The Evolving Implementation Landscape
The Digital Operational Resilience Act (DORA) became fully applicable nearly four months ago, requiring financial organisations to enhance operational resilience across key areas like governance, risk, incident, and third-party management. Financial Institutions (FIs) are now navigating a landscape proving far more complex than anticipated. What was expected to be a straightforward transition has instead evolved into a dynamic, multi-phase journey marked by continued regulatory developments, varied supervisory maturity, and a rapidly adapting market ecosystem.
Non-compliance with DORA requirements, including those related to preventing and managing cybersecurity failures, carries the risk of significant penalties from competent authorities (such as national regulators and the European Supervisory Authorities (ESAs)), encompassing financial fines (potentially up to 2% of annual worldwide turnover), administrative measures, and possible criminal sanctions in extreme cases under national law.
In this article, we explore the key challenges FIs are facing as they navigate DORA requirements and outline strategic initiatives to help organisations build and maintain robust digital operational resilience under this new regime.
DORA Requirements Recap
DORA establishes a unified framework for FIs across the EU to strengthen Information & Communication Technologies (ICT) risk management and ensure their ability to withstand, respond to, and recover from ICT-related disruptions and threats. Its five core pillars mandate:
- Robust ICT risk management and governance frameworks;
- Comprehensive ICT-related incident management, classification, and prompt reporting to competent authorities, with specific timelines for major incidents;
- Rigorous third-party risk management, including detailed oversight of subcontractors and concentration risk;
- A digital operational resilience testing program requiring annual testing of all critical ICT applications and systems, and for designated critical entities, advanced Threat-Led Penetration Testing (TLPT) typically every three years; and
- Arrangements for sharing cyber threat information and intelligence.
Notably, DORA's requirements extend beyond FIs to their critical ICT providers, with a process for designation and ongoing direct supervisory oversight of these designated third parties commencing later this year.
The regulation applies to a wide array of financial sectors – from banking and insurance to investment firms and crypto-asset service providers – creating consistent and harmonised standards across previously fragmented national regimes.
The Regulatory Refinement Phase
The ESAs have remained active in refining DORA's implementation. Earlier this year, additional guidance on critical ICT providers and clarification on the treatment of certain non-ICT outsourcing arrangements were provided. Revised regulatory technical standards were also adopted following feedback on subcontracting rules. Meanwhile, the European Commission initiated infringement proceedings against a number of Member States that had not fully implemented the regulation. These developments underscore the evolving nature of DORA's regulatory landscape and the need for firms to remain adaptable and informed. This process of refinement and clarification is expected to continue over the coming months.
Supervisory Readiness: A Fragmented Landscape
The pace and rigour of supervisory engagement have varied across the EU. Countries such as France, Germany, and the Netherlands have taken early steps to align supervisory practices with DORA and have actively engaged with the financial sector to support implementation. Others have focused more on outreach and capacity-building, particularly in jurisdictions where regulatory infrastructure is still developing. These differences underscore the importance of institutions maintaining awareness of jurisdiction-specific expectations as supervisory maturity continues to evolve.
A Rapidly Adapting Market
In response to these regulatory developments, the market has seen a surge in innovation and collaboration. A large number of specialised tools have emerged to support automated vendor risk assessments, DORA gap assessments, and Register of Information (ROI) development and automation. Smaller institutions, often lacking internal expertise, are increasingly turning to managed compliance services. As regulatory expectations evolve, firms are continuing to assess how best to respond – whether by enhancing internal capabilities, rethinking governance and tooling, or engaging with advisors to build a sustainable approach towards compliance.
Five Core Challenges Financial Institutions Are Facing
1) Identifying Critical Processes and ICT Providers
A key implementation challenge for many institutions has been establishing which business processes qualify as 'critical or important' under DORA – a foundational step that requires cross-functional alignment and often exposes legacy system interdependencies. Compounding this is the widespread absence of structured approaches to mapping these processes, which is essential for understanding the ICT dependencies that underpin them.
Only with this process-centric foundation can institutions accurately classify ICT service providers in line with DORA's risk-based requirements. Practical interpretation continues to raise questions, particularly around:
- Treatment of internal shared services/intra-group arrangements;
- Legacy contracts lacking DORA-compliant provisions; and
- Broader dilemmas about provider scoping.
Without this dual clarity – on both critical processes and their supporting providers – institutions struggle to assess operational risk in context, determine compliance scope, and prioritise remediation effectively. Many are now seeking supervisory clarification to ensure defensible approaches.
In response, institutions are developing criticality assessment methodologies using criteria like availability, data sensitivity, substitutability, reputational damage, and non-compliance. However, these efforts remain constrained without systematic business process mapping – the crucial link between ICT services and the operations they enable. This process-centric perspective is now recognised as the prerequisite for meaningful risk differentiation.
