Most European Financial Firms Fail DORA Compliance

Summary
– The Digital Operational Resilience Act (DORA) has exposed a significant compliance gap, with many European financial institutions struggling to meet its requirements by the 2025 deadline and beyond.
– DORA’s broad scope covers over 22,000 financial entities and their ICT providers, mandating continuous operational resilience across five key pillars rather than point-in-time certification.
– A major immediate challenge is the annual Register of Information submission, which many firms find difficult due to decentralized contract data and poor data quality.
– The regulation introduces stringent new obligations, including mandatory threat-led penetration testing for significant institutions and direct EU oversight for 19 designated critical ICT providers.
– Compliance is costly and non-compliance carries severe penalties, driving a structural shift toward automation and continuous evidence-based risk management.
With the enforcement deadline for the Digital Operational Resilience Act now in the rearview mirror, a stark reality confronts Europe’s financial sector. Most institutions are struggling to achieve full compliance, facing significant operational hurdles and the looming threat of severe penalties. This sweeping regulation demands a continuous, evidence-based approach to managing digital risk, a shift that many firms are finding difficult to implement within the required timeframe.
Recent surveys underscore the widespread challenge. Research indicates only about a third of major financial institutions felt ready to meet all DORA obligations by the January 2025 effective date. A separate study reveals just half expected to reach full compliance by the end of 2025, with over a third pushing their targets into 2026. Nearly half of the firms surveyed pinpointed the Register of Information—a mandatory inventory of all ICT third-party contracts—as their most formidable obstacle. These are not minor gaps but serious regulatory exposures, with potential fines reaching up to two percent of annual global turnover and personal penalties for senior managers.
The regulation’s breadth is extensive, applying to a vast network of over 22,000 entities including banks, insurers, crypto-asset services, investment firms, and their critical technology vendors. DORA is built on five core pillars: ICT risk management, incident reporting, resilience testing, third-party risk oversight, and information sharing. Unlike past frameworks, DORA requires demonstrating ongoing operational resilience through real-time monitoring and documented evidence, moving far beyond an annual audit cycle.
A critical test arrives in March 2026 with the second annual submission of the Register of Information. This register must comprehensively document every active ICT third-party contract as of December 31, 2025. The initial pilot round revealed major difficulties, as many organizations lacked a centralized view of vendor relationships, grappling with scattered contracts and poor data quality. For firms managing thousands of vendor agreements, manually compiling an accurate, audit-ready register within the tight submission window is a massive undertaking.
Adding another layer of complexity, European authorities have identified 19 critical ICT third-party providers for direct oversight. This list includes major cloud providers like Amazon Web Services, Microsoft Azure, and Google Cloud. Financial institutions relying on these designated providers must now rigorously assess and document their concentration risks, proving they have viable fallback plans to maintain operations during a major outage. For mid-sized firms built on a single cloud platform, this necessitates extensive remediation work.
Furthermore, DORA mandates threat-led penetration testing for significant institutions. These are not routine scans but sophisticated, intelligence-driven simulations of real-world attacks on live production systems, required at least every three years. The associated costs, coordination efforts, and operational risks are substantial, pushing many firms to develop entirely new internal processes.
The financial stakes of compliance are high. Most institutions estimate their costs falling between two and five million euros, with a majority expecting permanently elevated technology control expenses. Non-compliance carries even heavier consequences, including recurring daily penalties and the potential suspension of operating licenses. While 2025 served as a transitional period, 2026 marks a clear shift toward active enforcement, with regulators demanding tangible proof of resilience.
This gap between regulatory demands and manual capabilities is fueling a surge in compliance automation. A growing market of platforms now helps firms centralize evidence, automate control mapping, and manage the arduous Register of Information process. This reflects a structural shift in compliance methodology; when regulations require continuous evidence and involve hundreds of vendors, spreadsheets and manual processes are no longer viable.
Looking ahead, DORA will continue to evolve. The list of critical providers will be updated annually, and new technical standards are forthcoming. The data gathered from the first full submission cycle will give regulators an unprecedented view of ICT concentration risks across Europe, potentially leading to stricter future controls on cloud architecture and provider selection. The clear message for financial institutions is that DORA compliance is not a one-time project but an enduring operational capability. Building the necessary infrastructure and mindset is essential not only to avoid penalties but to genuinely bolster resilience against the digital disruptions the regulation aims to address.
(Source: The Next Web)