DORA in Operation: What the Regulator Wants to See
DORA has been directly applicable across the EU since January 2025, yet by the end of 2025, only about half of all financial institutions had fully implemented its requirements. The pressure mounts in 2026: the ICT third-party provider register is due, threat-led penetration tests are on the horizon, and critical cloud service providers will come under direct EU supervision.
Key Takeaways
- Deadline met: The ICT third-party provider register had to be reported to BaFin by 30 March 2026 and must remain up to date. Those treating it as a one-off exercise will fail the next audit.
- Testing gets serious: Systemically important institutions will face threat-led penetration tests covering the entire ICT supply chain. BaFin will clarify the requirements over the course of the year.
- The cloud is in scope: 19 IT service providers are classified as critical third-party providers under direct EU supervision, including the major hyperscalers. This shifts responsibility and negotiating power.
DORA is in force, but implementation lags
What is DORA? DORA stands for the Digital Operational Resilience Act, an EU regulation ensuring digital operational resilience in the financial sector. It has been directly applicable since 17 January 2025, requiring banks, insurers, and their IT service providers to demonstrate risk management, report incidents on time, and conduct regular resilience tests.
The regulation is now binding law. Yet by the end of 2025, implementation remained incomplete in many places: industry surveys show only about half of European financial institutions had met all requirements, with a significant portion pushing compliance to 2026. For security teams, this means proof is now required in day-to-day operations.
Risk management must be demonstrable
The first pillar is documented ICT risk management. DORA demands substance over glossy concepts: a well-maintained asset inventory, clear responsibilities and controls that work in a crisis. If you haven’t accurately inventoried your critical systems, you can’t assess risks or pass an audit.
The most common mistake in practice is building the framework on paper while disconnecting it from operations. A risk register that no one touches after the audit is worthless. Supervisors look for lived processes, evident in logs, tickets, and tested contingency plans.
Report Incidents Before the Clock Runs Out
The second pillar is incident reporting. DORA requires severe ICT incidents to be classified and reported to regulators within set deadlines. While this sounds straightforward, it often fails due to lack of preparation. If you’re scrambling to clarify who reports what, to whom, and by when during an actual crisis, you’ve already lost critical hours.
This is where practiced routine pays off. A reporting process should be tested like a backup: run through once a quarter, with clear roles and escalation paths. Reporting deadlines vary by regulation, so the starting point of the clock must be precisely defined.
Tests That Impact the Entire Supply Chain
The third pillar is threat-led penetration testing, or TLPT. Beyond traditional pentests, DORA mandates realistic attack simulations for certain institutions, modeled on real-world threat actors and including the ICT supply chain. Which institutions must test, and how often, depends on their size and systemic importance. BaFin is expected to refine the detailed requirements soon.
These pillars can be broken down into concrete tasks for the security team.
| DORA Pillar | What the Security Team Must Deliver |
|---|---|
| ICT Risk Management | Asset inventory, controls, and a living risk register |
| Incident Reporting | Classify, report on time, and test the process |
| Resilience Testing (TLPT) | Threat-led pentests covering the supply chain |
| Third-Party Providers | Maintain a register, secure audit rights, and keep an exit plan |
When Your Cloud Provider Is Under Supervision Too
The fourth pillar addresses third-party providers. Nineteen IT service providers are classified as critical third parties and fall directly under European supervision, including major hyperscalers. For financial institutions, this changes the landscape: responsibility for resilience remains with the institution, even if the service comes from the cloud.
In practice, this means tracking every critical service in a register, equipping contracts with audit and termination rights, and maintaining an exit plan for each key provider. An outage at your cloud provider doesn’t absolve you of your reporting obligations.
Situation Report: Anyone treating DORA as a mere paperwork exercise will find out the hard way, when the first real incident hits. The regulation demands *lived* resilience.
Frequently Asked Questions
When does DORA take effect, and who does it apply to?
DORA has been directly applicable in all EU member states since January 17, 2025. It applies to banks, insurers, investment firms, payment and crypto service providers, as well as their critical IT service providers. As a regulation, it requires no national transposition; it is enforceable as is.
What should be considered for the ICT third-party provider register?
The register lists all contractual agreements for IT services and was due to be reported to BaFin by March 30, 2026. It must be kept up to date, as regulators expect a current overview, not just a one-time snapshot.
What does TLPT entail in practice?
TLPT stands for Threat-Led Penetration Testing: realistic attack simulations based on actual threat actors, including the ICT supply chain. It is primarily required for systemically important institutions, with detailed guidelines to be finalized by regulators later this year.
Who is liable if a cloud provider fails?
The responsibility for operational resilience remains with the financial institution. Even if a critical third-party provider is directly supervised by EU authorities, the institution must report incidents, manage risks, and maintain an exit plan. Outsourcing does not shift this obligation.
What are the consequences of violations?
Regulators can impose severe sanctions, including daily fines of up to one percent of global daily revenue for critical third-party providers, applied over an extended period. However, the reputational and trust damage following a reported incident often outweighs the financial penalty.