The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

The DORA compliance deadline took effect 17 January, 2025, requiring financial institutions and critical third-party providers operating in the EU financial sector to have fully implemented its requirements and established robust operational resilience frameworks.

But a survey conducted shortly before DORA's enforcement revealed that 43 per cent of organizations admitted they wouldn't be fully compliant for at least another three months post-deadline. 

That three-month mark is here, and it’s time to ask: how is DORA compliance really going? 

DORA compliance status 

Despite DORA’s importance for digital resilience, many companies still struggle with implementation.

One survey indicated that midsize financial firms had achieved only ~45 per cent implementation of requirements by the January deadline. None of these organizations expected full compliance by then, with anticipated compliance levels ranging between 30 per cent and 90 per cent, and averaging around two-thirds completion.

Compliance challenges encountered so far 

Early DORA implementation has revealed two challenges:

• Third-party risk management: Establishing comprehensive registers of IT service providers is a significant hurdle. Financial entities are required to assess, document and maintain a “register of information” that details third-party relationships, a task complicated by the detailed nature of DORA's stipulations and the need to report annually – and on request – by relevant competent authorities. ​
• Operational integration: Integrating DORA's extensive requirements into existing processes without disrupting business operations – including renegotiating contracts with IT service providers and creating detailed information registers – remains a  challenge. 

Regulatory focus areas

Regulators are increasingly focused on specific DORA components:

• Incident reporting: DORA mandates stringent incident reporting protocols, requiring initial notifications within four hours of classifying an incident as major, followed by detailed reports within 72 hours, and final reports within one month. ​
• Third-party risk oversight: Regulators are emphasizing the importance of managing risks associated with third-party IT providers, necessitating comprehensive documentation and assessment of these relationships

The need for continuous monitoring and reporting post-deadline

The true test begins post-deadline: can organizations sustain compliance through ongoing monitoring, reporting, and risk management?

Stay proactive and prepared by:

1. Leveraging technology: Implement automation tools (and AI where appropriate) to monitor and address risks in real time.
2. Conducting regular audits: Frequently evaluate compliance programs to identify and resolve gaps.
3. Training leadership: Ensure executives understand DORA requirements and operational resilience.
4. Engaging in scenario planning: Test incident response and recovery strategies through simulations.
5. Staying informed on regulatory changes: Monitor updates to regulations to proactively adjust your compliance efforts.
6. Communicating transparently: Keep regulators, stakeholders, and employees informed about your digital resilience initiatives.

By following these proactive measures, your organisation will be prepared to monitor continuously rather than reactively. 

How technology supports post-deadline compliance 

Focusing on long-term compliance, technology is key to streamlining monitoring, reporting, and incident response.

A well-integrated tech stack boosts resilience while easing the ongoing compliance burden. Key areas include:

• Cross-team collaboration: Integrated platforms connect risk, compliance, IT, and more to ensure aligned, timely responses and reduce operational silos.
• Real-time transparency: Centralised systems provide up-to-date visibility into risk and resilience metrics, supporting internal oversight and regulatory scrutiny.
• Automated information updates: Dynamic documentation and evidence management allow for efficient updates to controls, policies, and assessments as changes occur.
• Streamlined reporting: Automated reporting workflows accelerate internal metrics and regulatory submissions, backed by clear audit trails.
• Vendor oversight: Tools that support continuous third-party monitoring ensure organizations can track and report on vendor compliance.
• Secure, scalable infrastructure: Cloud-based solutions provide the flexibility and security required to integrate with evolving IT and risk ecosystems.

With the right technology and strategy, financial institutions can stay agile, manage emerging risks, and strengthen long-term resilience. Sustained compliance means going beyond the baseline to stay ahead.

Want to continue the conversation? Connect with us!