After one year of DORA implementation, it is clear: complexities have become visible, the need for action is concrete
One year after the Digital Operational Resilience Act (DORA) entered into force, the grace period is now over. While many institutions have achieved formal compliance, their operational steering capability is often still lacking. Current audit findings confirm what is also becoming increasingly visible in market reporting: DORA exposes drivers of complexity that were previously hidden – in particular in the information register and in data models, third-party risk management, criticality and function classifications, and in governance and operational embedding.
Among the biggest problems and inefficiencies uncovered by DORA reporting are:
• a high proportion of processes and ICT service providers classified as “critical / important”
• data discontinuities between procurement, CMDB, TPRM and the DORA information register
• governance structures that are formally defined but not effectively embedded
• increasing audit and reporting effort with limited added value for steering
The challenge now is not additional documentation, but achieving an integrated target operating model that brings together regulation, processes, data models, and systems. Because DORA will only become manageable if institutions shift from implementation to effectiveness, efficiency and genuine steering capability.
In our Deep Dive, we explore the challenges uncovered in the past year and show which criteria need to be fulfilled for a truly successful and efficient DORA implementation.
