Common Challenges in Meeting Dora Requirements

dora compliance challenges
5/5 - (1 vote)

Last Updated on June 30, 2026 by Narendra Sahoo

The Digital Operational Resilience Act is active. Yet most financial entities are still navigating significant implementation challenges. Here is what they are — and how to overcome each one.

Jan 17, 2025
DORA enforcement date — compliance is mandatory
2% Revenue
Maximum fine for non-compliance with DORA
5 Pillars
ICT Risk, Incident Reporting, Testing, Third-Party Risk, Governance

1️⃣ What Is DORA and Why Does It Matter?

The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — is a mandatory EU framework that sets unified, prescriptive requirements for how financial entities must manage ICT risks, report incidents, test operational resilience, and oversee third-party technology providers.

In force since 17 January 2025, DORA applies to banks, investment firms, insurance companies, payment service providers, crypto-asset service providers, and critically — to ICT third-party providers such as cloud platforms, software vendors, and data centres that support EU financial entities.

Non-compliance carries severe consequences: fines of up to 2% of total annual global turnover, or periodic penalties calculated against average daily turnover. Despite this, many organizations are still struggling to meet requirements across DORA’s five core pillars.

💡 KEY INSIGHT

Organizations that already hold ISO 27001 and SOC 2 certifications are typically 70–80% aligned with DORA before they begin a formal DORA program — thanks to shared controls in risk management, incident response, vendor risk, and governance.

Is your organization DORA-ready?

VISTA InfoSec’s certified consultants conduct DORA gap assessments and build compliance roadmaps for financial entities and ICT providers across the EU, UK, and beyond.

Explore DORA Services →

2️⃣ The 5 Pillars of DORA — A Quick Reference

Before examining the challenges, it is important to understand DORA’s structure. The regulation is built on five interconnected pillars, and most compliance challenges arise from one or more of them.

Pillar Core Requirement Key Articles
ICT Risk Management Comprehensive framework covering identification, protection, detection, response and recovery Articles 5–16
Incident Reporting Classify, escalate and report major ICT incidents to regulators within mandated timeframes Articles 17–23
Resilience Testing Annual security testing; TLPT every 3 years for significant entities Articles 24–27
Third-Party Risk Comprehensive vendor governance, mandatory contractual clauses, register of ICT providers Articles 28–44
ICT Governance Board-level accountability, formal risk reporting, management body oversight Articles 5, 13

3️⃣ Common Challenges in Meeting DORA Requirements

Based on our work with financial entities and ICT providers across the EU, UK, and Asia-Pacific, these are the most frequently encountered obstacles to DORA compliance — and the practical approaches to address each one.

👉 Challenge 1 — Integrating DORA with Existing ICT Risk Frameworks

DORA introduces comprehensive ICT risk management requirements that must be integrated with existing frameworks such as EBA guidelines, ISO 27001, and internal risk policies. Aligning these without creating overlaps, gaps, or duplicated controls is one of the most operationally complex challenges organizations face.

Many organizations make the costly mistake of treating DORA as a separate project — pursuing ISO 27001 first, then layering DORA separately. This creates duplicate controls, multiplies audit fatigue, drives costs up, and generates internal confusion across security, compliance, and technology teams.

✅ HOW TO ADDRESS IT

Perform a thorough gap analysis between your current risk management practices and DORA requirements. Build a Unified Control Framework — a single master control library mapped simultaneously to ISO 27001, SOC 2, and DORA. One control, multiple compliance outcomes, zero duplication. Engage cross-functional teams to ensure all aspects are covered and that integration with existing protocols is seamless.

👉 Challenge 2 — Managing Third-Party ICT Provider Risk at Scale

Managing risks associated with third-party ICT service providers is among the most intensified and prescriptive obligations under DORA. Articles 28–44 go significantly further than previous EU outsourcing guidelines. Financial entities must maintain a comprehensive register of all ICT providers, implement mandatory contractual clauses, assess concentration risk, and ensure exit strategies are documented for critical services.

Many firms work with dozens — sometimes hundreds — of vendors, making it difficult to track that every contract aligns with DORA’s stringent requirements. The regulation also extends beyond direct service providers to include subcontractors and the broader supply chain, creating additional complexity.

✅ HOW TO ADDRESS IT

Build a complete ICT provider inventory classifying all vendors by criticality. Establish a due diligence framework covering financial stability, cybersecurity posture, and operational resilience. Renegotiate existing contracts to include DORA-mandated clauses: audit rights, exit strategies, incident notification obligations, and participation rights in regulatory drills. Implement continuous monitoring with measurable KPIs tied to service delivery and security posture.

