
After DORA is Before DORA

  • rozemarijn.de.neve
  • 3 days ago
  • 3 min read

Europe’s Digital Operational Resilience Act (DORA) took full effect on 17 January 2025, reshaping how banks, insurers, payment firms, asset managers, and their ICT providers organize compliance, IT, and operational resilience. DORA unifies requirements for ICT risk management, incident reporting, resilience testing, and third-party oversight into a single regulatory framework across the EU financial sector (ESMA, 2025).


What DORA Changed and Why It Matters


DORA established a harmonized rulebook for ICT risk management, requiring governance, risk assessment, protection, detection, and recovery controls (EBA, 2025). Major ICT-related incidents now follow a single reporting timeline: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month (ESAs, 2024). DORA also introduced Threat-Led Penetration Testing (TLPT), mandating intelligence-led resilience testing of live production systems at least every three years for the financial entities designated by their authorities (EIOPA, 2025).


Compliance teams now face a shift from policy documentation to real-time evidence of control effectiveness. Incident management processes must align with strict DORA timelines and integrate with NIS2 and PSD2 frameworks. IT departments are evolving from focusing solely on prevention to ensuring recoverability and continuity, while organizational structures must support vendor oversight and board-level accountability for ICT concentration risks (ECB, 2024).


ENISA’s 2024/25 Threat Landscape reported 4,875 incidents in the financial sector between July 2024 and June 2025, with ransomware remaining the most common threat (ENISA, 2025). The ECB noted that only 28% of EU banks use verified golden sources for critical-function data, and that ICT-related losses rose from €16.4m in 2022 to €38.6m in 2023 (ECB, 2024). The IMF’s 2025 Euro Area review highlighted increased risks in ICT security, outsourcing, and change management, the areas at the heart of DORA’s objectives (IMF, 2025).


Three Non-Negotiables to Have in Place


1. A DORA-grade ICT risk management framework: documented governance, control baselines, and evidence-driven metrics aligned with the Regulatory Technical Standards (RTS) drafted by the ESAs and adopted by the Commission (EBA, 2025).

2. An end-to-end major incident regime: standardized classification and playbooks that meet the 4h/24h/72h/1-month reporting cadence, where the 4h clock starts at classification as major, the 24h cap runs from awareness, the 72h intermediate report follows the initial notification, and the final report is due within one month (ESAs, 2024).

3. A living third-party and sub-contracting register: a continuously updated register of ICT providers, the functions they support, their risk ratings, their subcontracting chains, and documented exit strategies (ESMA, 2025).


Three Best Practices for Continuous Resilience


1. A provider management system with live data updates: a centralized provider management tool that automates vendor data ingestion and tracks subcontracting chains, so the register reflects the current state of the supply chain rather than the last annual review (EBA, 2025).

2. Automated, streamlined onboarding and data extraction: workflow automation and AI-assisted contract analysis to keep the information register current, with human review of the extracted contractual terms before they are relied on (ESMA, 2025).

3. AI-assisted regulatory compliance monitoring: tooling that tracks RTS and ITS updates, flags compliance drift against the control baseline, and pre-classifies incidents against the materiality thresholds, with final classification decisions remaining with the accountable incident manager (EIOPA, 2025).


Conclusion


After DORA is before DORA. The regulation is not a finish line but a continuous operational rhythm. Firms that embed automation, real-time supplier oversight, and proactive AI-driven compliance will transform DORA from a compliance obligation into a competitive advantage.


About Fundvis


Fundvis is a Luxembourg-based RegTech platform that centralizes the onboarding, monitoring, and regulatory compliance of providers, delegates, and funds across financial institutions through AI-driven automation. Already overseeing more than 1,000 delegates and having filed regulatory reports across four jurisdictions, Fundvis has established itself as a trusted partner for digital governance and oversight. Serving clients across the financial industry, including banks, asset managers, management companies (ManCos), and insurance firms, Fundvis draws on its operational experience to streamline complex compliance workflows. Fundvis is positioned to support firms in achieving and maintaining DORA compliance through continuous monitoring, transparent reporting, and resilient operational oversight.


References


EBA (2025). Final Regulatory Technical Standards on ICT Risk Management under DORA.

ESMA (2025). Joint Guidelines on ICT Third-Party Risk and Oversight.

EIOPA (2025). TLPT Implementation Guidance.

ENISA (2025). Threat Landscape 2024/25.

ECB (2024). Banking Supervision Cyber Risk Observations.

IMF (2025). Euro Area Financial Sector Assessment Program.

ESAs (2024). Joint Draft Standards on ICT Incident Reporting Timelines.

