Case Studies
Real-World DORA Compliance Transformations
How financial institutions across Europe are navigating operational resilience regulation — with measurable outcomes, honest lessons, and actionable insights.
The 2025 Iberian Blackout: DORA's First Real-World Stress Test
On April 28, 2025, a cascading power failure knocked out 15 GW across Spain and Portugal in five seconds, plunging 60 million people into darkness and crippling financial services infrastructure for hours — just three months after DORA became applicable.
People Affected: 60 million (Spain + Portugal combined)
Power Lost: 15 GW in 5 seconds (60% of Spain's demand)
Card Spending Drop: -41 to 42% (ECB Economic Bulletin data)
E-commerce Spending Drop: -54% (ECB Economic Bulletin data)
Blackout Duration: ~10 hours (full POS/ATM restoration next morning)
Estimated GDP Losses: EUR 400M-1.6B (broader impact EUR 2-3B)
CrowdStrike/Microsoft Global Outage: The Concentration Risk DORA Was Designed to Prevent
On July 19, 2024, a faulty CrowdStrike Falcon sensor update crashed approximately 8.5 million Windows devices globally, disrupting banks, payment processors, and insurers worldwide.
ION Trading Group Ransomware Attack: When a Critical Derivatives Infrastructure Provider Goes Dark
On January 31, 2023, the LockBit ransomware group attacked ION Trading Technologies, a Dublin-based provider of critical derivatives trading infrastructure, forcing 42 clients including major clearing firms to revert to manual processing.
ECB Cyber Resilience Stress Test 2024: What 109 Banks Revealed About Recovery Gaps
In 2024, the European Central Bank conducted its first-ever cyber resilience stress test across 109 directly supervised banks, finding that while response frameworks exist, significant recovery capability gaps remain.
DNB DORA Preparedness Survey: Why Dutch Financial Institutions Underestimated the Scope
De Nederlandsche Bank surveyed Dutch financial institutions on DORA readiness in 2024, finding widespread underestimation of the regulation's scope and complexity, particularly around ICT risk management frameworks and third-party oversight.
ESMA Register of Information: The Art. 28(3) Data Challenge That Caught the Sector Off Guard
Financial entities across the EU faced their first mandatory submission of the register of information on ICT third-party arrangements under DORA Art. 28(3), revealing widespread data completeness challenges and operational complexity.
Travelex Ransomware Attack (2019): What DORA Would Have Required
On December 31, 2019, Travelex — a major foreign exchange services provider to global banks — was hit by REvil ransomware, taking systems offline for weeks, disrupting bank customers, and ultimately contributing to the company entering administration.
France's National Bank Account Database Breach: 1.2 Million Records and DORA's Incident Reporting Test
In February 2026, attackers exfiltrated 1.2 million records from FICOBA — France's national registry linking citizens to bank accounts — exposing the tension between centralized financial databases and DORA's incident reporting requirements.
Seedworm APT in US Bank Networks: Iranian Cyber Warfare Meets Financial Infrastructure
In March 2026, security researchers revealed that Seedworm (MuddyWater), an Iranian state-sponsored APT group, had infiltrated multiple US financial institution networks — raising urgent questions about nation-state threats to banking infrastructure.
US Banks on High Alert: Financial Sector Cyber Mobilization During the Iran War
In March 2026, US financial regulators and banks activated emergency cyber defense protocols as military conflict with Iran escalated — testing the financial sector's ability to coordinate defense against anticipated retaliatory cyberattacks.
ASIC vs FIIG Securities: Australia's Landmark Cybersecurity Civil Penalty for Financial Services
In March 2026, the Australian Securities and Investments Commission (ASIC) obtained landmark civil penalties against FIIG Securities for cybersecurity failures — establishing a regulatory precedent with direct implications for DORA enforcement in Europe.
Capital One Days-Long Outage and Class Action: When Banking Infrastructure Fails
In January 2025, Capital One suffered a multi-day outage that locked customers out of accounts, delayed direct deposits, and triggered a class action lawsuit — demonstrating the legal and operational consequences of inadequate resilience.
ECB Multi-Trillion Payment System Outage: When Europe's Financial Plumbing Breaks
In late February 2025, the European Central Bank's TARGET/T2 payment system — processing trillions of euros in interbank settlements daily — suffered outages that disrupted the financial backbone of the eurozone.
NatWest Locks Out Millions: The June 2025 App Failure That Tested Mobile-Only Banking
In June 2025, NatWest's mobile banking app suffered a major failure that locked out millions of customers, reigniting the debate about the resilience of mobile-first banking strategies in the UK.
