The Digital Operational Resilience Act (DORA) has fundamentally changed how financial institutions are expected to manage ICT risk. While many organisations have invested significant time and resources in implementation projects, supervisory experience across the financial sector suggests that many institutions remain focused on documentation rather than on operational resilience itself.

As regulatory scrutiny intensifies, the question is no longer whether an institution has adopted DORA policies; it is whether it has implemented them. The more important question is whether the institution can demonstrate that its governance structures, operational processes and technology environment function effectively in practice.

DORA Is Not a Documentation Exercise

A common misconception during implementation has been that DORA can be addressed primarily through policies, procedures and contractual updates.

While documentation remains important, DORA is fundamentally an operational framework. Regulators increasingly expect institutions to demonstrate that governance decisions, risk assessments, incident management processes, and oversight mechanisms for outsourcing operate effectively within day-to-day business activities.

Institutions that focus solely on formal compliance may find themselves exposed when supervisory authorities assess how resilience measures function in real operational environments.

Governance Remains the Most Significant Gap

One of the most common challenges involves governance.

DORA places explicit responsibility on management bodies for ICT risk oversight and operational resilience. In practice, however, many organisations continue to treat ICT risk as a matter delegated primarily to IT departments, compliance functions or external service providers.

Supervisory expectations are increasingly focused on whether management bodies:

  • understand material ICT risks;
  • receive meaningful reporting on resilience and incidents;
  • participate in resilience decision-making;
  • oversee outsourcing arrangements; and
  • can demonstrate accountability for operational resilience outcomes.

Where ICT governance remains disconnected from board-level oversight, institutions may struggle to meet regulatory expectations despite having extensive documentation in place.

Third-Party Risk Management Is Under Increasing Scrutiny

Financial institutions are becoming increasingly dependent on cloud providers, payment infrastructure partners, software vendors and other ICT service providers.

DORA requires institutions to move beyond simple contractual management of outsourcing relationships and develop a comprehensive understanding of operational dependencies throughout their technology ecosystem.

In practice, many institutions still face challenges in:

  • identifying critical ICT providers;
  • maintaining accurate outsourcing inventories;
  • assessing concentration risks;
  • monitoring subcontracting arrangements; and
  • ensuring that contractual rights align with regulatory requirements.

Demonstrating effective oversight of critical service providers is becoming a key supervisory focus.

Incident Management Must Be Operational

Many institutions have established incident response procedures. However, regulatory expectations extend beyond the existence of a documented process.

Supervisors increasingly assess whether organisations can:

  • identify incidents promptly;
  • classify incidents consistently;
  • escalate issues effectively;
  • coordinate technical and management responses; and
  • meet regulatory reporting obligations within required timeframes.

Operational resilience depends not only on written procedures but also on testing, preparedness and the ability of different functions to work together during periods of disruption.

Resilience Testing Is Often Underestimated

DORA introduces a stronger emphasis on testing and validation of resilience measures.

For many institutions, testing has historically focused on technical recovery capabilities. DORA expands this perspective by requiring organisations to assess broader operational resilience, including governance effectiveness, communication processes and third-party dependencies.

Testing exercises frequently reveal gaps that are not visible through policy reviews alone. As a result, resilience testing should be viewed as a governance tool rather than solely a technical requirement.

Data, Documentation and Evidence Matter

A recurring challenge for financial institutions is demonstrating that DORA requirements have been embedded into operational practice.

Regulators increasingly expect organisations to maintain evidence supporting:

  • ICT risk assessments;
  • outsourcing decisions;
  • governance oversight activities;
  • resilience testing outcomes;
  • incident response actions; and
  • remediation measures.

The ability to produce clear evidence often becomes as important as the underlying control itself.

Looking Ahead

As DORA moves from implementation to supervision, financial institutions are entering a new phase of regulatory scrutiny.

The institutions best positioned for future supervisory engagement will not necessarily be those with the largest number of policies or procedures. Rather, they will be those capable of demonstrating that operational resilience is genuinely embedded within governance structures, business processes and technology environments.

DORA is ultimately about resilience in practice. The organisations that succeed will be those able to show that their controls operate effectively not only on paper, but also under real-world operational pressure.

About ECOVIS ProventusLaw

ECOVIS ProventusLaw advises banks, electronic money institutions, payment institutions, crypto-asset service providers and other regulated financial institutions on DORA implementation, ICT governance, outsourcing arrangements, operational resilience frameworks, incident management, supervisory remediation programmes and broader EU financial regulatory compliance matters.

About the Author

Loreta Andziulytė is a Partner and Attorney-at-Law at ECOVIS ProventusLaw, heading the firm's Data Protection, Employment, and Corporate Commercial teams. With over 20 years of experience, she advises on corporate governance, regulatory compliance, GDPR, DORA, and fintech licensing matters. She is ranked in FinTech Legal by Chambers and Partners (2020, 2023–2026) and recognised by The Legal 500 in FinTech, Employment, TMT, and Dispute Resolution (2019–2025). Loreta is a Certified Data Protection Expert (CIPP/E).