
DORA is now a household name

From compliance challenges to future milestones

One year into DORA: Where do we stand and what lies ahead?

As we approach one year since the entry into force of the Digital Operational Resilience Act (DORA), a large majority of financial institutions are still not fully compliant. While significant progress has been made, several requirements continue to emerge as particularly challenging. 

This raises a number of key questions for the market: Where do institutions currently stand? What tangible changes has DORA brought so far? What are the main obstacles in the compliance journey? And what major milestones should institutions prepare for next?

This article aims to provide insights into the current market landscape and offer a forward-looking perspective, drawing on our experience supporting multiple entities throughout their DORA compliance journey, as well as on the findings of our 2025 DORA European Survey, published this summer.

Current market status: Insights from the DORA European Survey

Our survey results show that progress towards full compliance remains uneven across the different DORA pillars. While 48% of surveyed entities consider themselves fully compliant with the ICT Incident Management pillar, only 25% report full compliance with the ICT Risk Management pillar. The figures drop even further for Digital Operational Resilience Testing and ICT Third-Party Risk Management, where just 8% of respondents consider themselves fully compliant.

These results clearly indicate that the journey towards full DORA compliance is still long for most institutions. In fact, 50% of surveyed institutions expect to reach full compliance only by 2026 or even 2027, well beyond the initial regulatory timeline.  

The impact of DORA so far: Three key positive developments

Despite the multiple challenges—some of which have only recently been uncovered and will be explored later in this article—we have observed three major positive effects driven by DORA so far.

First, DORA has compelled institutions to establish a clear and structured link between business functions, the underlying technological landscape, and supporting ICT service providers. As a result, asset management has become a critical, living capability, rather than a static inventory updated once a year.

Second, DORA has significantly increased the involvement of executive management and supervisory functions, the so-called “management body.” Their accountability under the regulation has elevated both their engagement and their understanding of ICT risk management across the organization.

And third, DORA has acted as a catalyst for breaking down silos. It has fostered stronger alignment between risk management, cybersecurity, and business continuity functions, which historically often operated independently, with limited coordination.

The challenges faced and how the financial sector is responding

To better understand how financial institutions are progressing on their DORA journey, it is useful to take a closer look at each pillar, the key challenges encountered, and the ways in which those challenges have been addressed.

Financial entities were already familiar with ICT security and risk requirements through existing regulations and supervisory expectations from the CSSF, the European Central Bank (ECB), and European Authorities (mainly EBA and EIOPA). However, the granularity and breadth of DORA requirements and related technical standards led most institutions to significantly revise and enhance more than half of their ICT security policies.

A major new requirement emerged at the governance level: the definition and implementation of a Digital Operational Resilience Strategy. Institutions had to bring coherence across roles and responsibilities spanning the three lines of defense, clarify the involvement of the management body, and establish structured reporting mechanisms to enable effective steering and oversight. For this challenge, awareness, communication, and cross-functional alignment proved to be the key success factors.

The second challenge related to the identification of critical or important functions (CIFs) and their mapping to the technology layer, including underlying ICT assets and services. This exercise required significant effort and multiple workshops, often resulting in an initial output that lacked maturity or consistency. Institutions that adopted a clear methodology combined with an iterative refinement approach achieved the most robust and defensible outcomes over time.

The final major challenge within ICT risk management stemmed from highly detailed technical standards requiring structural changes to IT environments, including network segmentation, encryption, and back-up and restoration capabilities. These requirements typically involve multi-year transformation initiatives and are the primary reason why many DORA programs are expected to extend well beyond 2025.

Leveraging the existing CSSF Circular 24/847 and the previously established EBA guidelines on ICT security, financial entities were quick to adopt the requirements set out in the DORA ICT Incident Reporting pillar. Thanks to the structured nature of the framework and the highly detailed technical standards issued by the European Supervisory Authorities (ESAs), incident classification and reporting requirements were rapidly implemented across the sector.

However, practical challenges emerged when entities began classifying their first ICT incidents. Data collection—particularly from third-party providers—proved complex, as did the interpretation of certain criteria. These challenges were most evident when assessing client, transaction and counterparty impacts, as well as when estimating financial losses. In addition, entities operating across multiple jurisdictions often found themselves triggering the “major incident” classification threshold very quickly, sometimes even for minor incidents.

To address these challenges, many financial entities initiated simulation exercises in which ICT-related incidents were captured and assessed against the DORA classification criteria. The objective of these simulations was to validate the availability and quality of the required data and to build a clearer understanding of when an ICT incident meets the threshold for classification as a major incident requiring regulatory reporting.

