
DORA at One Year: The Definitive State of Play

By DORA Atlas Editorial. 14 min read.

One Year, Five Pillars, 22,000 Entities

January 17, 2026 marks the first anniversary of DORA's application — the point at which the EU's most ambitious operational resilience regulation moved from legal text to lived reality for approximately 22,000 financial entities across 27 member states. One year is enough time to assess what changed, what remains unchanged, and what the trajectory tells us about the years ahead.

This is not a retrospective in the conventional sense. It is a scorecard: evidence-based, pillar-by-pillar, informed by the regulatory milestones, the industry data, and the real-world incidents that tested DORA's thesis before the regulation had finished its first year.

The Regulatory Milestones: What Was Built

DORA's first year produced a remarkable volume of regulatory construction:

| Date | Milestone | Significance |
|---|---|---|
| Jan 17, 2025 | DORA becomes applicable | Legal obligations take effect |
| Apr 11, 2025 | Register of Information deadline | First mandatory data submission; supervisors gain visibility |
| Jun 2025 | TLPT RTS published | Advanced testing framework finalized |
| Jul 2025 | TLPT RTS enter into force | Testing obligations enforceable |
| Jul 15, 2025 | ESAs oversight guide published | Practical manual for CTPP supervision |
| Aug 2025 | BaFin guidance published | Germany sets detailed supervisory expectations |
| Oct 2025 | DLA Piper penalty analysis | 27 enforcement regimes mapped; divergence documented |
| Nov 18, 2025 | 19 CTPPs designated | Direct oversight of technology providers activated |
| Nov 2025 | Joint Committee 2026 Work Programme | Enforcement shift formalized |
| Dec 2025 | ESAs Art. 58 Joint Report | Auditor inclusion assessment submitted |
| Jan 17, 2026 | Art. 58 review deadline reached | Commission must now decide on scope expansion |

This is an extraordinary pace of regulatory development. In 12 months, DORA moved from initial application through data collection, framework publication, guidance issuance, and entity designation to the threshold of active enforcement. By comparison, GDPR's first year produced far fewer concrete supervisory outputs.

The Incident Landscape: Reality Validated the Regulation

DORA's thesis — that the European financial sector's dependence on ICT infrastructure creates systemic risks requiring regulatory intervention — was validated repeatedly during Year One by incidents that the regulation could not have caused but was designed to address:

The Iberian blackout. A cascading electrical grid failure across Spain and Portugal tested financial sector business continuity at an infrastructure level. Recovery timelines ranged from 3 to 24 hours. The incident validated Art. 11-12's business continuity requirements and demonstrated that many institutions' BCPs had not been tested against infrastructure-level failure scenarios.

The AWS October 2025 outage. A 15-hour disruption generating 17 million user reports across 60 countries, affecting financial services including Coinbase, Robinhood, and Capital One. The incident validated Art. 29's concentration risk requirements — institutions with single-cloud architectures had no failover option.

Azure's global outage. An 8-hour disruption with an estimated economic impact of $4.8-16 billion, affecting institutions that relied on Azure Active Directory for authentication. The incident validated Art. 28-30's third-party risk management requirements — institutions could not access their own systems because of a third-party identity service failure.

158 UK banking failures. The UK financial sector experienced 158 reported banking outages during 2025, affecting customer access to accounts, payments, and transactions. While these occurred under the UK's PS 16/24 framework rather than DORA, they demonstrated the frequency and customer impact of operational resilience failures.

100+ cloud outages in 12 months. The aggregate: AWS, Azure, and Google Cloud collectively experienced more than 100 documented service outages between August 2024 and August 2025 — approximately two per week. The data validated DORA's concentration risk framework and its requirement for exit strategies.

NoName057(16) takedown. Europol dismantled a pro-Russian hacktivist group responsible for 1,500+ DDoS attacks against European targets, including Italian banks. The takedown validated Art. 45-49's information sharing requirements — the intelligence pipeline that enabled the operation flowed through exactly the kind of cross-border networks DORA mandates.

The Industry Scorecard: Pillar by Pillar

Pillar I — ICT Risk Management (Art. 5-16): Grade B-

Pillar I benefited from the strongest pre-existing regulatory foundation. EBA Guidelines on ICT risk, national supervisory expectations, and Basel Committee principles had already established the core requirements. Most institutions had some form of ICT risk management framework before DORA.

What's working: Board-level awareness of ICT risk (Art. 5) has increased significantly. ICT risk management frameworks exist at most institutions. Asset identification (Art. 8) has improved through the Register of Information exercise.

