# DORA Year One: What Changed, What Didn't, and What Comes Next

## The Promise and the Reality
January 17, 2025 was the date the financial sector had circled for three years. DORA — the Digital Operational Resilience Act — became applicable across the European Union, bringing 22,000 financial entities under a single operational resilience framework for the first time. The regulation promised to transform how banks, insurers, investment firms, and financial market infrastructure manage ICT risk.
Eleven months in, it is possible to assess what that transformation looks like in practice. The answer is nuanced: significant structural progress coexists with persistent gaps, ambitious frameworks are deployed alongside immature implementations, and a supervisory regime designed for enforcement has spent its first year primarily observing.
## What Changed: The Structural Milestones
### The Register of Information (April 2025)
The first mandatory data submission under DORA — the Register of Information required by Art. 28(3) — was completed by the April 11, 2025 deadline. For many institutions, this was the hardest deliverable of Year One. The 46% of respondents in the initial compliance survey who identified the Register as their biggest challenge were not exaggerating: mapping every ICT third-party service relationship, classifying criticality, documenting sub-outsourcing chains, and producing the data in the EBA's prescribed format required months of cross-functional effort.
The Register submissions gave supervisors their first comprehensive view of the financial sector's ICT dependency landscape. The data revealed patterns that informed subsequent supervisory priorities: the concentration of critical services on a small number of cloud providers, the opacity of sub-outsourcing chains, and the prevalence of contracts that predate DORA and lack Art. 30's mandatory provisions.
### TLPT RTS (June-July 2025)
The Regulatory Technical Standards (RTS) for Threat-Led Penetration Testing (TLPT) under Art. 26 were published in June 2025 and entered into force in July. The TLPT framework — modeled on the TIBER-EU methodology — established the most demanding testing standard in DORA's toolkit: live-system penetration testing conducted by authorized threat intelligence and red team providers, with national competent authority (NCA) oversight of the entire process.
The TLPT RTS clarified scope, methodology, and reporting requirements. Critically, they also established the proportionality boundaries: TLPT applies only to financial entities identified by their competent authority, based on systemic importance and risk profile. This gave smaller institutions clarity that TLPT was not their immediate obligation.
### 19 CTPPs Designated (November 2025)
The designation of 19 Critical Third-Party Providers under Art. 31 was DORA's most structurally significant milestone. For the first time, EU financial regulators gained direct oversight authority over technology companies — including hyperscale cloud providers (AWS, Google Cloud, Microsoft, Oracle), enterprise software companies (SAP), financial data providers (Bloomberg), and financial technology platforms (FIS, Temenos).
The designation activated the full oversight machinery of Art. 31-44: Lead Overseer assignment, Joint Examination Team authority, information request powers, and the penalty framework. Non-EU CTPPs were given 12 months to establish EU subsidiaries.
| Year One milestone | Date | Significance |
|---|---|---|
| DORA becomes applicable | January 17, 2025 | Legal obligations take effect for 22,000 entities |
| Register of Information deadline | April 11, 2025 | First mandatory data submission; supervisor visibility into ICT dependencies |
| TLPT RTS published | June 2025 | Advanced testing framework defined |
| TLPT RTS in effect | July 2025 | Testing obligations enforceable |
| ESAs (European Supervisory Authorities) oversight guide published | July 15, 2025 | Practical manual for CTPP supervision |
| BaFin guidance published | August 2025 | Germany's supervisor sets detailed expectations |
| 19 CTPPs designated | November 18, 2025 | Direct regulatory oversight of technology providers activated |
## What Didn't Change: The Persistent Gaps
### The Confidence Deficit
The numbers are sobering. Deloitte's survey found only 25% of financial institutions confident in their DORA compliance posture. A broader EMEA survey revealed that 96% of top financial firms acknowledge their resilience is not where it needs to be. These figures, collected at different points during 2025, paint a consistent picture: the industry knows what DORA requires, but most institutions have not yet achieved it.
The confidence deficit is not uniform across pillars. Pillar I (ICT Risk Management Framework) — which maps most closely to pre-existing regulatory requirements (EBA Guidelines on ICT risk, national supervisory expectations) — shows the highest compliance rates. Pillar IV (Third-Party Risk Management) — which introduces the most novel requirements (Register of Information, CTPP oversight, concentration risk assessment, exit strategies) — shows the widest gaps.
| DORA Pillar | Industry readiness (estimated) | Key gap |
|---|---|---|
| Pillar I: ICT Risk Management | 60-70% | Art. 8 asset identification completeness; Art. 10 detection capability gaps |
| Pillar II: Incident Management | 50-60% | Art. 19 reporting timeline compliance; classification consistency |
| Pillar III: Resilience Testing | 40-50% | Testing programme formalization; TLPT readiness for designated entities |
| Pillar IV: Third-Party Risk | 30-40% | Register completeness; Art. 30 contractual gaps; exit strategy credibility |
| Pillar V: Information Sharing | 20-30% | Few formal Art. 45 arrangements; limited threat intelligence participation |
### The Contract Problem
Art. 30's mandatory contractual provisions created a mass contract renegotiation requirement that the industry has not completed. Existing contracts with ICT service providers — many signed before DORA was even proposed — frequently lack provisions for audit rights (Art. 30(2)(e)), subcontracting notification (Art. 30(2)(a)), data access and return (Art. 30(3)), and termination assistance (Art. 30(2)(f)).
