body members. Art. 5(4) training must produce demonstrable understanding, not just attendance records.
  5. Monitor the regulatory evolution. DORA's RTS/ITS framework continues to develop. New standards and guidance will refine requirements throughout 2026-2027.

Key Takeaways

  • Five recurring gaps dominate first-wave findings: register of information quality, untested recovery objectives, Art. 30 contract gaps, incident classification process alignment, and management body engagement.
  • Supervisory posture is proportional but escalating: diagnostic in 2025, active enforcement in 2026, full enforcement from 2027.
  • Recovery testing validation will be the priority for 2026-2027 examinations. Declared RTOs that are not supported by measured test results will be challenged.
  • Third-party concentration risk and CTPP oversight will intensify as the oversight regime becomes operational.
  • Demonstrate progress, not just compliance. Supervisors value trajectory: systematic gap closure over time is more credible than overnight compliance claims.
  • Prepare the board for supervisory interviews. Management body members must demonstrate understanding of ICT risk, not just receipt of reports.

Summary (translated from French)

Fifteen months after DORA came into force, the first enforcement wave reveals five recurring gaps in European financial institutions. First, registers of information (Art. 28(3)) are incomplete: only 15-20% of institutions have complete and up-to-date registers. Second, recovery objectives (RTO/RPO) are declared but not tested; most recovery tests are limited to tabletop exercises without system involvement. Third, third-party contracts lack Art. 30 provisions: 45% have no transition assistance provisions and 40% lack subcontracting consent. Fourth, incident classification processes are not aligned with DORA's criteria. Fifth, board engagement is formal rather than substantive; supervisors find that board members cannot describe the institution's ICT risk appetite. The supervisory posture is proportional but escalating: diagnostic in 2025, active enforcement in 2026, full enforcement from 2027. The 2026-2027 examination priorities will focus on recovery testing validation, third-party concentration risk, incident reporting quality and proportionality in practice. Institutions must demonstrate systematic progress: supervisors value trajectory as much as point-in-time compliance.