📑
FREE WHITEPAPER
DORA Compliance Toolkit
Practical frameworks, checklists, and implementation guidance for DORA’s five pillars — built by certified practitioners.
Download Free →

👉 Challenge 3 — Building a Compliant Incident Classification and Reporting System

DORA imposes hard regulatory notification timelines that go well beyond the general incident response plans required by ISO 27001 or SOC 2. Major ICT incidents must be reported to regulators using specific EU templates within defined timeframes — with an initial notification, a follow-up update, and a final report including root cause analysis and remediation actions.

The most common failure points are: unclear incident classification criteria, gaps in coordination between technical and business teams, and insufficient documentation to demonstrate resilience maturity to regulators.

✅ HOW TO ADDRESS IT

Define explicit classification criteria for major vs. non-major ICT incidents aligned with DORA’s RTS. Document escalation chains — who is responsible for each decision, including the management body. Pre-build EU regulatory reporting templates and rehearse the reporting workflow. Conduct tabletop exercises to validate that technical and business teams can coordinate effectively within reporting windows.

Not sure where your DORA gaps are? Start with a gap assessment.

Our QSA-certified consultants map your current controls against DORA’s five pillars and deliver a prioritized remediation roadmap.

Book a DORA Gap Assessment →

👉 Challenge 4 — Implementing Threat-Led Penetration Testing (TLPT)

DORA mandates regular ICT resilience testing — including Threat-Led Penetration Testing (TLPT) every three years for entities designated as significant. TLPT goes far beyond standard vulnerability assessments. It involves live-fire red team exercises against critical systems, requires certified external testers, demands regulatory approval, and must include all relevant third-party systems in testing scenarios.

For most organizations, this is resource-intensive, expensive, and requires specialized expertise that internal teams may not possess. Many institutions also underestimate how much time the approval and scoping process takes before testing can even begin.

✅ HOW TO ADDRESS IT

Develop an internal testing calendar aligned with DORA’s annual and three-year cycles. Engage CREST-certified third-party testers for TLPT and begin the regulatory approval process early — it takes longer than most organizations expect. Ensure all relevant third-party ICT systems are included in scope. Document all findings meticulously and implement immediate corrective actions based on test results.

👉 Challenge 5 — Establishing Board-Level Governance and Accountability

DORA places personal accountability on management bodies, with potential regulatory enforcement exposure for board members. Formal risk reporting to board level must be evidenced and documented. This represents a fundamental cultural shift for many organizations where ICT risk has historically been managed below the board level.

The challenge is not just creating governance structures on paper — it is ensuring that board members have sufficient ICT literacy to meaningfully oversee DORA-relevant risks, and that formal reporting cadences are embedded into governance cycles.

✅ HOW TO ADDRESS IT

Assign formal ICT risk ownership at management body level. Implement quarterly ICT risk reporting to the board with documented minutes. Conduct board-level ICT literacy training to ensure meaningful oversight. Establish a governance charter that defines escalation paths, approval rights, and reporting frequencies — and have it reviewed by legal counsel familiar with DORA Article 5 requirements.

👉 Challenge 6 — Resource Constraints and Cost of Compliance

DORA compliance requires significant investment in technology, cybersecurity measures, and specialized expertise. Smaller financial entities and ICT providers in particular face challenges in allocating sufficient budget and personnel to meet all requirements simultaneously. Industry estimates suggest EU financial entities are spending €2–5 million on DORA compliance — with only 8% achieving full compliance in digital operational resilience testing and third-party risk management.

✅ HOW TO ADDRESS IT

Prioritize compliance efforts by risk level — focus first on the highest-risk gaps such as critical ICT dependencies, incident reporting readiness, and third-party governance. Build a phased roadmap aligned with existing security and digital transformation initiatives to reduce duplication. Consider the VISTA InfoSec AuditFusion360 approach — consolidating overlapping ISO 27001, SOC 2, and DORA controls into a single streamlined audit to dramatically reduce cost and effort.

📄
FREE DOWNLOAD
DORA Compliance Toolkit — Full Framework Guide
ICT Risk Management, Incident Reporting, TLPT, Third-Party Risk — all five pillars covered.
Get Toolkit →

👉 Challenge 7 — ICT Concentration Risk and Vendor Dependency

DORA specifically addresses ICT concentration risk — the risk that arises when a financial entity relies too heavily on a single provider or a small number of providers for critical functions. This is particularly relevant for cloud services, where a dominant hyperscaler may support multiple critical operations simultaneously.

