The DORA deadline: why 38% of EU financial firms will miss compliance (and how to avoid being one of them)

The Digital Operational Resilience Act (DORA) began active supervision on January 17, 2025. For EU financial entities, the compliance clock is no longer theoretical.

Yet 38% of firms are targeting full compliance in 2026, according to Deloitte’s Wave 3 DORA survey (March 2025), which covered 36 entities across 28 countries. The gap between regulatory expectation and organisational readiness is widening.

Why DORA is different

Unlike GDPR, which many organisations approached as a privacy checkbox exercise, DORA mandates operational resilience across ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. The regulation covers 21 types of financial entity, from credit institutions to crypto-asset service providers.

Four requirements are hitting SME financial firms hardest.

Article 6: ICT risk management framework. Financial entities must implement ‘proportional’ ICT risk management, but proportionality is undefined. A €50M asset manager faces the same baseline requirements as a €50B bank, scaled only by ‘complexity and criticality.’

Articles 17-19: Incident reporting with financial impact. Major incident reporting must include an estimated economic impact, which is a mandatory classification criterion. Incidents exceeding €100K in costs or losses must be reported to the competent authority within four hours of classification. Without the ability to quantify Annual Loss Expectancy (ALE), Single Loss Expectancy (SLE), and Probable Impact Range (PIR), firms cannot satisfy this requirement.

Article 26: Threat-led penetration testing (TLPT). Entities designated as significant must conduct threat-led penetration testing every three years. This is not a vulnerability scan. It is a simulated attack by certified testers mimicking advanced persistent threats on live production systems. Article 27 sets the qualification standards those testers must meet.

Articles 28-30: Third-party ICT risk and concentration. Firms must maintain a register of all ICT third-party arrangements and assess concentration risk. If 60% of ICT services come from AWS, Azure, or GCP, documented mitigation strategies are required.

The SME financial services gap

Large banks have compliance teams. SME financial firms, asset managers, payment processors, credit unions, and fintech startups generally do not.

They are expected to map 40+ DORA articles to existing controls, implement financial impact modelling for incidents, conduct gap analysis across ICT risk domains, document third-party concentration risk, and prepare for regulatory audits throughout 2025-2026. External consultants with DORA-specific expertise are in short supply and not cheap.

Deloitte’s survey found 64% of institutions plan to spend €2-5M on DORA compliance, with only 11% expecting to come in under €2M. For SMEs operating without a dedicated DORA programme, even the lower end of that range is a significant commitment.

The automated compliance approach

RiskAct™ maps existing controls to DORA Articles 6, 8, 9, 11, 17-19, 26-27, and 28-30, auto-generates gap analysis reports, and embeds financial risk quantification (ALE/SLE/PIR) directly into incident classification workflows. Third-party ICT dependencies are tracked against the register requirements, and audit-ready documentation is generated on demand. Implementation runs in days rather than the six to twelve months a manual approach requires.

For SME financial services firms, the practical value is scope reduction. Automated mapping removes the manual work of cross-referencing articles to controls, which is where most of the consulting spend goes.

Why this matters beyond EU borders

DORA has extraterritorial reach. Firms providing services to EU financial entities from outside the EU, operating EU subsidiaries or branches, or participating in EU financial markets are likely in scope.

UK firms anticipating regulatory divergence post-Brexit should note that the FCA and PRA are signalling DORA-equivalent requirements under the UK Operational Resilience framework. The direction of travel is consistent on both sides of the Channel.

The MSP/MSSP opportunity

Financial services firms need ICT risk management expertise they don’t have internally. MSSPs that can deliver DORA article mapping, automated compliance documentation, financial impact modelling, and third-party risk registers have moved from IT support to regulatory compliance partner. That is a different commercial conversation at a different price point.

The path forward

Start with a gap analysis against DORA Articles 6, 8, 9, 11, 17-19, 26-27, and 28-30. Implement ALE/SLE/PIR quantification for incident classification so reporting obligations can be met without manual calculation. Build the third-party ICT register now, as 46% of firms surveyed identified it as the single hardest DORA requirement. Then prepare for regulatory audit scrutiny in 2025-2026 focused on proportionality.
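As an added illustration (not code from this article, RiskAct, or NetraScale), the following Python sketch shows the two calculations the steps above rely on: quantifying an incident as SLE/ALE/PIR and applying the article's stated rule that an incident exceeding €100K must be reported within four hours of classification, and computing provider concentration from a third-party ICT register. The €100K threshold and four-hour window are the article's figures; the 60% concentration threshold (the article's illustrative number), the PIR multipliers, the register layout, the function names and the sample data are all assumptions made for the example.

```python
"""Added example: DORA-style incident quantification and third-party concentration.
Not RiskAct code. Thresholds marked below come from the article; the rest are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAJOR_INCIDENT_COST_EUR = 100_000   # threshold stated in the article
REPORT_WINDOW = timedelta(hours=4)   # reporting window stated in the article
CONCENTRATION_THRESHOLD = 0.60       # assumption: article uses 60% only as an illustration


def single_loss_expectancy(asset_value_eur: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset's value lost in one event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value_eur * exposure_factor


def annual_loss_expectancy(sle_eur: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of such events per year."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("ARO cannot be negative")
    return sle_eur * annual_rate_of_occurrence


def probable_impact_range(sle_eur: float, low_factor: float = 0.5, high_factor: float = 2.0):
    """PIR as modelled here: a (low, high) band around the SLE. Multipliers are an assumption."""
    return (sle_eur * low_factor, sle_eur * high_factor)


@dataclass
class Incident:
    incident_id: str
    estimated_cost_eur: float   # estimated economic impact, the criterion the article discusses
    classified_at: datetime     # UTC time the entity classified the incident


def classify_incident(inc: Incident):
    """Return ("major", report_deadline) when estimated cost exceeds the threshold,
    otherwise ("non-major", None). Economic impact is one classification criterion
    among several in the DORA technical standards; a production classifier combines
    it with clients affected, duration, geographic spread, data loss and service criticality."""
    if inc.estimated_cost_eur > MAJOR_INCIDENT_COST_EUR:
        return "major", inc.classified_at + REPORT_WINDOW
    return "non-major", None


# Register rows: (service, provider, annual_spend_eur, supports_critical_function).
# Constructed sample data with placeholder provider names.
SAMPLE_REGISTER = [
    ("core banking hosting", "CloudProvider-A", 600_000, True),
    ("email and collaboration", "CloudProvider-A", 100_000, False),
    ("payments gateway", "PayVendor-B", 200_000, True),
    ("endpoint security", "SecVendor-C", 100_000, False),
]


def concentration_by_provider(register):
    """Share of total ICT spend per provider, as a dict provider -> fraction."""
    total = sum(row[2] for row in register)
    if total <= 0:
        raise ValueError("register has no spend to measure concentration against")
    shares = defaultdict(float)
    for _, provider, spend, _ in register:
        shares[provider] += spend / total
    return dict(shares)


def concentration_findings(register, threshold: float = CONCENTRATION_THRESHOLD):
    """Providers whose spend share exceeds the threshold, i.e. those that need a
    documented mitigation strategy under the concentration-risk requirement."""
    shares = concentration_by_provider(register)
    return sorted(p for p, share in shares.items() if share > threshold)


if __name__ == "__main__":
    sle = single_loss_expectancy(2_000_000, 0.05)          # constructed asset figures
    print("SLE", sle, "ALE", annual_loss_expectancy(sle, 0.5), "PIR", probable_impact_range(sle))
    inc = Incident("INC-0001", 250_000, datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc))
    print(classify_incident(inc))
    print(concentration_findings(SAMPLE_REGISTER))
```

Two details worth noting: the threshold comparison is strict (the article says "exceeding €100K"), so an incident costed at exactly €100K is not flagged; and the concentration check counts spend across all services a provider delivers, which is what makes the hosting plus collaboration rows from the same provider add up to a finding even though neither row alone crosses the line.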

The 38% missing compliance are not unprepared by choice. The regulation is genuinely complex and the implementation burden is unevenly distributed. Automated tooling reduces the gap between where firms are and where regulators expect them to be.

Sources

  • EU DORA Regulation (Regulation EU 2022/2554): eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554
  • Deloitte DORA European Survey Wave 3 (March 2025), 36 entities across 28 countries: deloitte.com/lu/en/services/consulting/research/dora-european-survey.html
  • EBA DORA Interactive Single Rulebook: eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/17716
  • Digital Operational Resilience Act full text (article reference): digital-operational-resilience-act.com/DORA_Articles.html

About NetraScale™: RiskAct™ provides automated DORA compliance mapping across Articles 6, 8, 9, 11, 17-19, 26-27, and 28-30, with embedded financial impact modelling (ALE/SLE/PIR), third-party risk registers, and audit-ready documentation, purpose-built for EU SME financial services firms and their MSP/MSSP partners.