DORA Six Months In: What Compliance Actually Looks Like on the Ground

The Honest Assessment

Six months into DORA’s application period, the picture across European financial services organisations is neither as positive as the compliance programme reports submitted to boards would suggest, nor as negative as the commentary from organisations that treat DORA as an unreasonable burden would imply. It is more nuanced, and understanding the nuance matters for financial services CTOs who need to assess where their genuine exposure sits.

The January 2025 application date produced a predictable pattern: the compliance documentation was substantially complete for most covered entities, while the operational readiness to actually live under DORA was substantially incomplete for a significant proportion of them. The distance between those two positions is where the current risk sits, and it is what supervisory engagement over the next twelve months will expose.

Where Genuine Progress Has Been Made

The areas where DORA compliance has produced genuine operational improvement, rather than just documentation, are identifiable from the programmes that prioritised operational change alongside compliance documentation.

ICT incident classification processes have improved substantially in the organisations that treated the DORA incident reporting requirements as an operational process design problem rather than a documentation problem. The classification framework that determines whether an incident is a major DORA incident subject to the 24-hour initial notification requirement now exists in most covered entities and is being used in incident response rather than sitting in a compliance document. The distinction matters: a classification framework that exists but is not embedded in the incident response process will not produce the 24-hour notification when an incident occurs under operational pressure.

Third-party ICT risk register development has progressed further than expected in the organisations that started early. The register requirement that revealed significant inventory gaps in the second half of 2024 has, in many organisations, produced better third-party visibility than existed before DORA. The registry is now the starting point for supplier management conversations that previously had no structured context.

Management body engagement with ICT risk has increased visibly in the financial services sector since the management body accountability provisions in Article 5, which make the board responsible for defining, approving and overseeing the ICT risk management framework, became widely understood. Board-level technology risk education programmes, DORA-specific board training, and the establishment of technology oversight sub-committees are all more common now than they were twelve months ago. The quality of the engagement varies significantly, but the structural changes are real.

Where the Compliance Debt Remains Significant

The areas where the gap between documentation and operational reality is most pronounced are also identifiable, and they warrant attention because they are the areas most likely to surface in supervisory engagement.

The ICT third-party and supply chain requirements remain the most common area of substantive non-compliance. DORA's third-party risk provisions (Chapter V, Articles 28 to 30; the frequently cited "Article 21" supply chain security requirement belongs to NIS2, not DORA) are operationally demanding: they require assessing the security posture of ICT suppliers, understanding how those suppliers manage their own ICT risks, and ensuring that contractual arrangements provide the oversight rights that Article 30 requires. The register of information exists in most covered entities. The enhanced due diligence on suppliers supporting critical or important functions has been completed for the top tier of suppliers in most cases. The programme that addresses the full population of in-scope suppliers, and that maintains ongoing assurance rather than point-in-time assessment, is incomplete in most organisations.

The TLPT programme for organisations in scope for threat-led penetration testing has barely started in most cases. TLPT requires a structured engagement with the national competent authority, qualified threat intelligence providers, and testing teams that meet DORA's competency requirements, and it must be repeated at least every three years. The preparation for a first TLPT typically takes six to nine months from the point at which the scope and approach are agreed with the authority. Most covered entities have not reached that point.

The resilience testing programme for all covered entities, which DORA requires to be systematic, documented, and demonstrably improving resilience posture over time, has been implemented at varying levels of maturity. The organisations that had mature pre-DORA penetration testing and scenario testing programmes have adapted them to the DORA framework. Those that did not have mature testing programmes are building from a lower base, and the gap between their DORA testing documentation and their actual resilience testing maturity is significant.

ICT third-party contract amendment is a multi-year programme that is behind schedule in almost every covered entity that has disclosed its status. The contractual requirements that DORA imposes on vendor agreements — right to audit, business continuity obligations, incident reporting obligations, data return and deletion rights — are not present in most existing contracts and require renegotiation or replacement at renewal. The volume of contracts requiring amendment in large financial services organisations exceeds what can be processed in any twelve-month period, which means that a programme structure with a multi-year horizon is the realistic approach, and that is what most organisations are implementing.

What the Early Supervisory Signals Indicate

The early engagement between national competent authorities and covered entities, which has been proceeding through questionnaire issuance and initial supervisory dialogue in the first half of 2025, indicates several patterns worth noting.

The supervisory focus in the initial engagement is heavily weighted toward third-party risk management and incident reporting processes. These are the areas where DORA’s requirements are most operationally demanding and where the gap between documentation and operational reality is most visible. Covered entities that have strong stories to tell in both areas are experiencing less intensive supervisory follow-up than those that cannot clearly articulate their third-party risk management approach or demonstrate their incident classification and reporting capability.

The supervisory tone in most jurisdictions has been constructive rather than adversarial in the initial engagement phase. Supervisors are asking organisations to demonstrate their compliance programmes and identify the gaps and remediation plans rather than imposing penalties for incomplete compliance at the six-month mark. This constructive posture reflects the recognition that DORA’s requirements are complex and that the supervised population is genuinely engaged in compliance rather than ignoring its obligations.

The expectation, based on the supervisory guidance published by the ESAs, is that the constructive posture will persist while covered entities are demonstrating meaningful progress against their compliance programmes, and that enforcement attention will concentrate on organisations that are not making meaningful progress or that have significant operational incidents that reveal compliance gaps.

The Priority for the Next Six Months

The priority for covered entities in the second half of 2025 is not additional documentation. It is operationalising the documentation they have.

The incident classification process that exists as a document needs to be exercised in tabletop scenarios that test whether the 24-hour classification and notification can actually be achieved under operational pressure. The third-party risk register needs an active management process, not just an inventory. The resilience testing programme needs to produce actual testing and actual findings, not just a testing plan.

The DORA compliance programme that has completed its documentation phase and is now in its operationalisation phase is in the position that the January 2025 deadline was intended to produce. The programmes that are still in the documentation phase need to accelerate.

Supervisory patience has a limit. The next review cycle will be less forgiving of programmes that have not made the transition from plan to operation.