DORA in Practice: Supervisory Expectations, Governance and Implementation Challenges (2026)

While the Digital Operational Resilience Act (DORA) has been fully applicable since 17 January 2025, supervisory attention in 2025–2026 has clearly shifted from formal policy adoption to practical implementation, governance effectiveness and evidence-based compliance.

For financial institutions, DORA is no longer assessed as a theoretical ICT framework, but as a live operational resilience regime, testing how organisations respond to real-life disruptions, cyber incidents and third-party failures.

From Policies to Proof: The Supervisory Shift

A recurring supervisory theme across the EU is the move from “policy completeness” to “operational credibility.” Institutions are increasingly expected to demonstrate:

  • that ICT risk frameworks are embedded in day-to-day operations,
  • that incident response mechanisms function in practice, and
  • that senior management and Boards exercise meaningful oversight.

In this context, written policies alone are no longer sufficient. Supervisors expect implementation evidence, such as testing results, incident simulations, management information, escalation records and remediation actions.

Board Accountability Under DORA

One of the most material changes introduced by DORA is the explicit responsibility placed on the management body.

Boards are expected to:

  • approve the ICT risk management framework,
  • oversee the digital resilience strategy,
  • monitor significant ICT incidents and remediation,
  • understand key third-party dependencies and concentration risks.

In practice, this means that ICT and cyber risk can no longer sit exclusively at operational or IT level. DORA elevates digital resilience to a core governance and risk topic, comparable to capital, liquidity or conduct risk.

Supervisors increasingly expect Boards to be able to articulate:

  • the institution’s critical business services,
  • key ICT dependencies supporting those services,
  • tolerance levels for disruption, and
  • decision-making processes during a severe ICT incident.

Operational Resilience Testing: A Governance Issue, Not Just a Technical Exercise

Resilience testing under DORA is often misunderstood as a purely technical requirement. In reality, supervisors assess testing as a governance-controlled process, asking:

  • Is testing risk-based and proportionate to the institution’s profile?
  • Are scenarios realistic and severe enough?
  • Are results escalated to senior management and the Board?
  • Are weaknesses tracked and remediated within defined timelines?

For certain entities, advanced testing (including threat-led penetration testing) further increases expectations around independence, scope and follow-up actions.

Testing that exists “on paper” but does not influence decision-making is unlikely to satisfy supervisory scrutiny.

Third-Party and Outsourcing Risk: A Central DORA Focus

One of the most challenging areas in practice is ICT third-party risk management.

DORA requires institutions to maintain clear visibility over:

  • critical and important outsourced ICT services,
  • subcontracting chains,
  • concentration risk (including reliance on a small number of providers),
  • exit and substitution strategies.

Supervisors pay particular attention to situations where:

  • core services depend heavily on cloud or group providers,
  • outsourcing arrangements limit supervisory access or audit rights,
  • exit plans are theoretical rather than operational.

In 2025–2026, this area is also closely linked to the EU-level oversight of critical ICT third-party providers, increasing expectations on financial institutions to actively manage, and not merely accept, third-party risk.

Incident Management and Reporting: Preparedness Matters

DORA introduces detailed requirements for incident classification, escalation and reporting. In practice, supervisors test whether institutions can:

  • detect incidents promptly,
  • classify them consistently,
  • escalate internally without delay, and
  • meet regulatory reporting timelines under pressure.

Institutions that have not conducted dry runs or simulations of incident scenarios often struggle to demonstrate readiness. As a result, incident management is increasingly assessed as part of the broader operational resilience framework, rather than a standalone compliance process.

Interaction with Other EU Regulatory Frameworks

DORA does not operate in isolation. In practice, institutions must align it with:

  • MiCA, for crypto-asset service providers,
  • outsourcing and cloud governance frameworks,
  • cybersecurity and data protection obligations,
  • evolving EU digital regulatory initiatives.

Supervisory reviews increasingly examine consistency across frameworks, rather than treating DORA as a siloed requirement.

Common Implementation Challenges

Across the market, recurring DORA implementation challenges include:

  • limited Board engagement beyond formal approvals,
  • fragmented ownership of ICT risk across functions,
  • insufficient documentation of testing outcomes and remediation,
  • over-reliance on third parties without effective oversight,
  • lack of consolidated management information on digital resilience.

Addressing these gaps typically requires structural changes, not just policy updates.

Conclusion

DORA implementation is fundamentally a governance and operating model exercise, not merely a technical compliance task. Institutions that approach DORA as a living framework—supported by Board oversight, effective testing, disciplined third-party management and evidence-based controls—will be far better positioned to meet supervisory expectations.

In an environment of increasing digital complexity and interconnectedness, operational resilience has become a defining feature of regulatory credibility and long-term sustainability.

DKA Financial Consultants advises financial institutions and fintech firms on DORA implementation, governance design, third-party risk frameworks and supervisory readiness, supporting organisations in moving from formal compliance to effective operational resilience.

The content of this article is intended solely for general information purposes and does not constitute, and should not be construed as, professional advice or a formal opinion.

© 2026 DKA FINANCIAL CONSULTANTS LTD. All rights reserved.