Cloudflare Outage Cascades Into DeFi: When Internet Infrastructure Concentration Meets Finance
In November 2025, a Cloudflare outage cascaded into decentralized finance protocols and traditional fintech services, demonstrating that even "decentralized" financial systems depend on concentrated internet infrastructure.
Iranian Strikes on Data Centers: A Legal Analysis Under International Law and DORA
In March 2026, legal scholars analyzed the implications of Iranian retaliatory strikes potentially targeting data centers in the Gulf region — raising unprecedented questions about the intersection of armed conflict, international law, and digital operational resilience.
The UK-EU Critical Third-Party MoU: Post-Brexit Regulatory Cooperation on Cloud Oversight
In January 2026, the Bank of England and EU supervisory authorities signed a memorandum of understanding on the oversight of critical third-party technology providers — the first concrete post-Brexit regulatory cooperation mechanism for cloud and ICT infrastructure oversight.
ECB Annual Report on Supervisory Activities 2025: What the Numbers Reveal About Digital Resilience
The ECB's March 2026 annual report on supervisory activities provided the first comprehensive post-DORA dataset on digital resilience across eurozone banks — revealing significant gaps between compliance documentation and operational reality.
Microsoft's Concentration Risk Framework: A Cloud Provider Writes Its Own DORA Compliance Guide
In February 2026, Microsoft published a comprehensive framework for managing cloud concentration risk and exit strategies under DORA — the first major cloud provider to proactively address its own systemic importance.
AWS Officially Confirms Bahrain Region 'Disrupted' Following Drone Activity
On March 24, 2026, Reuters exclusively reported that AWS officially confirmed service disruptions to its Bahrain cloud region (me-south-1) following military drone activity in the Gulf — the first confirmed case of a major cloud region disrupted by armed conflict.
India's Data Center Boom: How the Gulf Strikes Accelerated South Asia's Cloud Ambitions
Following military strikes near Gulf data centers in March 2026, India emerged as the primary beneficiary of cloud workload migration — with financial institutions rapidly shifting critical infrastructure to Indian cloud regions perceived as geopolitically safer.
Goldman at 30% Recession Odds: When Geopolitical Conflict Creates Systemic Financial Stress
On March 25, 2026, Goldman Sachs raised its US recession probability to 30% amid Iran conflict-driven oil price shocks — demonstrating how geopolitical events create cascading stress across financial systems that operational resilience must withstand.
White House Cybercrime Executive Order 2026: Implications for Financial Institutions
On March 24, 2026, the White House issued an executive order strengthening cybercrime enforcement and cross-sector cybersecurity requirements — with direct implications for financial institutions operating in or connected to the US financial system.
HSBC Digital Banking Outage: When a Global Bank's App Goes Silent
In August 2025, HSBC experienced a significant digital banking outage affecting mobile and online banking services for customers across multiple markets.
TD Bank System Failure: The November 2025 Outage That Hit North American Banking
In November 2025, TD Bank experienced a system failure that disrupted banking services for millions of customers across the US and Canada.
Bangladesh Central Bank Server Failure: Digital Banking Disruption in an Emerging Market
In December 2025, Bangladesh Bank experienced a critical server failure disrupting digital banking services across the country.
Santander Online Banking Down: Another Day, Another Major Bank Outage
In March 2025, Santander online banking went down — adding to the pattern of recurring major bank outages in the first months of DORA applicability.
Astaroth Banking Trojan: How WhatsApp Became a Vector for Financial Malware in Brazil
In January 2026, the Astaroth banking trojan was distributed through WhatsApp in Brazil, demonstrating how messaging platform dependencies create novel attack vectors.
BPI and the 2026 National Cybersecurity Strategy: Banking Industry's Response to Evolving Threats
On March 6, 2026, the Bank Policy Institute published its response to the 2026 National Cybersecurity Strategy, closely aligning with DORA principles.
NYT Analysis: How U.S. Tech Giants in the Gulf Became Military Targets
The New York Times analyzed how US technology infrastructure concentration in the Gulf created a novel military target category with implications for financial institutions.
Iranian Drone Strikes Test the Gulf's Trillion-Dollar AI Dream
Rest of World analyzed how Iranian strikes threatened the Gulf states' AI and data center investments with cascading implications for financial AI.
Iran Warns U.S. Tech Firms: 'You Could Become Targets'
WIRED reported Iran's explicit warning to US tech companies that their Gulf infrastructure could become military targets — the first public state-actor threat to civilian technology infrastructure.
