
As the EU’s Digital Operational Resilience Act (DORA) enters its first full year of supervision, testing and quality assurance teams at banks and financial services firms are confronted with a more stringent set of expectations for digital resilience and risk-management practices.
The landmark regime, effective since January 2025, is now shifting from implementation to active oversight, a transition that industry stakeholders say will demand deeper rigour in areas such as software change control, incident reporting and third-party integration testing.
“For the supervised institutions, especially less mature ones, implementing the new requirements may serve to discover unsuspected issues requiring remediation in their strategies, governing processes, operations or risk management,” explained José Manuel de Araluce, Director at Promontory España, IBM Consulting.
Underlining the practical implications of DORA’s transition from planning to execution, he said DORA’s comprehensive framework touches every aspect of banks’ digital operations, obliging firms not just to codify resilience principles but to demonstrate them in action.
This includes requirements for robust registers of ICT contractual arrangements, formalised incident classification and reporting processes, and thorough documentation of major failures, all of which intersect closely with software testing disciplines and quality assurance protocols.
“This marked the first anniversary of DORA’s application. While DORA was applied on day one, 2025 was essentially a transition year for both financial entities and supervisors,” Madrid-based de Araluce observed in a recent IBM analysis.
He noted that much of the initial phase involved completing implementation tasks and finalising Level 2 technical standards.
Now that the regulatory “training wheels” are off, financial institutions and critical third-party providers (CTPPs) alike can expect more probing supervisory reviews.
In 2026, the European Banking Authority’s work programme and the European Central Bank’s supervisory priorities outline a series of targeted actions that will test resilience frameworks against real-world operational risks.
De Araluce emphasised that the outcomes of this first full supervisory cycle will matter for bank testing teams and QA professionals, who are increasingly accountable for embedding resilience directly into development and operational lifecycles.
“With the ‘training wheels’ now off, 2026 marks the first true test of DORA, and both financial institutions and CTPPs will feel the difference,” he said.
Shift beyond checklist compliance
For QA teams, this evolution signals a need to shift beyond checklist compliance toward evidence-based assurance that digital systems can withstand cyber threats, third-party disruptions and unexpected outages.
As supervisors begin collecting best and worst practices during their reviews, the ability to demonstrate robust testing regimes and resilient software pipelines is likely to become a competitive differentiator, not just a regulatory obligation.
“Supervisors also used 2025 to take stock through ECB’s Supervisory Review and Evaluation Process (SREP) reviews and direct engagement with firms,” de Araluce stressed, pointing out that persistent weaknesses in ICT risk management have already emerged as a priority area for remediation.
As banks adapt to these intensified expectations, leaders in quality assurance and digital resilience are being tasked with aligning testing strategies to DORA’s operational resilience goals, a challenge that will define how well institutions manage technology risk in an increasingly interconnected financial ecosystem.
The impact on testing, QA and resilience strategies should not be underestimated, de Araluce concluded in his recent blog post.
DORA’s supervisory phase requires organisations to document, test and report digital risks with greater precision; embed resilience into software development lifecycles; and ensure that third-party dependencies do not compromise operational stability.
Teams that integrate these requirements into governance and testing practices early are better positioned to both satisfy supervisors and strengthen customer confidence in their digital services.