What's not working: Detection capabilities (Art. 10) remain inconsistent. Many institutions can identify and classify assets but cannot demonstrate real-time detection of anomalous activity across their ICT estate. Recovery capabilities (Art. 11-12) — as the ECB stress test and Iberian blackout both demonstrated — are the weakest area within Pillar I.

Pillar II — Incident Management (Art. 17-23): Grade C+

Incident management was an area of significant process change for many institutions. The prescribed reporting timelines (4-hour initial notification, 72-hour intermediate report, one-month final report) and classification criteria (Art. 18) required a degree of formalization that many institutions had not achieved under previous frameworks.

What's working: Most institutions have established incident classification procedures aligned with Art. 18 criteria. NCA reporting channels are established. Management body notification procedures exist.

What's not working: The 4-hour initial notification deadline is challenging for incidents that require time to assess and classify. Classification consistency across the industry remains low — the same incident type may be classified as "major" by one institution and "significant" by another. Root cause analysis quality varies widely, with many institutions producing descriptive narratives rather than the causal analysis that Art. 13 requires.

Pillar III — Resilience Testing (Art. 24-27): Grade C

Testing formalization has been a major compliance effort. Institutions routinely conduct security tests, but few had the kind of structured, documented, governance-approved testing programme that Art. 24-25 require.

What's working: Institutions are establishing formal testing policies and governance structures. Testing is increasingly linked to risk assessment (Art. 24(1) requires testing "proportionate to the risk profile"). TLPT-designated entities are engaging with the framework.

What's not working: Many testing programmes remain narrowly focused on technical security testing rather than the broad operational resilience testing DORA envisions. The gap between "we conduct penetration tests" and "we have a risk-based testing programme that covers ICT systems, processes, and interdependencies" remains wide. Testing evidence management — producing the documented results that supervisors will review — is immature at many institutions.

Pillar IV — Third-Party Risk Management (Art. 28-44): Grade D+

Pillar IV remains the weakest area. This is not surprising — it contains the most novel requirements and the largest implementation effort.

What's working: The Register of Information has been submitted. Most institutions have at least a basic inventory of their ICT third-party relationships. Awareness of concentration risk has increased dramatically.

What's not working: Register completeness and accuracy remain concerns. Sub-outsourcing chain visibility is limited. Art. 30 contractual provisions require mass renegotiation that is far from complete. Exit strategies for critical providers range from thin documents to non-existent. Concentration risk assessments are often qualitative rather than quantitative. The CTPP designation has created urgency but not yet capability.

| Pillar IV component | Industry readiness | Key blocker |
|---|---|---|
| Register of Information | 60% | Sub-outsourcing data gaps, classification inconsistency |
| Art. 30 contractual compliance | 30% | Provider resistance to renegotiation, especially cloud/SaaS |
| Exit strategies | 20% | Lack of identified alternatives, untested migration procedures |
| Concentration risk assessment | 35% | Quantitative methodology gaps, sub-outsourcing opacity |
| CTPP engagement management | 25% | New capability with no precedent |

Pillar V — Information Sharing (Art. 45-49): Grade D

Information sharing is the least developed pillar. Art. 45's permissive language ("may exchange") has contributed to limited uptake. Few institutions have established formal information sharing arrangements, and threat intelligence participation remains concentrated among the largest institutions.

What's working: Awareness of the information sharing framework exists. Some institutions participate in ISACs and sectoral threat intelligence communities. The NoName057(16) takedown provided a compelling case study for the value of shared intelligence.

What's not working: Formal Art. 45 arrangements are rare. TLP-compliant handling procedures are not widely implemented. Threat intelligence consumption is passive (receiving feeds) rather than active (contributing and collaborating). Smaller institutions are largely excluded from information sharing due to resource constraints.

The Survey Data: What the Industry Says

The two most cited surveys from Year One paint a consistent picture:

Deloitte survey: 25% confident. Only one in four financial institutions expressed confidence in their DORA compliance posture. The remaining 75% acknowledged gaps ranging from "minor adjustments needed" to "fundamental programme required."

EMEA survey: 96% not resilient enough. Nearly all surveyed financial firms acknowledged that their operational resilience is not where it needs to be. This figure captures not just DORA compliance but broader operational resilience capability.

46% identified the Register as the hardest challenge. The Register of Information was the single most labor-intensive deliverable, requiring cross-functional data collection, criticality assessment, and format compliance.

22% called for simplification. One in five respondents advocated for simplification of DORA requirements, reflecting proportionality concerns — particularly among smaller entities where compliance costs represent 2-5% of revenue.

The Enforcement Landscape: Grace Period Ending

The most significant non-event of Year One was the absence of public enforcement actions. No supervisor imposed a DORA penalty. No institution was publicly cited for non-compliance. No CTPP received a formal recommendation.

