Regulatory limbo: Banks grapple with mounting DORA compliance pressure

Since it began to apply on 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) has fundamentally changed how banks and financial services firms across Europe manage their digital operational risks.

This landmark regulation was designed to create a unified framework for ICT risk management, ICT-related incident reporting, oversight of ICT third-party risk, and digital operational resilience testing.

Its overarching goal is to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and cyber threats effectively, thereby safeguarding the stability of the European financial ecosystem.

DORA’s scope is expansive, covering more than 22,000 financial entities across the European Union. This includes traditional banks, payment institutions, fund managers, insurance companies, fintech firms, and crowdfunding platforms.

Notably, the regulation also extends to ICT third-party service providers deemed critical to these financial institutions, reflecting the sector’s growing reliance on external technology vendors.

The rules mandate a comprehensive ICT risk management framework, requiring firms to embed robust governance structures, policies, and procedures that address the full spectrum of digital operational risks.

The financial sector’s increasing dependency on technology has heightened its vulnerability to cyber attacks and operational disruptions.

DORA aims to harmonise rules across member states, closing regulatory gaps and creating a level playing field. This harmonisation is intended to enhance the sector’s overall resilience and protect the integrity of the internal market, especially as digital transformation accelerates and cyber threats become more sophisticated.

Since DORA came into force, financial institutions have made significant strides toward compliance, though the journey remains complex and ongoing. A recent survey conducted by EY in early 2025 revealed that nearly all financial entities expect to be fully compliant with the Regulatory Technical Standards (RTS) governing ICT third-party policies.

However, compliance levels vary across different requirements. For example, while three-quarters of firms anticipate meeting the Digital Operational Resilience Testing (DORT) mandates, fewer have fully addressed subcontracting rules and the Register of Information obligations. These areas have proven more challenging, underscoring the need for continued focus and resource allocation.

Compliance

Despite the progress, some delegated regulations under DORA are still under review or pending finalisation, which complicates the full realisation of compliance.

Meanwhile, enforcement actions have begun to take shape. DORA itself is a regulation and applies directly, but it is accompanied by a directive amending existing sectoral directives, which member states must transpose into national law. The European Commission has initiated infringement procedures against thirteen member states for delays in that transposition, signalling a firm regulatory stance on timely implementation.

Voices from the industry paint a picture of cautious optimism mixed with realism about the scale of the transformation DORA demands.

At a February 2025 event hosted by EY, which featured representatives from the Central Bank of Ireland and several major financial institutions, a senior risk officer remarked that DORA has shifted the mindset from a mere compliance checklist to embedding resilience as a core strategic priority.

“It requires clear roles across the organisation, not just IT, and a continuous journey toward sustainable technology and data solutions,” he explained.

This sentiment reflected a broader recognition that digital operational resilience is now inseparable from business strategy and competitive positioning.

From the perspective of ICT third-party providers, the pressure to meet DORA’s rigorous oversight framework is palpable.

One executive from a leading cloud services provider shared that their firm is making substantial investments to align with DORA’s expectations, fully aware that supervisory scrutiny will intensify.

This dynamic is reshaping vendor relationships, with financial institutions demanding greater transparency, risk assessments, and contractual safeguards to manage third-party risks effectively.

Operational impact

The operational impact of DORA is wide-ranging. Financial firms have had to overhaul their ICT risk management frameworks, investing heavily in governance, policies, and technological solutions to meet the new standards.

Incident management has become more structured, with mandatory classification, documentation, and timely reporting of major ICT-related incidents to the competent authority (an initial notification followed by intermediate and final reports) and, where an incident affects clients’ financial interests, notification of those clients. This increased transparency is designed to foster accountability and improve sector-wide awareness of emerging threats.

Digital operational resilience testing has become a cornerstone of the new regime. All in-scope firms must run a testing programme, and those identified by their competent authorities, typically the larger and more systemically important entities, must additionally carry out advanced threat-led penetration testing (TLPT) at least every three years, using independent testers, to identify vulnerabilities before they can be exploited. This proactive approach is driving continuous improvement in cyber defences and operational robustness.

Perhaps one of the most transformative aspects of DORA is its emphasis on ICT third-party risk management. Financial institutions are now required to conduct thorough risk assessments of their ICT service providers, implementing enhanced contractual requirements and ongoing oversight.

ICT third-party providers designated as critical by the European Supervisory Authorities are subject to direct oversight by a Lead Overseer, a move that underscores the sector’s recognition of the outsized risks posed by dependencies on external technology vendors.

Since the regulation’s rollout, data indicates that the majority of financial entities have established the foundational elements required by DORA. Many have reported ICT incidents under the new classification system, contributing to a richer understanding of operational risks across the sector.

Digital operational resilience testing programs have grown in sophistication, and third-party risk management has become a focal point of internal audits and supervisory reviews.

Outlook for 2026

Looking ahead, industry experts emphasise that DORA compliance is not a one-off project but a multi-year journey toward operational maturity.

EY’s outlook for 2026 and beyond highlights the importance of embedding resilience by design, expanding enterprise-wide strategies that integrate operational, digital, and third-party risk management into a cohesive framework.

Firms are encouraged to conduct independent reviews of their DORA programs, enhance subcontractor oversight, secure adequate budgets, and prepare for increased supervisory scrutiny as the regulatory landscape evolves.

In conclusion, since January 2025, DORA has catalysed a fundamental shift in how European banks and financial services firms approach digital operational resilience. It has driven significant investments in ICT risk governance, incident management, resilience testing, and third-party oversight.

While challenges remain, particularly around subcontracting and information registers, the regulation is fostering a culture of continuous improvement and strategic resilience embedding.

Industry voices reflect a pragmatic understanding that DORA is far more than a regulatory burden: it is a business imperative essential to safeguarding operational stability in an increasingly digital and interconnected financial ecosystem.

As firms navigate this complex and evolving landscape, DORA stands as a pivotal framework shaping the future of financial sector resilience across Europe.
