On 17 January 2025, the Digital Operational Resilience Act (DORA) becomes binding across the European Union, marking a crucial milestone for financial institutions. The regulation introduces stringent requirements to safeguard the sector against technological disruptions. With just days to go, organisations are scrambling to meet its complex demands.
The European Supervisory Authorities (ESAs) have made it clear: there will be no phased enforcement period. Full compliance is expected from day one, leaving little room for delay. However, with over 500 requirements and tight timelines, regulators may initially prioritise significant breaches due to limited resources, reports the Global Treasurer.
Central to DORA’s implementation is a register of key third-party providers, aimed at assessing their resilience. While the final regulation for these registers was only published in December 2024, the ESAs argue that draft guidelines available since January 2024 provided institutions with ample time to prepare. Nonetheless, the sector faces significant challenges in ensuring technical accuracy and comprehensive coverage of critical IT providers.
Readiness varies across the industry
Banks and insurers appear relatively well-prepared, thanks to existing outsourcing and ICT guidelines from regulators like the European Banking Authority (EBA). A recent ESA dry run showed these entities submitted registers with five times more data points than alternative investment fund managers.
Smaller institutions and alternative investment managers, with less mature compliance frameworks, are struggling. The disparity underscores how previous regulatory landscapes have shaped preparedness, leaving some sectors scrambling to build the necessary infrastructure.
Divergent enforcement
Despite DORA’s goal of standardising digital resilience across the EU, enforcement is expected to vary between countries. Luxembourg, for example, has proactively introduced DORA-inspired rules, while Austria, Malta, and Hungary have emphasised ESA dry-run participation. Meanwhile, some Member States have yet to transpose DORA-related amendments into national laws, potentially complicating compliance for multinational firms.
Managing third-party risk is one of DORA’s biggest challenges. Financial institutions must review and renegotiate contracts with critical providers to ensure compliance. Larger institutions, managing thousands of contracts, are prioritising key agreements ahead of the deadline, with phased implementation for less critical ones expected throughout 2025.
Global implications
DORA’s scope extends beyond the EU, affecting non-EU financial institutions operating within the bloc. However, compliance efforts outside the EU remain inconsistent, with smaller firms and non-EU banks often deprioritising the regulation.
As the January deadline looms, the financial sector faces a critical test of its digital resilience and regulatory preparedness.