This was deliberate, but it is ending. Multiple regulatory signals — the ESAs' 2026 Work Programme, national supervisory guidance (BaFin, CBI, AMF), and the operational readiness of JET (Joint Examination Team) examination frameworks — indicate that 2026 marks the transition from observation to interventionist supervision.

The enforcement trajectory is likely phased: remediation demands (Q1-Q2 2026), supervisory measures (Q2-Q3 2026), and financial penalties (H2 2026 onward). The first enforcement targets will be clear-cut, well-documented deficiencies: Register incompleteness, incident reporting timeline failures, and Art. 5 governance gaps.

The Art. 58 Question: Scope Expansion

DORA's review clause (Art. 58) reached its first milestone on January 17, 2026. The ESAs submitted their Joint Report on auditor inclusion in December 2025. The European Commission must now decide whether to bring statutory auditors and audit firms within DORA's scope.

The question is significant beyond its immediate subject. Art. 58 is the mechanism through which DORA's scope can expand. If auditors are included, the precedent extends to other financial ecosystem participants: credit rating agencies, financial advisors, data analytics providers, RegTech vendors. The Commission's decision will signal how aggressively the EU intends to extend operational resilience requirements.

The Global Context: DORA as Standard-Setter

DORA does not exist in isolation. The UK's operational resilience framework (PS 16/24, effective January 2025) provides a parallel regime with a different philosophical approach (outcome-based vs. prescriptive). GCC financial centers (CBUAE, SAMA) are developing cloud-focused resilience frameworks influenced by DORA. APAC regulators (MAS, HKMA) are watching DORA's implementation closely.

The evidence from Year One suggests DORA is becoming the de facto global reference framework for financial sector operational resilience. Its prescriptive detail provides a concrete implementation standard that other jurisdictions can adapt. Its CTPP oversight regime is the first direct supervisory mechanism for technology providers serving the financial sector. Its testing framework (particularly TLPT) sets the bar for resilience validation.

| Jurisdiction | Framework | Relationship to DORA |
|---|---|---|
| EU (27 states) | DORA (EU 2022/2554) | Primary framework — 22,000 entities in scope |
| UK | PS 16/24 (FCA/PRA) | Parallel regime — outcome-based, effective same month |
| GCC (UAE, Saudi) | CBUAE/SAMA cloud guidelines | Influenced by DORA — cloud resilience focus |
| APAC (Singapore, HK) | MAS TRM, HKMA OR framework | Watching DORA — convergence likely over time |
| US | OCC/FFIEC guidance | Fragmented — no single DORA equivalent |
| Morocco | BAM PCA/PRA | Cross-Mediterranean alignment with DORA |

The Year Two Agenda

Year Two's agenda is clear, driven by the convergence of enforcement readiness and persistent compliance gaps:

For supervisors: Transition from observation to enforcement. Conduct first JET examinations of designated CTPPs. Issue first remediation demands and supervisory measures. Establish enforcement precedents that define the regime's operational parameters.

For large institutions: Complete contract renegotiation programmes. Validate exit strategies through testing. Mature testing programmes from technical security testing to comprehensive operational resilience testing. Build CTPP engagement management capabilities.

For mid-size institutions: Close Pillar IV gaps (Register accuracy, exit strategies, concentration risk). Formalize testing programmes. Establish incident reporting procedures that consistently meet timeline requirements.

For small institutions: Leverage Art. 4 proportionality and Art. 16 simplified framework. Focus on core Pillar I and Pillar II requirements. Consider shared service approaches to manage compliance costs.

For CTPPs: Prepare for first JET examinations. Establish EU subsidiaries (12-month deadline from November 2025 designation). Build regulatory engagement capabilities. Develop financial-sector-specific operational resilience documentation.

The Verdict at One Year

DORA's first year was a construction year — building frameworks, collecting data, establishing oversight mechanisms, and observing. The regulation's thesis — that the financial sector's ICT dependency creates systemic risks requiring regulatory intervention — was validated by every major incident of 2025. The regulatory infrastructure for enforcement is in place. The industry data shows persistent gaps that enforcement will need to address.

The 25% who are confident in their compliance have a head start. The 96% who acknowledge their resilience is insufficient have a clear mandate. And the 22,000 entities in scope have one inescapable reality: DORA's grace period is over. Year Two is the year that compliance becomes operational and enforcement becomes real.


This analysis reflects DORA Regulation (EU) 2022/2554 milestones, supervisory publications, industry survey data, and real-world incidents through January 17, 2026 — the first anniversary of DORA's application.