The Comfortable Assumption That Will Not Hold
A significant number of financial institutions treated January 17, 2025 — the date DORA became enforceable — as a finish line. Frameworks were documented, policies were signed off, checklists were submitted. The compliance project was closed.
That thinking misunderstands what DORA is. It is not a one-time certification exercise. It is a permanent shift in how the EU expects financial institutions to govern, test, and prove their operational resilience — on an ongoing basis, not just at the moment an auditor asks.
Regulators have been clear: 2025 is a transition year. Supervisors are currently reviewing frameworks and identifying gaps. What comes next is stricter enforcement — and the firms that treated DORA as a deadline rather than a standard will feel it first.
The Problem DORA Is Actually Solving
To understand why DORA matters, you need to understand the scale of what it is responding to.
The EU financial sector is not just dependent on technology — it is structurally exposed to it. Banks, insurers, payment providers, and investment firms have outsourced enormous portions of their operations to a relatively small number of technology companies. Cloud infrastructure, data analytics, payment processing, core banking platforms — much of this now runs on third-party systems that financial institutions do not own, cannot fully control, and until recently, were not required to properly oversee.
That concentration is the systemic risk DORA is designed to address. If a single major cloud provider experiences a prolonged outage, the disruption does not stay contained to one institution. It cascades across dozens or hundreds of financial entities simultaneously. Before DORA, there was no EU-wide framework for managing that concentration risk. Now there is.
Why Existing Frameworks Were Not Enough
A common response from compliance teams when DORA was introduced was: we already have ISO 27001, we already follow EBA guidelines, we already comply with NIS2. Surely that covers it.
It does not — and this distinction is worth understanding precisely.
DORA does not replace these frameworks. But it cannot be satisfied by pointing to them. It requires financial institutions to demonstrate capabilities — not just document policies.
The Third-Party Problem Nobody Wanted to Talk About
The pillar of DORA that most institutions underestimated — and in many cases still have not fully addressed — is third-party risk management.
The problem is structural. Financial institutions have spent years building commercial relationships with technology providers without building governance relationships. Contracts were negotiated for price, service levels, and functionality. They were not negotiated for audit rights, incident notification timelines, business continuity obligations, or exit arrangements. In many cases they could not be — the technology provider had no interest in accepting those terms, and the financial institution had no regulatory requirement to insist on them.
DORA changes that equation entirely. Every contract with an ICT provider supporting a critical or important function must now include specific provisions. Institutions that went to market to renegotiate these contracts discovered something uncomfortable: some providers refused. The question those institutions then had to answer was whether to accept non-compliance or exit the relationship.
Institutions cannot delegate their regulatory responsibilities to third-party providers. The failure of a major cloud provider could have catastrophic impacts — and under DORA, the financial institution is accountable regardless of where the failure originates.
What the First Year of Enforcement Is Already Revealing
Regulators are not yet issuing significant fines. But they are reviewing what institutions have built, and what they are finding is instructive.
The common gaps emerging in early supervisory engagement are not in the areas institutions focused on most heavily. Institutions generally produced ICT risk management documentation. They generally updated incident response procedures. What they did not do adequately, in many cases, was complete the Register of Information — the structured inventory of all ICT third-party arrangements that competent authorities were required to submit to the ESAs by April 2025.
That register is not an administrative form. It is the foundation of DORA's oversight model. It connects every financial institution's critical business functions to the specific technology services and providers that support them. Regulators use it to identify concentration risk, to assess systemic exposure, and to determine which technology providers warrant critical designation. Institutions that submitted incomplete or inaccurate registers have signalled to regulators that their third-party governance is not yet functional.
The Accountability Shift Most Boards Have Not Absorbed
Perhaps the most significant aspect of DORA — and the one least discussed in compliance circles — is what it does to personal accountability.
DORA places ICT risk governance directly on the management body. Board members are expected to maintain current knowledge of cyber threats. ICT risk is not a matter for the technology department to manage and report upward. It is a governance responsibility that sits at the top of the organisation.
(Penalty figures from a graphic, only partly recoverable here: [figure missing] or €10 million, whichever is higher, for serious breaches; [figure missing] for individual accountability failures; [figure missing] per day of non-compliance.)
This is not theoretical. Regulators have extensive powers and the precedent of GDPR enforcement to draw from. Over time, DORA penalties are expected to approach the scale of sanctions seen under GDPR — which have reached into the hundreds of millions of euros for the largest violations.
The Deeper Point
DORA matters not because of the penalties, though those are real. It matters because the problem it is addressing is real.
Financial services have become inseparable from digital infrastructure. When that infrastructure fails — through attack, outage, or vendor failure — it is not just a technology problem. It is a social problem. People cannot access their money. Businesses cannot process payments. Critical transactions do not settle. The interconnectedness of the financial system means a disruption at one institution, or one critical vendor, can propagate rapidly across the entire sector.
DORA is the EU's attempt to ensure that when disruptions occur — and they will — financial institutions are prepared to absorb them, contain them, and recover from them quickly. That is not a compliance ambition. It is a stability imperative.
The institutions that understand this will approach DORA as an ongoing operational standard. The institutions that do not will approach each supervisory cycle as a renewal of the compliance project they thought they had already closed.
The gap between institutions that have embedded DORA as an operational standard and those that treated it as a compliance deadline will close rapidly as supervisory intensity increases through 2025 and 2026.