DORA's Real Test Starts Now: IBM's One-Year Assessment and What It Reveals

One year after DORA's application date of January 17, 2025, IBM published what may be the most significant independent assessment of the regulation's real-world impact. Released on February 5, 2026, the report draws on data from over 200 European financial institutions across banking, insurance, payment services, and market infrastructure.
The headline finding is sobering: 78% of institutions report that they have achieved formal DORA compliance, but only 23% can demonstrate that their resilience capabilities are tested, operational, and effective. The 55-point gap between documentation and demonstrated capability is the defining challenge for DORA's second year.
The Paper-Reality Gap: Five Systemic Weaknesses
IBM's assessment identified five systemic weaknesses that separate institutions with genuine operational resilience from those with compliance documentation.
1. Testing Maturity: The Biggest Gap
Only 31% of surveyed institutions had conducted DORA-compliant resilience testing within the first year. Of those, only 12% had tested scenarios beyond basic disaster recovery — the "advanced testing" that Articles 26-27 require for significant financial entities through threat-led penetration testing (TLPT).
| Testing Maturity Level | Percentage of Institutions | DORA Requirement |
|---|---|---|
| No formal resilience testing conducted | 28% | Non-compliant with Art. 24 |
| Basic DR testing only (failover/restore) | 41% | Partially compliant — insufficient scenario breadth |
| Scenario-based testing (multiple scenarios) | 19% | Compliant with Art. 25 |
| TLPT conducted or scheduled | 12% | Compliant with Art. 26-27 (where applicable) |
The testing gap is particularly concerning because testing is the mechanism through which theoretical resilience becomes proven resilience. A business continuity plan that has never been tested under realistic conditions is an assumption, not a capability.
IBM noted that the most common barrier to testing was not budget but organizational willingness to accept the risk of testing: "Institutions fear that testing will expose weaknesses that create regulatory liability. This fear creates a paradox where the act of compliance — testing — is avoided precisely because of compliance concerns."
2. Third-Party Visibility: The Blind Spot
DORA Article 28 requires a comprehensive register of information on ICT third-party arrangements. IBM found that while 82% of institutions had created a register, the quality of the information in it varied dramatically.
The most common gap was visibility into the subcontracting chain. Institutions knew their direct cloud provider but could not identify the underlying infrastructure providers, cable operators, or fourth-party dependencies. This blindness was dramatically exposed when the Gulf crisis revealed dependencies that no institution had mapped.
3. Incident Reporting Speed: The 4-Hour Challenge
IBM tested incident reporting readiness by asking institutions to simulate a major incident classification and notification process. The results were revealing:
| Metric | Target (DORA Art. 19) | Actual (IBM Test) | Gap |
|---|---|---|---|
| Time from detection to classification | Not specified (implicit: rapid) | Average 14 hours | Classification criteria unclear |
| Time from classification to initial notification | 4 hours | Average 6.2 hours | Process bottlenecks |
| Completeness of initial notification | All required fields | Average 62% of fields completed | Template/process gaps |
| Time to intermediate report | 72 hours | Average 84 hours | Evidence collection delays |
The 4-hour initial notification requirement proved to be the hardest operational challenge. Most institutions had the technical capability to submit a notification within 4 hours but lacked the organizational processes to classify an incident, obtain management approval for the classification, and prepare the notification content within that timeframe.
4. Board Engagement: Checking the Box
DORA Article 5(2) places responsibility for the ICT risk management framework on the management body. IBM found that while 89% of boards had formally approved their DORA framework, the depth of board engagement varied significantly:
- Active governance (18%): Board receives quarterly ICT risk briefings with metrics, challenges testing results, and questions third-party concentrations.
- Informed oversight (35%): Board receives annual ICT risk reports, approves the framework, but does not actively interrogate its effectiveness.
- Formal compliance (36%): Board has approved the framework document but delegates all operational aspects without meaningful oversight.
- Absent (11%): No board-level DORA governance in place.
The distinction between formal compliance and active governance is critical. DORA Article 14 requires the management body to "define, approve, oversee and be responsible for the implementation" of the ICT risk management framework. "Approve and forget" does not meet this standard.
5. Evidence Management: The Hidden Challenge
IBM identified evidence management as a weakness that few institutions had anticipated. DORA requires demonstrable compliance — not just documentation of policies, but evidence of their implementation, testing, and effectiveness.
The evidence management challenge is compounded by the regulation's requirement for traceability. Under DORA, every risk decision, test result, incident response action, and third-party assessment must be traceable and auditable. Institutions that manage compliance through spreadsheets and email threads cannot produce this level of traceability.
