CeFPro Connect

Three Months Past Deadline, Most Banks Still Not Ready for DORA
Three months after the Digital Operational Resilience Act (DORA) took effect, many financial institutions across the EU are still struggling to meet its rigorous requirements. Challenges around third-party risk management, operational integration, and continuous compliance threaten to derail long-term resilience.
May 27, 2025
The views and opinions expressed in this content are those of the thought leader as an individual and are not attributed to CeFPro or any other organization.
  • DORA took effect on 17 January 2025, but full compliance remains elusive
  • 43% of firms admitted they wouldn’t meet the deadline
  • Mid-sized firms reported only 45% implementation by January
  • Third-party risk management is a major obstacle
  • Integrating DORA into existing processes is proving difficult
  • Regulators are focused on incident reporting and third-party oversight
  • Post-deadline sustainability is the real compliance test
  • Automation and AI can support real-time monitoring and response
  • Cross-team collaboration and centralised systems are essential
  • Cloud-based infrastructure and automated reporting boost resilience

Three months after the EU’s Digital Operational Resilience Act (DORA) officially took effect, many financial institutions still find themselves scrambling to meet its demands.

Originally enacted on 17 January 2025, DORA was designed to hardwire digital resilience into the heart of the financial sector. But new data suggests that for many, compliance remains a work in progress.

A survey conducted in the lead-up to the deadline found that 43 percent of organisations admitted they would not be fully compliant for at least another three months.

That window has now passed, and the reality is sobering. Midsize financial institutions reported only about 45 percent implementation by the January deadline, with none expecting full compliance on time.

Most firms anticipated somewhere between 30 and 90 percent completion, with an average around two-thirds.

Among the most significant roadblocks are third-party risk management and operational integration.

Under DORA, financial firms are required to maintain detailed registers of all IT service providers. These records must be updated regularly and made available to regulators upon request.

But building such comprehensive registers, especially in larger organizations with sprawling vendor networks, is proving far more complex than anticipated.

Renegotiating contracts, embedding resilience expectations into service agreements, and integrating DORA requirements into daily business operations without disrupting workflows have also presented serious challenges.

The sheer breadth of DORA’s scope is testing even the most prepared compliance teams.

Regulators, meanwhile, are ramping up scrutiny. Particular focus is being given to two areas: incident reporting and third-party oversight.

DORA mandates that significant operational incidents must be reported within four hours of classification, with full reporting required within 72 hours and a final account within one month.

The clock is ticking fast, and institutions must now prove they can meet these expectations in real time.

But the real challenge isn’t just checking boxes. Post-deadline, the emphasis is shifting toward continuous compliance – ongoing monitoring, proactive reporting, and dynamic risk management.

Institutions that have embraced automation and AI are already seeing advantages. Automated systems offer real-time monitoring, immediate alerting, and streamlined reporting processes backed by clear audit trails.

Centralized risk platforms are improving transparency across departments, while cloud-based infrastructure supports integration with evolving IT and compliance ecosystems.

Cross-functional collaboration is becoming just as important. Tools that connect compliance, IT, risk, and legal teams help institutions respond more quickly and consistently to emerging threats and enable a unified front when dealing with regulators or crisis events.

The stakes are high. Without sustained and strategic compliance, financial institutions risk more than just fines.

Operational disruptions, reputational fallout, and regulatory penalties await firms that fall behind. DORA was never about a one-time deadline – it’s about long-term resilience.

To stay ahead, banks must move beyond the basics. That means empowering leadership with DORA fluency, engaging in scenario planning, and actively testing systems and response capabilities.

With evolving threats and rising regulatory expectations, firms that treat compliance as a static checklist will be left behind in a dynamic risk environment.
