A French Banking Group's EUR 100M DORA Programme: Lessons From the Largest Known Implementation
Sector: Banking
Entity: European G-SIB (French Banking Group)
Period: 2023-2025 (24-month programme; DORA applicable from January 17, 2025)


One of Europe's largest financial groups invested nearly EUR 100 million in its DORA compliance programme — the most expensive known implementation. Here's what they learned.


Key Metrics

Total Programme Investment: ~EUR 100M (largest known DORA implementation)

Programme Duration: 24+ months (three-phase transformation)

Peak FTEs: 40+ at peak (cross-functional: risk, IT, legal, procurement)

Pillar IV Share: ~35% of total spend (third-party risk is the largest single cost driver)

Ongoing Cost Impact: 70% expect permanently higher run costs, compared with the pre-DORA baseline compliance cost (structural increase in the compliance cost base)

The Situation

Programme Anatomy: Where EUR 100M Goes

The programme's budget allocation provides a revealing picture of the relative complexity and cost of each DORA pillar for a G-SIB.

Pillar IV — Third-Party Risk Management: ~35% of total spend (~EUR 35M). Third-party risk management was the largest single cost area. This reflects the fundamental challenge of DORA Art. 28-44 for a G-SIB: mapping, assessing and documenting thousands of ICT service provider relationships, conducting pre-contractual assessments, negotiating the contractual provisions required by Art. 30, building the Register of Information, and establishing ongoing monitoring. The group reported more than 2,000 ICT third-party service arrangements requiring documentation, with several hundred classified as supporting critical or important functions. Each of those critical arrangements required a detailed risk assessment, contractual review, exit strategy documentation (Art. 28(8)) and ongoing monitoring, a cumulative effort that demanded significant legal, procurement, IT and risk management resources.

Technology platform: ~25% of total spend (~EUR 25M). Approximately a quarter of the budget was invested in technology platforms supporting DORA compliance — including ICT risk management tooling, register of information data management, incident classification and reporting systems, resilience testing orchestration, and audit trail infrastructure. The group evaluated build-versus-buy options and ultimately pursued a hybrid approach: adapting existing GRC platforms for some requirements while building custom tooling for DORA-specific needs (register data management, CTPP oversight integration).

Pillar III — Resilience Testing: ~15% of total spend (~EUR 15M). The resilience testing programme — including scenario design, execution, remediation tracking, and TLPT exercises — consumed approximately 15% of the budget. TLPT exercises for G-SIBs are particularly expensive given the scope and complexity of the systems tested.

Pillar I — ICT Risk Management Framework: ~15% of total spend (~EUR 15M). Establishing and documenting the comprehensive ICT risk management framework, including ICT asset inventory, business impact analysis, risk assessment, and board-level governance — required significant investment in process design, documentation, and organizational change.

Pillar II — Incident Management + Pillar V — Information Sharing: ~10% of total spend (~EUR 10M). These pillars required less incremental investment because the group's existing incident management and information sharing capabilities were relatively mature, requiring enhancement and DORA-specific documentation rather than ground-up construction.

People: ~40+ FTEs at peak. McKinsey's analysis confirmed that the programme required more than 40 full-time equivalent staff at peak — spanning compliance, risk management, IT, legal, procurement, and project management. The staffing challenge was amplified by the scarcity of professionals with expertise in both financial regulation and ICT risk management.

The Challenge

The Hundred-Million-Euro Question

When one of France's largest banking groups — a Global Systemically Important Bank (G-SIB) with operations across multiple continents, hundreds of thousands of employees, and thousands of ICT service relationships — assessed the full scope of DORA's requirements in early 2023, the initial programme estimate was startling: the total investment required for comprehensive DORA compliance across all five pillars would approach EUR 100 million.

This figure, subsequently confirmed through McKinsey analysis of large-bank DORA implementations and industry surveys, represented the largest known DORA compliance investment by any single financial institution. To contextualize: EUR 100 million exceeds the annual IT budgets of many medium-sized European banks. It is comparable to the cost of a major core banking system migration. It is not a compliance cost that any institution undertakes lightly — and its magnitude raised fundamental questions about the economics of operational resilience regulation.

The programme's scale was driven by several factors unique to G-SIB-level institutions:

All five pillars, simultaneously. Unlike smaller institutions that could prioritize specific DORA pillars based on their risk profile, a G-SIB must achieve comprehensive compliance across all five pillars simultaneously: ICT risk management framework (Pillar I), incident management (Pillar II), resilience testing (Pillar III), third-party risk management (Pillar IV), and information sharing (Pillar V). Each pillar required dedicated workstreams, governance, technology investment, and organizational change.

Geographic and organizational complexity. A French G-SIB operates across multiple EU member states (each with its own NCA interpretation of DORA requirements), non-EU jurisdictions (where DORA's extraterritorial implications must be managed), and multiple business lines (retail banking, corporate and investment banking, asset management, insurance, payments) — each with different ICT risk profiles and third-party dependency patterns.

Legacy integration challenge. The group's ICT estate included decades of accumulated technology — mainframes, client-server applications, cloud-native services, acquired bank systems, and vendor platforms. DORA's requirements for comprehensive ICT asset inventory, tested business continuity, and documented third-party arrangements had to be reconciled with this heterogeneous technology landscape.

Existing framework integration. The group already maintained compliance programmes for ISO 27001, PCI DSS, GDPR, BCBS 239, and French national regulations. DORA compliance could not be built as a standalone programme — it had to be integrated with these existing frameworks, leveraging what already existed while filling gaps specific to DORA's requirements.

The Approach

Implementation Strategy and Key Decisions

The French banking group's DORA programme was structured as a 24-month transformation initiative with three phases, each aligned with DORA's staggered requirements and RTS/ITS adoption timeline.

Phase 1: Foundation (Months 1-8)

Gap assessment across all five pillars. The programme began with a comprehensive gap assessment comparing the group's existing capabilities — ISO 27001 certifications, BCBS 239 compliance, existing BCP frameworks, vendor management processes — against DORA's specific requirements. The gap assessment identified three categories of findings: (a) existing capabilities that met DORA requirements with minor adaptation, (b) capabilities requiring significant enhancement, and (c) entirely new requirements with no existing foundation.

Governance establishment. DORA compliance was elevated to board-level governance with a dedicated programme steering committee chaired by the Group Chief Risk Officer. This governance elevation was itself a DORA requirement — Art. 5 mandates that the management body "shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework." The board governance structure ensured that programme decisions had the authority and visibility needed for cross-organizational coordination.

ICT asset inventory. One of the most time-consuming Phase 1 activities was the identification, classification and documentation of ICT-supported business functions, information assets and ICT assets required by Art. 8. The group's technology estate, spanning mainframes, distributed systems, cloud environments and third-party platforms, had never been inventoried to the level of detail DORA requires. Mapping ICT assets to the business functions they support, classifying criticality levels, and documenting dependencies created the foundational data layer for subsequent DORA workstreams.

Phase 2: Build (Months 9-18)

Register of Information construction. The Register of Information (Art. 28(3)) was the most labor-intensive single deliverable. With 2,000+ ICT service arrangements, each requiring identification of the provider, service scope, criticality classification, data types, geographic processing locations, and subcontracting chains, the register construction effort consumed a significant portion of the Pillar IV budget and timeline.
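As an added illustration (not the group's tooling and not the ESAs' official ITS register templates), the completeness check below models one arrangement with the attributes the paragraph lists and flags the gaps a register team would have to close before submission: missing processing locations or data types for any arrangement, and for arrangements supporting critical or important functions, a missing exit strategy (Art. 28(8)), a stale or absent risk assessment, and processing or subcontracting outside the EEA that needs its contractual data-location terms checked. The field names, the 12-month assessment age, the EEA country subset and the sample arrangements are all assumptions constructed for the example.

```python
"""Illustrative Register of Information completeness check.

Added example: field names, thresholds and sample data are assumptions, not
the official ITS template or the bank's own register schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: illustrative subset of EEA country codes the group treats as in-region.
EEA = frozenset({"AT", "BE", "DE", "ES", "FR", "IE", "IT", "LU", "NL", "PL", "PT", "SE"})
MAX_ASSESSMENT_AGE_DAYS = 365  # assumption: critical arrangements reassessed at least yearly


@dataclass(frozen=True)
class Arrangement:
    ref: str
    provider: str
    service: str
    critical: bool                                   # supports a critical or important function
    data_types: tuple[str, ...]                      # e.g. ("personal", "payment")
    processing_countries: tuple[str, ...]            # ISO country codes where data is processed
    subcontractors: tuple[tuple[str, str], ...] = () # (name, country) chain
    exit_strategy: bool = False                      # exit strategy documented (Art. 28(8))
    last_assessment: date | None = None              # date of last risk assessment


def check(a: Arrangement, today: date) -> list[str]:
    """Return the list of register gaps for one arrangement (empty means complete)."""
    issues: list[str] = []
    if not a.provider.strip() or not a.service.strip():
        issues.append("provider or service description missing")
    if not a.processing_countries:
        issues.append("processing location missing")
    if not a.data_types:
        issues.append("data types missing")
    if a.critical:
        if not a.exit_strategy:
            issues.append("critical: exit strategy undocumented (Art. 28(8))")
        if a.last_assessment is None or (today - a.last_assessment).days > MAX_ASSESSMENT_AGE_DAYS:
            issues.append("critical: risk assessment missing or older than 12 months")
        # Walk the whole chain, not just the direct provider: subcontractor locations count too.
        outside = sorted({c for c in a.processing_countries if c not in EEA}
                         | {c for _, c in a.subcontractors if c not in EEA})
        if outside:
            issues.append("critical: processing outside EEA (" + ", ".join(outside)
                          + "); verify contractual data-location terms")
    return issues


def review(register: tuple[Arrangement, ...], today: date) -> tuple[dict[str, list[str]], dict[str, int]]:
    """Check every arrangement and summarise how much of the register is submission-ready."""
    report = {a.ref: check(a, today) for a in register}
    summary = {
        "total": len(register),
        "critical": sum(1 for a in register if a.critical),
        "with_issues": sum(1 for v in report.values() if v),
        "critical_with_issues": sum(1 for a in register if a.critical and report[a.ref]),
    }
    return report, summary


# Constructed sample data (not real arrangements).
TODAY = date(2025, 1, 17)
SAMPLE = (
    Arrangement("ICT-0001", "CloudCo", "core banking hosting", True, ("personal", "payment"),
                ("FR", "IE"), (("DCOps", "DE"),), True, date(2024, 9, 1)),
    Arrangement("ICT-0002", "PayGateway", "card authorisation", True, ("payment",),
                ("FR",), (("SupportCo", "IN"),), False, date(2023, 11, 15)),
    Arrangement("ICT-0003", "HRSaaS", "payroll", False, ("personal",), ("NL",)),
    Arrangement("ICT-0004", "LegacyVendor", "archive storage", False, (), ()),
)

if __name__ == "__main__":
    report, summary = review(SAMPLE, TODAY)
    for ref, issues in report.items():
        print(ref, "OK" if not issues else "; ".join(issues))
    print(summary)
```

Running it on the constructed sample reports ICT-0001 and ICT-0003 as complete, three gaps on the critical card-authorisation arrangement (no exit strategy, stale assessment, an Indian subcontractor) and two missing fields on the legacy archive arrangement; the summary is what a steering committee would track week to week as the 2,000+ entries converge on zero open issues.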

Resilience testing programme design. Art. 24-27 requires a comprehensive testing programme including vulnerability assessments, network security testing, scenario-based testing, and TLPT. The group designed its testing programme to integrate with existing ISO 27001 testing activities while adding DORA-specific scenarios and TLPT exercises.

Incident management enhancement. While the group had existing incident management capabilities, DORA's incident management process requirements (Art. 17), classification criteria (Art. 18), major-incident reporting timelines (Art. 19), and NCA notification requirements necessitated enhancement of classification tools, reporting workflows, and NCA communication channels.

Phase 3: Operationalize (Months 19-24)

Technology platform deployment. The compliance technology platforms — register data management, incident classification, testing orchestration — were deployed and integrated with existing systems.

Training and organizational embedding. DORA compliance is not a project — it is an ongoing operational requirement. Phase 3 focused on embedding DORA processes into business-as-usual operations, training staff across risk management, IT, and business functions, and establishing the ongoing governance cadence for DORA compliance maintenance.

NCA engagement and validation. The group engaged with the ACPR (Autorité de contrôle prudentiel et de résolution) and the AMF (Autorité des marchés financiers) to validate its DORA implementation approach and resolve interpretive questions specific to the French regulatory context.

The Results

Programme Outcomes and Industry Implications

The French banking group's EUR 100M DORA programme produced outcomes that carry implications far beyond the individual institution, providing empirical evidence for the true cost of comprehensive DORA compliance at scale.

Programme Outcomes

Full 5-pillar compliance achieved. The group achieved comprehensive DORA compliance across all five pillars by the January 17, 2025 application date. The 24-month programme timeline was tight but achievable with the dedicated resources and board-level governance commitment.

Register of Information submitted. The group's Register of Information — documenting 2,000+ ICT service arrangements — was submitted to the ACPR during the April 2025 first submission window. The register became a strategic risk management asset, providing the first comprehensive view of the group's ICT third-party dependency landscape.

Resilience testing programme operational. The group's DORA-aligned resilience testing programme — including TLPT capabilities — was operational, with initial testing cycles completed and remediation tracking integrated into the group's risk management framework.

Ongoing run cost elevated. McKinsey's analysis confirmed the group's experience: 70% of large financial institutions expected permanently higher annual run costs as a result of DORA compliance. The ongoing costs of maintaining the register, conducting annual testing, monitoring third-party risk, and sustaining the incident management and reporting capabilities represent a structural increase in the group's compliance cost base.

Cost Allocation Insights

The 35% allocation to Pillar IV (third-party risk management) was the programme's most significant finding for the broader industry. For G-SIBs with complex vendor ecosystems, third-party risk management is not a supporting activity — it is the single largest cost driver in DORA compliance. This finding suggests that DORA's implementation investment is concentrated where the regulation identified the greatest systemic risk: the financial sector's dependency on ICT third-party providers.

The 25% technology platform investment reflects a strategic choice: building sustainable compliance infrastructure rather than relying on manual processes. Institutions that under-invest in technology platforms during initial DORA implementation may achieve short-term cost savings but face higher ongoing run costs for manual register maintenance, incident classification, and testing orchestration.

Implications for the Industry

1. DORA is not a compliance checkbox — it is a multi-year transformation. The EUR 100M investment and 24-month timeline demonstrate that comprehensive DORA compliance for a G-SIB is comparable in scale to other major regulatory transformation programmes (BCBS 239, GDPR, MiFID II). Institutions that approach DORA as a lightweight compliance exercise will discover the gap between expectation and reality during the first supervisory examination.

2. Pillar IV is the cost center. Third-party risk management (Art. 28-44) consumed 35% of the programme budget — more than any other single pillar. This concentration of cost reflects the operational complexity of mapping, assessing, and managing thousands of ICT service provider relationships to DORA standards.

3. Existing frameworks provide a head start, not a free pass. The group's existing ISO 27001, PCI DSS, and BCBS 239 compliance provided a foundation that reduced the DORA-specific investment. Institutions without existing framework investments face a steeper climb — and a higher total cost — for DORA compliance.

4. Board governance is not optional. Art. 5's requirement for management body accountability was not merely a documentation requirement — it was essential for securing the cross-organizational coordination and resource commitment that a EUR 100M programme demands.

5. The investment pays forward. Despite the significant upfront cost, the group's assessment was that the DORA programme created lasting value: a comprehensive ICT risk management framework, tested resilience capabilities, and a strategic register of information that improved both compliance posture and operational risk management quality.

Lessons Learned

  1. DORA compliance for a G-SIB is a EUR 100M, 24-month transformation programme comparable in scale to BCBS 239 or GDPR compliance, not a lightweight compliance exercise.
  2. Pillar IV (third-party risk management, Art. 28-44) consumed 35% of the programme budget, making it the single largest cost driver. Institutions must plan resource allocation accordingly.
  3. Existing ISO 27001, PCI DSS, and BCBS 239 frameworks provided a foundation that reduced DORA-specific investment by an estimated 20-30%. Institutions without existing frameworks face significantly higher total costs.
  4. DORA Art. 5 board governance requirements are not merely documentation obligations; they are essential for securing the cross-organizational coordination and resource commitment that large-scale DORA programmes demand.
  5. Technology platform investment (25% of programme) creates sustainable compliance infrastructure. Under-investment in platforms during initial implementation leads to higher ongoing manual costs.
  6. 70% of large institutions expect permanently higher run costs post-DORA, reflecting the ongoing nature of register maintenance, annual testing, third-party monitoring, and incident management.

Tags: implementation, cost, EUR-100M, French, G-SIB, all-pillars, transformation, Art-5, Art-28, McKinsey

Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.

Facing similar challenges?

See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.