Sector-Specific Findings
IBM's assessment broke down findings by sector, revealing significant maturity differences:
| Sector | Formal Compliance | Demonstrated Capability | Key Gap |
|---|---|---|---|
| G-SIBs and D-SIBs | 95% | 42% | Testing scope insufficient |
| Mid-tier banks | 81% | 22% | Third-party visibility |
| Insurance companies | 72% | 18% | Incident reporting processes |
| Payment institutions | 68% | 15% | Board governance |
| Asset managers | 61% | 12% | ICT risk framework maturity |
| Trading venues | 88% | 35% | Evidence management |
Systemically important banks had the highest compliance rates but still showed a significant gap between documentation and demonstration. Their advantage was primarily in testing maturity, reflecting pre-DORA investment in business continuity and disaster recovery testing.
Smaller institutions — payment companies, asset managers, fintech firms — showed the largest gaps. The proportionality principle in DORA was intended to calibrate requirements to institutional size and complexity, but IBM found that many smaller institutions interpreted proportionality as an exemption rather than a calibration.
What the Assessment Means for Year Two
IBM's assessment paints a picture of an industry that has taken DORA seriously on paper but has not yet internalized its operational requirements. The year-two agenda is clear:
1. Move from Documentation to Demonstration
The 55-point gap between compliance documentation (78%) and demonstrated capability (23%) must close. Supervisory authorities will increasingly expect institutions to demonstrate — not just document — their resilience capabilities. The EBA and national competent authorities will use on-site inspections and scenario-based assessments to test whether documented capabilities are real.
2. Close the Testing Gap
Testing maturity must increase dramatically. The 28% of institutions with no formal resilience testing are in clear regulatory jeopardy. Even the 41% conducting basic DR testing need to expand their scenario repertoire to include the kinds of multi-vector threats that the 2026 geopolitical landscape has demonstrated.
3. Deepen Third-Party Visibility
The register of information must go beyond listing direct providers. The subcontracting chain, geographic dependencies, and concentration risk dimensions must be mapped. The Gulf crisis has made this urgently practical, not just regulatory.
4. Professionalize Incident Reporting
The 4-hour notification requirement demands pre-built processes, pre-authorized classifications, and pre-populated templates. Institutions that rely on ad-hoc processes during a crisis will consistently miss the timeline. Simulation exercises — the equivalent of fire drills for incident reporting — should become routine.
5. Invest in Evidence Infrastructure
The transition from spreadsheet-based compliance to evidence-managed resilience requires tooling. Audit-ready evidence chains — linking risk assessments to control implementations to test results to incident responses — cannot be maintained manually at scale. Institutions that invest in evidence management infrastructure now will have a significant advantage in supervisory examinations.
Conclusion
IBM's one-year assessment confirms what many practitioners suspected: DORA compliance and operational resilience are not the same thing. Compliance is achieved by documenting policies, appointing responsible persons, and creating registers. Resilience is achieved by testing those policies under stress, demonstrating that they work, and maintaining evidence that proves it.
The 55-point gap is not a failure of the regulation — it is a feature of any regulatory framework in its first year. Institutions prioritize documentation first because that is what supervisors can most easily verify. Operational capability follows as supervisory expectations mature.
The good news is that the foundation is in place. With 78% of institutions having created the formal compliance structure, the hard part — building genuine operational resilience on top of that structure — can now begin.
The bad news is that the geopolitical environment of 2026 is not waiting for institutions to close the gap. The Gulf crisis, the Seedworm campaign, and the French banking breach are testing resilience capabilities that many institutions have documented but not yet demonstrated. DORA's real test starts now.
See also: DORA One-Year Retrospective | ECB Supervisory Priorities 2026-28 | DORA Enforcement Outlook 2026
Summary (translated from French)
On February 5, 2026, IBM published its comprehensive one-year assessment of DORA, based on data from more than 200 European financial institutions. The main finding is a 55-point gap between documentary compliance (78%) and demonstrated operational capability (23%). Five systemic weaknesses are identified: testing maturity (28% have carried out no formal testing), third-party visibility (only 15% have complete registers that include subcontractors), incident reporting speed (an average of 6.2 hours versus the 4 hours required), board engagement (only 18% practise active governance), and evidence management (only 12% have audit-ready evidence chains). The year-two agenda is clear: move from documentation to demonstration, close the testing gap, deepen third-party visibility, professionalize incident reporting, and invest in evidence management infrastructure.