Digital Operational Resilience (DOR) testing has primarily focused on system security and tools. Our DORA European Survey revealed that testing strategies most commonly included:

  • Weekly automated testing (SAST, DAST, SCA) and regular scans for all ICT assets.
  • Annual security assessments of networks supporting critical or important functions (CIFs).
  • Penetration testing of systems and tools supporting CIFs.
  • Reviews of firewall and network security configurations.
  • Vulnerability assessments and patch management activities.

Beyond these baseline activities, many companies achieved greater efficiency in their testing strategies by improving consistency between the scope of security testing and that of response and recovery testing. A particular focus was placed on testing critical functions in an end-to-end manner. This considerable challenge required close collaboration between business continuity, IT, information security, and business process owners to design and execute a coherent and integrated testing plan.

A key question for many entities was their eligibility for Threat-Led Penetration Testing (TLPT), aligned with the TIBER-EU framework, and whether third-party service providers should be included in such exercises. Our survey indicated that most entities conducting TLPT carefully considered the scope of third-party involvement, with more than one-third of surveyed organizations involving their vendors directly in the testing process.

One of the initial challenges in ICT third-party risk management was determining which services fell within the scope of DORA and appropriately identifying and classifying them for remediation. This task proved particularly complex for entities relying on group-level frameworks, where visibility into subcontracting arrangements was often limited.

Subsequently, many entities focused on contractual amendments. Legal teams and business stakeholders worked together to understand subcontracting chains and negotiate the new contractual clauses required under DORA.

A major operational challenge arose with the submission of the Register of Information between 1 and 15 April 2025. While the CSSF initially granted Luxembourg entities an extension until 30 April 2025—later extended to 31 May 2025—the exercise remained demanding and resource-intensive.

Our survey revealed that more than half of the surveyed financial entities encountered difficulties in identifying the supply chain dependencies beyond first-tier providers. Also, 80% of respondents reported addressing concentration risk by implementing or reinforcing a multi-vendor strategy.

What to expect as next major milestones

What to expect for financial institutions

The latest milestone reached was the designation of Critical ICT Third-Party Providers (CTPPs) in the EU. 19 CTPPs were designated and will be directly overseen by the joint supervisory teams led by the European Supervisory Authorities (ESAs). These third-party providers will have to align their internal governance and security with DORA requirements and with the EU financial institutions they serve.

Regarding supervision by national competent authorities, regulators across the EU—including the CSSF—have indicated that the initial on-site inspections will primarily focus on the maturity of institutions’ DORA gap assessments, implementation roadmaps, and associated action plans. In Germany, BaFin initiated DORA-related on-site visits as early as May 2025. In Luxembourg, while no DORA-specific on-site inspections were undertaken by the CSSF in 2025, several thematic reviews targeting management companies and banks were announced. The CSSF is expected to accelerate its supervisory activities in 2026, with IT on-site inspection programs adapted to reflect DORA requirements.

What to expect for support PSFs

The transposition of the NIS2 Directive will complete the regulatory landscape for support PSFs providing ICT services.

While DORA is a sector-specific regulation that is directly applicable to financial entities, NIS2 is a cross-sector directive that requires national transposition into local law. As a result, the scope of entities subject to NIS2 does not fully align with those subject to DORA. Nevertheless, two distinct areas of overlap exist.

The first overlap concerns banks and financial market infrastructures, which fall directly within the scope of both NIS2 and DORA. In this case, the lex specialis principle applies, meaning that DORA takes precedence over NIS2. This approach prevents duplicate regulatory requirements and ensures that financial-sector-specific rules prevail.

The second overlap applies to support PSFs providing ICT services. These entities are directly subject to NIS2 requirements, while DORA obligations apply to them indirectly through contractual arrangements. Financial entities subject to DORA must cascade relevant DORA requirements into their contracts with ICT service providers. In this scenario, the lex specialis principle does not apply. However, by achieving compliance with NIS2, a support PSF can already meet a significant portion of its clients’ DORA-related expectations.

Key areas where DORA and NIS2 overlap include:

  • ICT and cyber risk management processes, including the level of comprehensiveness and risk reporting requirements.
  • Incident classification criteria, reporting timeline, and data requirements.
  • Third-party and supply chain risk management, including subcontracting, where DORA introduces additional obligations compared to NIS2.
  • Responsibilities of the management body.

The illustration below provides a high-level view of these overlapping areas and their respective regulatory coverage.



In summary, DORA remains a demanding journey for the financial sector, yet institutions have already taken significant steps toward strengthening their digital operational resilience. While the first wave of challenges—focused on interpretation, scoping, and initial implementation—has largely been overcome, a second wave is now emerging. This next phase centers on embedding DORA requirements into business-as-usual operations, alongside addressing more structural and technical implementation challenges.

Ultimately, these combined efforts will better position financial entities and their service providers for upcoming supervisory scrutiny, with on-site inspections expected to be conducted against a significantly higher bar of maturity and preparedness.