Destructive Attacks on Financial Institutions Surge 13%: The 2025 Cybersecurity Report
Infosecurity Magazine reported a 13% surge in destructive cyberattacks against financial institutions in 2025.
Barclays Three-Day Mainframe Outage: GBP 12.5M in Compensation and the Case for DORA Art. 11
On January 31, 2025, a software problem in Barclays' UK mainframe locked millions of customers out of their accounts for three days — coinciding with payday and the UK tax deadline.
AWS October 2025 Global Outage: 17 Million Reports, Banking Disruption, and DORA's Concentration Thesis Proven
A malfunctioning internal subsystem in AWS northern Virginia triggered one of the largest internet outages on record, suspending trading on Coinbase and locking customers out of Lloyds and Bank of Scotland.
AWS Dubai AZ Outage 2026: When DORA's CTPP Framework Meets Gulf Financial Infrastructure
An availability zone failure in AWS's UAE region (me-central-1) disrupted financial services workloads across the Gulf — testing DORA's extraterritorial reach and the cloud concentration assumptions of an entire region.
Marquis Software Solutions: One Vendor, 74 Banks, 672,000 People Exposed — The DORA Third-Party Risk Nightmare
The Akira ransomware group exploited a single SonicWall firewall vulnerability to breach one vendor and compromise customer data across 74 US banks.
Azure Front Door Global Outage: $4.8B-$16B in 8 Hours and the Multi-Cloud Reality Check
A configuration change in Azure Front Door cascaded into an approximately 8-hour global disruption, impacting Barclays, Lloyds, and Bank of Scotland — with estimated losses in the billions.
Evolve Bank & Trust: $11.85M Settlement After BaaS Supply Chain Breach — The DORA Subcontracting Warning
LockBit ransomware compromised Evolve Bank, exposing 18 million individuals through the Synapse Financial Technologies BaaS chain — resulting in the largest US banking breach settlement of 2025.
Santander/Snowflake Breach: When Your Cloud Data Platform Becomes the Entry Point
Stolen Snowflake credentials obtained via infostealer malware exposed Santander customer data across three countries — part of a broader campaign that compromised over 160 organizations.
Register of Information: What the First Submission Taught 22,000 Financial Entities About Their Own Supply Chains
The April 2025 Register of Information submission was the first time most financial entities attempted to comprehensively document their ICT third-party arrangements — and the results revealed systemic blind spots.
The 19 CTPPs: How ESA Designation Changed the Cloud Provider-Bank Relationship Forever
On November 18, 2025, the ESAs designated 19 Critical Third-Party Providers — including AWS, Google, Microsoft, Oracle, and SAP — subjecting them to direct EU supervisory oversight for the first time.
Nordic Banks DORA Implementation: How Scandinavian Financial Institutions Built a Shared Resilience Framework
Facing DORA's requirements with lean compliance teams, Nordic financial institutions pooled resources, shared testing infrastructure, and developed common frameworks — achieving faster compliance at lower cost.
A French Banking Group's EUR 100M DORA Programme: Lessons From the Largest Known Implementation
One of Europe's largest financial groups invested nearly EUR 100 million in its DORA compliance programme — the most expensive known implementation. Here's what they learned.
DDoS Campaigns Against Italian Financial Infrastructure: NoName057, Geopolitics, and DORA's Information Sharing Response
Pro-Russian hacktivists launched over 1,500 DDoS attacks across Europe, repeatedly targeting Italian banks and financial infrastructure — until Europol dismantled the operation in July 2025.
Lloyds, Halifax, TSB, Nationwide — All Down on Payday: The Multi-Bank Outage DORA Was Designed to Prevent
On February 28, 2025, four major UK banks simultaneously failed to process transactions on payday — the single most critical day of the month for consumer banking.
Deutsche Bank India Deepfake CEO Fraud: EUR 120K Lost and the DORA Training Requirement That Could Have Prevented It
A senior Deutsche Bank India executive transferred EUR 120,000 after a deepfake video call impersonating the CEO — demonstrating how AI-powered social engineering bypasses technical controls.
DORA Penalty Framework: How 27 Member States Created a Patchwork of Enforcement — And What It Means for Cross-Border Institutions
Despite DORA being a directly applicable EU Regulation, member states created dramatically different penalty regimes — from EUR 2 million in the Czech Republic to EUR 20 million in Italy and 10% of turnover in Sweden.