Renegotiating these contracts with large, powerful technology providers is not a simple matter. Cloud providers, in particular, have standardized terms that they modify reluctantly. The negotiation dynamic between a mid-sized bank and a hyperscale cloud provider is asymmetric. DORA shifts some of this power balance — particularly now that cloud providers are designated CTPPs under direct regulatory oversight — but contract renegotiation remains a multi-year programme for most institutions.
### The Testing Gap
Art. 24-27 require formal testing programmes with results that feed into the ICT risk management framework. While institutions routinely conduct penetration tests, vulnerability assessments, and disaster recovery exercises, few had formalized these activities into the kind of structured, documented, evidence-producing testing programme that DORA envisions.
The gap is not about testing capability — it is about testing governance. An institution may conduct 50 security tests per year but lack: a formal testing policy approved by the management body, a risk-based methodology for selecting test scope, documented evidence linking test results to risk assessment updates, and a process for tracking remediation of identified vulnerabilities to closure.
## What Year One Taught Us
### Lesson 1: Compliance is Not Resilience
The institutions that treated DORA as a compliance exercise — filling in templates, producing documents, ticking boxes — discovered that documentation without operational substance is brittle under stress. The Iberian blackout, the AWS October outage, and the multiple Azure disruptions during 2025 tested operational resilience in ways that compliance documentation cannot simulate.
The institutions that fared best during these events were those that had invested in genuine operational capabilities: tested business continuity plans, practiced incident response procedures, multi-region cloud architectures, and information sharing arrangements that provided early warning. These investments predated DORA in many cases but aligned with its requirements.
### Lesson 2: Third-Party Risk is the Hardest Pillar
The Register of Information was the most labor-intensive deliverable. Contractual renegotiation with powerful providers is the slowest. Exit strategy development for deeply embedded technologies is the most uncertain. And concentration risk assessment — quantifying the systemic exposure created by dependence on a small number of providers — requires analytical capabilities that most institutions had not developed.
Pillar IV's difficulty reflects its novelty. While ICT risk management (Pillar I) and incident management (Pillar II) had regulatory precursors in EBA Guidelines and national supervisory expectations, Pillar IV's comprehensive third-party risk framework was genuinely new for most institutions.
### Lesson 3: Supervisors Are Building, Not Enforcing
No public enforcement actions were taken during 2025. This was deliberate. Supervisors spent the year building examination capacity, training staff, analyzing Register data, publishing guidance, and establishing coordination mechanisms with the ESAs. The July 2025 oversight guide and the November CTPP designations were products of this capacity-building phase.
The absence of enforcement should not be confused with the absence of supervision. NCAs conducted desk-based reviews, issued thematic inquiries, and held bilateral discussions with institutions. The supervisory intelligence gathered during 2025 will inform the enforcement priorities of 2026. Institutions that mistook the quiet year for permanent leniency are miscalibrated.
### Lesson 4: The Industry Needs Time — But Not Unlimited Time
The 22% of survey respondents who called for simplification of DORA requirements reflect a genuine concern: the regulation's scope and detail impose significant costs, particularly on smaller entities. Art. 4's proportionality principle and Art. 16's simplified framework provide some relief, but the practical application of proportionality remains inconsistent.
Supervisors have implicitly acknowledged this by adopting an observation-first approach in 2025. But this accommodation is finite. The shift to interventionist supervision in 2026 signals that the industry's adjustment period is ending.
## What Comes Next: The 2026 Enforcement Shift
The signals from supervisors across the EU point in one direction: 2026 marks the transition from observation to enforcement.
- The Central Bank of Ireland has established a dedicated DORA supervision team and conducted initial thematic reviews.
- AMF (France) has published sector-specific guidance and increased engagement with financial market infrastructure operators.
- BaFin (Germany) published its most detailed guidance in August 2025, with explicit supervisory expectations for concentration risk and third-party management.
- Consob/Banca d'Italia have signaled heightened focus on incident reporting compliance, driven partly by Italy's experience as a primary target of hacktivist DDoS campaigns.
- CSSF (Luxembourg) has engaged with the fund management sector on third-party risk management and proportionality for smaller entities.
The ESAs' Joint Examination Team (JET) framework is operational under Delegated Regulation 2025/420. Register of Information data is available to supervisors. The 19 CTPPs are under direct oversight. The infrastructure for enforcement is in place; what remains is the decision to use it.
### Expected First Enforcement Targets
Based on the supervisory signals from Year One, the most likely first enforcement areas are:
- Register of Information deficiencies. Institutions that submitted incomplete or inaccurate registers — particularly those that failed to document sub-outsourcing chains or misclassified function criticality — are the most transparent enforcement targets. The supervisory data exists; the deficiency is documented.
- Incident reporting failures. An institution that experiences a major ICT incident and fails to report within Art. 19's timelines provides a clear enforcement case with identifiable harm. The increasing frequency of cloud outages and cyber incidents means these cases will arise organically.
- Governance obligations. Art. 5's management body obligations — framework approval, training, reporting — are verifiable through documentation. An institution whose board has not approved an ICT risk management framework or whose directors have not completed ICT risk training has a demonstrable compliance gap.
## The Year Two Imperative
DORA's first year established the framework. Year Two will test it. The institutions that enter 2026 with genuine operational resilience capabilities — tested, documented, and integrated into daily operations — will navigate the enforcement shift with confidence. Those that enter 2026 with compliance documentation but untested capabilities will discover the gap between paper and practice at the worst possible moment.
The 96% who admit their resilience is not where it needs to be have one more year — but only one — before the distinction between aspiration and achievement becomes an enforcement matter.
This analysis reflects DORA Regulation (EU) 2022/2554 milestones through November 2025, supervisory publications, and industry survey data from Deloitte and EMEA financial sector assessments.