The initial sprint to comply with the EU’s Digital Operational Resilience Act (DORA) reached a milestone in April 2025 as financial institutions rushed to submit their Registers of Information (RoI) on ICT third-party arrangements. The Commission de Surveillance du Secteur Financier (CSSF) even extended its RoI submission portal until 31 May 2025 to let financial institutions fix errors and resubmit their registers. But this experience is not the end of the DORA journey. In fact, the real work of digital operational resilience is just beginning.
Below we explore the dimensions of digital resilience that go beyond simple compliance and that turn a DORA programme into actual results.
Creating the RoI forced financial institutions to list all contracts with ICT third-party service providers, not just IT outsourcings. This was revealing for many, but it’s only step one.
One immediate priority after the Registers of Information is the contractual remediation campaign with all ICT third-party service providers, to meet DORA’s highly detailed contractual expectations. Among other things, these require a clear description of the ICT services, audit and access rights, termination rights and service levels. In practice, the market has moved towards creating two DORA-compliant addendums: one for contracts supporting critical or important functions, and one for all other contracts.
This remediation isn’t a trivial effort. Providers may be hesitant to adopt new terms, and coordination across legal, IT and vendor management teams is needed. DORA took full effect in January 2025 with no grace period. This means that any non-remediated contracts are a compliance gap.
Beyond paper compliance, ICT third-party risk management is an ongoing discipline. Financial institutions should now maintain a live inventory that continuously tracks, registers and monitors contracts with their ICT third-party service providers, together with the risk exposure arising from those contractual arrangements. Robust ICT third-party risk management is not a one-time exercise, especially in today’s context of heavy dependence on ICT third-party providers. The smart move is to harness the potential of this register: artificial intelligence can turn the raw data of the Register into actionable information.
The next major date for ICT third-party risk is the next annual submission, which should take place in early 2026 (or earlier upon request of the regulators, as provided in Article 28(3) of DORA). Continuous maintenance of the Register of Information will avoid another sprint like the one of April 2025.
With the RoI done and contracts under review, financial institutions must double down on another core pillar of DORA: ICT incident notification. While several organisations updated their policies on paper ahead of the January 2025 compliance date, the challenge now is to ensure those policies are fully implemented, effective and regularly tested.
DORA’s incident reporting regime is particularly demanding. When a serious cyber incident or IT outage happens, the clock starts ticking: not just on classification, not just on recovery, but also on notification to the regulator. Teams must swiftly determine whether the incident meets DORA’s thresholds, often while the crisis is still unfolding. This highlights the necessity of preparing in advance. A recommended approach is to conduct tabletop exercises simulating a major incident.
You might for example simulate a core banking system outage and walk through the entire incident response chain:
Finally, ICT third-party providers should also be considered in incident reporting. If one of your main providers experiences an outage that affects your services, you remain responsible for the regulatory classification and reporting duty. This is why the contractual clauses discussed earlier should also require ICT third-party providers supporting critical or important functions to notify you immediately of any incident occurring on their side.
DORA’s short notification deadlines mean that financial institutions should prepare their communication strategies in advance, so that they can address regulators, customers, media and other stakeholders under pressure when necessary.
Success lies in preparing for the unknown: frequently revisiting your threat scenarios, both intentional and unintentional, and enhancing your impact assessment.
“Resilience” is progressively becoming a unifying theme across regulations. The idea is that financial institutions are expected to anticipate and withstand a spectrum of digital disruptions. This calls for strategic thinking: senior leadership should integrate resilience into the institution’s broader strategy, including its digital transformation efforts, cloud migration strategies and AI adoption, instead of treating it as a separate silo.
Financial entities stand out by integrating resilience during the design phase, especially in system architecture. A system that recovers quickly can be more effective than one that relies on preventive measures alone.
Digital resilience is a moving target, and the next challenge is the rise of artificial intelligence (AI). DORA may be the current focal point for digital operational resilience, but new frameworks are on the horizon, such as the EU’s AI Act. Resilience is a broad paradigm: it is not just about servers and networks staying up, but also about algorithms and data.
AI is changing the fixed nature of traditional algorithms. Unlike a traditional algorithm, which produces the same result for the same input, an AI system learns continuously, so its results change over time, introducing additional risks beyond resilience.
DORA asks the industry to build robust systems, prepare for disruptions, understand dependencies and be ready for the unexpected. The AI Act adds another layer by demanding trustworthy AI systems, meaning they should be transparent, safe, unbiased, accountable and ethical. We anticipate a shift from pure resilience to trust, where systems must not only function but also deliver accurate and unbiased results.
The DORA RoI submission in May 2025 was a key milestone, but not the finish line. DORA’s real impact will be seen in how well financial institutions develop sustainable operational resilience in the future. It is more than a regulatory checklist; it can enhance customer trust and reduce disruptions. Regulations like DORA and the AI Act set higher standards, leaving each organization to embed these into daily operations.
In a rapidly changing digital world, financial institutions with a strong resilience culture will be the ones to maintain trust and stability.