DORA at Six Months: What Financial Firms Have Learned So Far
The Digital Operational Resilience Act (DORA) became fully applicable across the EU on 17 January 2025. Six months on, it is clear that for many financial institutions, the journey from compliance planning to operational reality has been harder — and more revealing — than anticipated.
What DORA Actually Demands
DORA applies to over 22,000 financial entities and ICT third-party service providers operating in the EU. Its five pillars — ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing — require institutions to overhaul how they think about technology risk. This is not a tick-box exercise. DORA demands live, evidenced, continuous compliance.
The Early Pain Points
Third-party ICT risk has emerged as the biggest operational challenge. Institutions are discovering that mapping all material ICT dependencies — and obtaining the contractual provisions DORA requires from vendors — is enormously time-consuming. Many large banks have hundreds of ICT third-party relationships. Obtaining DORA-compliant clauses from all of them is proving a multi-year task in practice, even with enforcement now live.
Incident classification and reporting timelines have also created operational pressure. DORA mandates an initial notification to the competent authority within 4 hours of classifying a major ICT incident, and a final report within one month. Firms that did not build automated classification and escalation workflows before January 2025 are now scrambling to do so under live regulatory scrutiny.
Threat-Led Penetration Testing (TLPT)
Significant financial entities are required to conduct TLPT at least every three years. Regulators across the EU are now actively scoping which firms will be called first. Institutions that have not yet identified their critical functions for TLPT scope, selected a qualified tester, or engaged their competent authority are already behind the curve.
How Surety Supports DORA Compliance
Surety's platform provides a structured, auditable environment for managing DORA obligations across all five pillars. Our configurable workflow maps DORA articles to your internal obligations, assigns ownership, tracks completion, and generates the evidence trail regulators expect. DORA is already available in Surety — contact us to see a live demonstration.