2) Reassessing Third-Party Risk Practices
While third-party risk management is a longstanding concern, DORA raises the bar by requiring more structured and continuous oversight, especially for critical ICT providers. Yet the extent to which firms have reoriented their third-party frameworks remains uneven. Many are still in the early stages of adapting due diligence processes, particularly when it comes to monitoring subcontractor chains or negotiating appropriate audit and access rights within contracts. DORA requires firms to retain the ability to conduct audits and inspections of critical ICT providers—an expectation that can be challenging to fulfil, particularly with major cloud providers offering limited contractual flexibility or imposing operational constraints.
While there is growing interest in enhancing third-party oversight—such as through improved contract clauses or risk-based controls—these approaches remain emergent. In reality, many institutions continue to rely on manual processes, generic tick-box questionnaires, fragmented data, and inconsistent oversight. The result is often superficial assessments that fall short of capturing nuanced risk exposure. Scaling third-party risk management to meet DORA's expectations remains a significant and ongoing challenge across the sector.
3) Operational Resilience Testing and Threat-Led Penetration Testing Readiness
DORA introduces a range of requirements around operational resilience testing, of which Threat-Led Penetration Testing (TLPT) is only one component. Institutions must regularly test the robustness of ICT systems supporting critical or important functions, including through scenario-based exercises, continuity tests, and simulations. In many cases, these exercises are expected to involve third-party service providers, adding additional complexity around coordination, access, and accountability.
Smaller and mid-sized institutions, in particular, face challenges in implementing proportionate and resource-efficient testing strategies. Many are beginning with prioritised, risk-based approaches focused on the most critical systems and services, often leveraging a mix of internal and external support. Establishing structured testing plans that meet supervisory expectations while accommodating operational realities is a key focus for many firms in 2025.
4) Supervisory Divergence Across Jurisdictions
While DORA applies uniformly across the EU, the approach to supervision and implementation can vary between Member States. Differences in regulatory focus, timelines, and engagement models have emerged, influenced by local institutional contexts and existing supervisory frameworks. These variations may affect how DORA is interpreted and enforced in practice. Institutions should continue to monitor regulatory developments across jurisdictions and remain prepared to adapt their compliance strategies accordingly.
5) Moving from Paper Compliance to Operational Resilience
Perhaps the most difficult transition is from documented compliance to embedded operational resilience. Many institutions continue to struggle with aligning policies and procedures to real-world response capabilities. Risk assessments often remain static, and contingency plans go untested.
Leading firms are raising the bar by embedding automation into evidence collection processes, integrating DORA controls into enterprise risk dashboards, and conducting regular resilience testing that exceeds minimum compliance thresholds.
Strategic Priorities for 2025–2026
- Focus on What Matters Most: Firms should prioritise DORA compliance based on their most important business services, processes and the ICT capabilities that support them. Rather than attempting to address every requirement at once, institutions should focus efforts where operational impact would be greatest in the event of disruption. DORA's definitions of critical and important functions, along with internal business continuity planning, can help guide these decisions.
- Strengthen the Foundations: Map Processes, Link Risks: Developing a clear view of how ICT systems support business operations is fundamental. Institutions should invest in business process mapping to identify ICT dependencies underpinning critical functions. This supports meaningful risk assessment, prioritisation, and traceability in third-party oversight and resilience planning.
- Mature Third-Party Risk Practices: DORA elevates expectations for oversight of ICT third parties. Institutions should move beyond static due diligence and tick-box exercises, developing dynamic monitoring approaches and embedding these into procurement, onboarding, and exit strategies to maintain continuity and regulatory alignment.
- Engage Proactively with Regulators: Open engagement with regulators is increasingly vital. Firms should participate in consultations and working groups, and seek pre-examination dialogue where available. This fosters alignment and builds institutional readiness.
- Operationalise Continuous Compliance: DORA compliance must evolve into a continuous discipline. Ongoing controls testing, automated evidence collection, and integrated risk reporting help firms identify control gaps and demonstrate maturity to supervisors.
Resilience as a Strategic Imperative
DORA implementation is not a one-off compliance exercise – it marks a shift in how operational risk is managed across the financial sector. Institutions that embed resilience into their operations, anticipate regulatory shifts, and invest in sustainable compliance models will be best placed to adapt. The next 12–18 months will separate those who take a tactical view from those building long-term resilience advantage.
How We Can Help: We work with financial institutions across Europe to turn regulatory complexity into practical action. Our support spans the full implementation lifecycle – from developing governance frameworks and mapping business processes to designing scalable third-party risk models and embedding operational resilience practices. We bring deep domain expertise and sector-specific insights, supported by technology-enabled tools that help automate compliance workflows. Through our partnerships with legal advisers and specialist providers, we offer a holistic view of risk, operations, and regulatory engagement to ensure our clients are confident, compliant, and forward-looking in the face of DORA's evolving requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.