
22 January 2026

DORA One Year On: Beyond Compliance and Towards Real Resilience


It is now just over a year since the EU’s Digital Operational Resilience Act came into effect, applying to banks and other financial institutions operating across the European Union. DORA was introduced to create a consistent operational resilience framework across the European financial sector. Its purpose is clear. Firms must understand their technology risks, map their critical dependencies, assign ownership, prepare for disruption and demonstrate that they can continue providing essential services during incidents. The regulation covers banks, insurers, investment firms, ICT service providers and many other entities that support the stability of the financial system.

The full implementation date of 17 January 2025 has now passed, which means the transition phase is officially over. Regulatory scrutiny is already taking place. Supervisors are now examining whether firms used the earlier period to make meaningful improvements or whether they relied on the language of continuous improvement without delivering measurable progress. Many firms have already been instructed to undertake remediation, have faced increased oversight and are now having difficult internal and external discussions about their readiness.


Compliance Is Only the Starting Point

The early activity from supervisors highlights an important reality. Compliance is only the starting point. Firms need to be resilient in practice, not just compliant on paper. They must be able to absorb shocks, maintain service and recover quickly. The need for resilience is increasing because operational incidents are becoming more frequent, more severe and longer lasting. We’re seeing everything from sophisticated cyberattacks and AI‑driven fraud to major supply‑chain failures, cloud provider outages and critical third‑party disruptions. These incidents escalate faster than they once did and they compound more easily. The cost of responding to disruption continues to rise, and when increasing insurance premiums are factored in, the overall cost of non-compliance already exceeds the cost of modernisation.


Where Firms Are Being Caught Out One Year On

The weaknesses that are emerging are not usually caused by misunderstanding DORA. They are caused by difficulties with execution, especially across the supply chain. Many firms issued contract amendments that lacked specificity, leaving expectations open to interpretation and resulting in long cycles of renegotiation.


What are the biggest challenges firms are facing?

1. Suppliers disputing their critical status

Some suppliers argue that they should not be designated as critical, even though the definition is based on the impact to the financial institution and its customers. Resolving this can take significant time and may require regulatory involvement.

2. Contract wording that is not detailed enough

If the expectations were not written clearly into initial contract updates, further amendments are now required. This increases operational workload and slows progress.

3. Debates over cost and proportionality

Suppliers often challenge the cost of implementing required resilience measures. These disputes can disrupt proportionality calculations and stall progress.

4. Suppliers unable to meet the requirements

Some suppliers do not have the capabilities needed to meet DORA’s expectations. Identifying these weaknesses and planning exit strategies or replacements is complex and time consuming.

5. Intragroup outsourcing as a major weakness

This remains one of the most consistent gaps. Many regulated entities assume that their intragroup providers have met the requirements, often because these teams sit within the same group structure and are viewed as extensions of the business. In reality, many intragroup arrangements are far less prepared than external suppliers. Documentation is often incomplete, operational processes are less formalised and evidence of resilience activity is limited when supervisors request it.

The challenge is accountability. Activities can be outsourced but risk cannot. The regulated entity remains responsible for the continuity of its services, regardless of whether the work is performed by an external provider or a shared service within the group. Supervisors expect the same level of clarity, oversight and testable resilience from intragroup providers as they do from any third party.

For this reason, firms relying on intragroup outsourcing must request clear, verifiable evidence of compliance rather than internal assurances. Stressed exit planning is particularly important. Regulators want proof that the firm could continue operating if an internal provider became unable to deliver or experienced a prolonged failure. Many firms have not yet tested these scenarios or documented credible alternatives, which leaves a noticeable gap as scrutiny increases.


Continuous Improvement Must Be Evidenced

Supervisors now want proof. They expect documented decisions, tested plans, completed exercises and visible improvements. Any firm that has not been building a strong evidence base throughout 2024 and 2025 will now face considerable challenges.


Why Software Escrow Matters for Supplier Failure and Service Continuity

DORA is technology agnostic. It states the outcome required but not the tools. This creates challenges when planning for supplier insolvency. Other regulatory guidance takes a clearer approach. Authorities in the United Kingdom, the United States, Singapore, Hong Kong, Saudi Arabia, India, Pakistan and others explicitly reference software escrow within stressed exit planning.

The absence of an explicit reference to software escrow in DORA leaves European-only firms exposed to greater risk of supplier collapse, service deterioration and concentration risk. Software escrow can help address these gaps. It creates a legal right to access the source code and documentation of a critical application if a supplier fails, giving firms the ability to continue running or rebuild the software when needed. It also supports knowledge transfer by enabling internal teams or new suppliers to understand how the application works and how it can be managed independently.

Software escrow and verification services strengthen scenario testing. Organisations can simulate supplier failure and check that the material held in escrow is complete and usable. These tests confirm whether they have enough information to compile the code, rebuild the application and keep services operating during a stressed exit.
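As an added illustration of the deposit check described above (example code written for this page, not the article's own tooling or any escrow provider's product): the script below creates a constructed sample deposit, then verifies that the required documentation artifacts are present, that every deposited file matches the SHA-256 digest recorded in the deposit's manifest, and that the build command recorded in the manifest actually succeeds. A second run shows how a source file altered after deposit and missing build documentation are reported. The manifest layout, the artifact names and the build command are assumptions made for this example.

```python
"""Escrow deposit verification (added example; not from the original article).

Assumptions (constructed for this example):
  - a deposit is a directory containing manifest.json, which lists every
    deposited file with its SHA-256 digest plus a build command;
  - BUILD.md and requirements.txt are the documentation artifacts the
    depositor is required to include alongside the source.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Artifacts that must be present for the deposit to count as complete.
REQUIRED_ARTIFACTS = ("manifest.json", "BUILD.md", "requirements.txt")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sample_deposit(root: Path) -> None:
    """Create a constructed sample deposit: one source file plus the docs."""
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("def health():\n    return 'service up'\n")
    (root / "BUILD.md").write_text("# Build\nRun build_command from manifest.json.\n")
    (root / "requirements.txt").write_text("# no third-party dependencies\n")
    files = ["src/app.py", "BUILD.md", "requirements.txt"]
    manifest = {
        "files": {f: sha256_of(root / f) for f in files},
        # Constructed build step: byte-compile the source with the interpreter
        # running this script (a real deposit would carry e.g. a make target).
        "build_command": [sys.executable, "-m", "py_compile", "src/app.py"],
    }
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))


def verify_deposit(root: Path) -> dict:
    """Check completeness, integrity and buildability of an escrow deposit."""
    findings = []
    for name in REQUIRED_ARTIFACTS:
        if not (root / name).is_file():
            findings.append(f"missing required artifact: {name}")
    if "missing required artifact: manifest.json" in findings:
        return {"usable": False, "build_ok": False, "findings": findings}

    manifest = json.loads((root / "manifest.json").read_text())
    declared = manifest.get("files", {})
    for rel, expected in declared.items():
        path = root / rel
        if not path.is_file():
            findings.append(f"listed in manifest but absent: {rel}")
        elif sha256_of(path) != expected:
            findings.append(f"hash mismatch (modified or corrupted): {rel}")

    # Files present but undeclared mean the manifest no longer describes
    # what was actually deposited; scan before the build creates artifacts.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - set(declared) - {"manifest.json"}):
        findings.append(f"present but not declared in manifest: {rel}")

    build_ok = False
    cmd = manifest.get("build_command")
    if not cmd:
        findings.append("manifest has no build_command; buildability cannot be shown")
    elif not findings:
        # Only run the recorded build when every digest matched: a deposit
        # that fails integrity checks is not something to execute.
        result = subprocess.run(cmd, cwd=root, capture_output=True, text=True)
        build_ok = result.returncode == 0
        if not build_ok:
            findings.append(f"build failed (exit {result.returncode}): {result.stderr.strip()[:200]}")
    return {"usable": build_ok and not findings, "build_ok": build_ok, "findings": findings}


def demo_intact() -> dict:
    """Verify a freshly written, untouched sample deposit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_deposit(root)
        return verify_deposit(root)


def demo_tampered() -> dict:
    """Same deposit, but the source was altered and BUILD.md removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_deposit(root)
        (root / "src" / "app.py").write_text("def health():\n    return 'other build'\n")
        (root / "BUILD.md").unlink()
        return verify_deposit(root)


if __name__ == "__main__":
    print(json.dumps(demo_intact(), indent=2))
    print(json.dumps(demo_tampered(), indent=2))
```

The build command is executed only when every declared digest matches and nothing undeclared is present, so the verification never runs code the manifest does not vouch for; in a real verification exercise the build would additionally be run in an isolated environment matching the production toolchain, since a deposit that compiles on the verifier's laptop but not on the firm's own build infrastructure does not prove continuity.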


DORA: An Opportunity to Build Resilience against Increasing Disruption

DORA requires firms to build resilience in a world where disruption is becoming normal. The expectations are balanced and grounded in good practice. The challenge is no longer understanding what DORA asks for but demonstrating that the work is being carried out and evidenced. Firms that address supply chain gaps, strengthen intragroup arrangements and build strong stressed exit planning will be much better placed to meet the rising expectations of the next phase.
