
The Digital Operational Resilience Act (DORA) deadline has passed, and financial institutions should now be fully compliant. But in reality, many firms are still facing unexpected hurdles as they put their frameworks into practice.
From third-party compliance gaps to audit inconsistencies, organizations are discovering that aligning with DORA on paper doesn’t always translate into smooth execution. Let’s explore the real-world challenges firms are grappling with—and why operational resilience remains a moving target.
1. Third-party compliance: a continuing weak link
Despite best efforts, many financial institutions are still struggling to enforce compliance across their third-party providers.
Why it’s still an issue:
- There are no crystal-clear guidelines on what the requirements are; much is left to interpretation at the level of the legal framework.
- Reviewing all operational processes and technologies of third parties remains unrealistic.
- Compliance costs and resource allocation continue to be a sticking point, with some providers still resisting certain requirements.
“While DORA regulates ICT management, it’s practically impossible for companies to review all operational processes and technologies of their third-party providers.” – Tautvydas Jašinskas, Chief Information Security Officer (CISO) at ConnectPay.
Firms must now shift from compliance planning to active enforcement, ensuring third-party risks are continuously monitored and addressed.
2. TLPT: disruptions and delays
Threat-Led Penetration Testing (TLPT) was one of the most anticipated challenges, and it’s now proving to be a disruptor in practice.
Why are companies struggling? Mostly because the testing process will cause business interruptions, particularly for firms without prior red teaming experience.
“If companies have not previously ensured penetration tests, red teaming exercises, or TLPT testing, they may experience business interruptions or downtime.” – Tautvydas Jašinskas, CISO at ConnectPay.
3. Audit confusion: no standardized approach
Now that audits are underway, firms are encountering inconsistencies in how DORA compliance is being assessed.
What’s causing the confusion?
- Various service providers are using self-developed audit methodologies, leading to varying interpretations of compliance.
- Risk assessments and key performance indicators (KPIs) differ widely between firms, depending on security maturity.
- The absence of a standardized approach means some firms are investing in unnecessary measures, while others may be overlooking critical gaps.
Without clear regulatory guidance, firms must collaborate with auditors, industry peers, and regulators to establish best practices. In practice, the testers ask the firm what to test, so it is up to the firm to decide whether to get strong results by testing controls that already perform well, or to test the struggling ones and find opportunities for improvement.
4. Regulatory oversight: more than just fines?
Now that enforcement has begun, firms are realizing that DORA’s penalty-driven model isn’t necessarily helping them navigate operational challenges.
What needs to change?
- The penalties, not only for companies but also for the private individuals responsible for ensuring DORA compliance, can run to millions of euros, regardless of whether the breach was intentional or unintentional.
- Many firms believe automated regulatory monitoring tools would be more effective than relying solely on penalties.
- Without proactive support, companies risk being punished for misinterpretations rather than guided toward best practices.
To move forward, firms should push for greater regulatory engagement to ensure compliance remains an ongoing process, not just a one-time requirement.
“In my view, true security doesn’t come from imposing fines—it comes from investing in resilience. If we genuinely want to strengthen the ecosystem, penalties should be directed toward closing security gaps, not just punishing non-compliance. Right now, audits consume significant resources that could otherwise be used for meaningful security improvements. A smarter approach would be to align enforcement with sustainable risk mitigation, ensuring organizations build lasting defenses rather than simply paying for their vulnerabilities.” – Tautvydas Jašinskas, CISO at ConnectPay.
What’s next?
DORA compliance wasn’t just about meeting a deadline—it’s about building long-term resilience. As firms move beyond initial implementation, the real challenge is maintaining compliance while adapting to evolving risks.
- Third-party compliance must be actively enforced, not just documented.
- Firms should collaborate to establish audit best practices in the absence of a standardized approach.
- Legal offices and regulators must take a more proactive role in guiding firms through ongoing compliance by providing clear guidelines that leave less room for interpretation.
With that being said, the DORA journey doesn’t end with the deadline—it’s just the beginning of a new operational resilience reality.