Operational Resilience
January 2026

DORA: One Year On - Are You Compliant or Just Checking Boxes?

Comprehensive review of DORA one year after implementation, examining the five critical pillars and the shift from checkbox compliance to demonstrable resilience.

It has been nearly a year since the Digital Operational Resilience Act (DORA)¹ became applicable on 17 January 2025. If your institution is still treating it as a compliance checkbox exercise, read on.

DORA is the EU's most comprehensive operational resilience framework for financial services. Regulators now enforce binding obligations across five critical pillars that demand strategic transformation, not superficial compliance.

🛡️ BEYOND POLICIES & PROCEDURES

What makes DORA different is its demand for demonstrable operational resilience. The regulation requires active, evidence-based compliance across ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information-sharing arrangements. Each pillar carries specific obligations under Articles 5 to 45¹ that require measurable capabilities, not aspirational statements.

🔗 THIRD-PARTY RISK: THE NEW FRONTIER

Chapter V¹ deserves particular attention. Articles 28 to 30¹ require financial entities to maintain a register of information covering all contractual arrangements with ICT third-party service providers, to conduct thorough due diligence and assess ICT concentration risk before contracting, and to ensure contracts include specific provisions on access, audit rights, and termination.

🚨 INCIDENT REPORTING & ADVANCED TESTING

Article 19¹ requires financial entities to report major ICT-related incidents to their competent authority within strict timeframes, through an initial notification, an intermediate report, and a final report. Articles 24 to 27¹ set out the digital operational resilience testing programme, and Article 26¹ requires advanced testing in the form of threat-led penetration testing (TLPT) for the financial entities identified by their competent authorities.

🇪🇺 DIRECT OVERSIGHT OF BIG TECH

Articles 31 to 44¹ establish an Oversight Framework under which ICT third-party service providers designated as critical, including major cloud providers, are overseen directly at EU level by a Lead Overseer drawn from the European Supervisory Authorities. The Lead Overseer can request information, conduct investigations and inspections, and issue recommendations, with competent authorities following up with the financial entities that use those providers. This is unprecedented in EU financial regulation.

❓ THE CRITICAL QUESTION FOR 2026

The question isn't whether your institution is DORA-compliant on paper, but whether your operational resilience strategy would survive scrutiny by your competent authority and the administrative penalties and remedial measures it can impose under Article 50¹. Those penalties are set by each Member State rather than capped in the Regulation itself, so the exposure varies by jurisdiction. For ICT third-party providers designated as critical, Article 35¹ separately allows the Lead Overseer to impose periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months.

References

¹ Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA)

This article was originally published on LinkedIn.

Gavin Ignatius Persaud

Solicitor | Fintech Law Specialist

Gavin is a specialist solicitor with over 25 years of experience in financial technology regulation, digital assets law, and emerging technology compliance. He advises premier financial institutions and innovative technology companies on complex regulatory matters across 33 jurisdictions.

Fintech Regulation | Crypto & Digital Assets | AI & Data Privacy | MiCA & DORA Expert

Qualifications: PhD (Cryptocurrency & Stablecoin Policy), LLM (Commercial Law), Solicitor of England & Wales

Experience: £750M+ transaction value | 33 jurisdictions | Trusted adviser to Morgan Stanley, American Express, Visa, Citibank, and leading fintech innovators