Many institutions have limited visibility into their full ICT dependency chain, including subcontractors and fourth-party relationships. Without a complete picture of the technology supply chain, it is impossible to assess concentration risk accurately.

✅ HOW TO ADDRESS IT

Map your complete ICT ecosystem — including direct providers, subcontractors, and fourth-party relationships. Identify which providers support critical or important functions and assess substitutability. Where concentration risk is identified, develop alternative sourcing strategies and document them in your ICT risk framework. Build predefined exit strategies for all critical ICT services so that operational continuity is maintained if a provider fails.

👉 Challenge 8 — Keeping Pace with Evolving Regulatory Technical Standards (RTS)

DORA is not a static regulation. The European Supervisory Authorities (EBA, EIOPA, and ESMA) continue to publish and update Regulatory Technical Standards and Implementing Technical Standards that add prescriptive detail to DORA’s requirements — covering ICT risk management frameworks, incident classification, third-party policy criteria, and TLPT specifications.

Organizations that achieved initial compliance in January 2025 may find that subsequent RTS updates require changes to their frameworks, contracts, or reporting processes. Staying current is an ongoing operational requirement, not a one-time activity.

✅ HOW TO ADDRESS IT

Assign a dedicated regulatory monitoring function to track ESA publications. Subscribe to official ESA regulatory update channels and engage a compliance consultant with active DORA practice exposure. Build regulatory change management into your compliance program so that RTS updates trigger a structured review and remediation cycle — not a reactive scramble.

Facing one of these challenges right now?

VISTA InfoSec has guided financial entities and ICT providers through every DORA challenge — from gap assessments to TLPT preparation to third-party contract remediation.

Explore DORA Services → Get Free Toolkit

4️⃣ DORA Challenges — Quick Reference Summary

Use this summary to quickly assess which challenge areas require the most attention for your organization.

Challenge Area DORA Pillar Complexity
Integrating with existing frameworks ICT Risk Management High
Third-party ICT risk at scale Third-Party Risk High
Incident classification and reporting Incident Reporting Medium
Implementing TLPT Resilience Testing High
Board-level governance ICT Governance Medium
Resource constraints and cost All Pillars Medium
ICT concentration risk Third-Party Risk Medium
Evolving RTS requirements All Pillars Ongoing

“DORA compliance is not a one-time project — it is an ongoing operational capability that must be embedded into your governance, technology, and culture.”

5️⃣ How VISTA InfoSec Helps You Navigate DORA

VISTA InfoSec’s DORA compliance service is built around your organization’s specific risk landscape. As a vendor-neutral, CREST-certified firm, we provide independent, transparent, and expert-led services across every stage of the compliance journey.

✓  DORA Gap Assessment — Evaluate your current ICT controls against all five DORA pillars and deliver a prioritized remediation roadmap
✓  ICT Risk Framework Development — Build or enhance your risk management framework to meet DORA’s Articles 5–16 requirements
✓  Third-Party Risk Programme — Build vendor registers, assess critical ICT providers, and remediate contractual gaps
✓  TLPT Preparation and Testing — Scenario-based penetration tests to validate cyber resilience against real-world threats
✓  Incident Reporting Playbooks — Design, document, and drill EU-compliant incident classification and reporting workflows
✓  AuditFusion360 — Consolidate DORA, ISO 27001, and SOC 2 into a single streamlined audit for maximum efficiency and cost savings

Download the DORA Compliance Toolkit — Free

Practical frameworks, checklists, and implementation guidance across all five DORA pillars — built by certified practitioners with hands-on DORA audit experience.

Get the Free Toolkit →

Frequently Asked Questions

Who does DORA apply to?
DORA applies to a broad range of financial entities operating within the EU — including banks, investment firms, insurance and reinsurance companies, payment service providers, electronic money institutions, and crypto-asset service providers. It also applies to ICT third-party providers such as cloud platforms, software vendors, and data processors that support these financial entities, even if the provider is based outside the EU.
What is the penalty for DORA non-compliance?
Financial entities that fail to comply with DORA can face fines of up to 2% of their total annual worldwide turnover, or periodic penalties based on average daily global turnover until compliance is achieved. For critical ICT third-party providers, the consequences can include suspension of services to financial entities — a severe commercial and reputational outcome.
If we are already ISO 27001 certified, how much additional work does DORA require?
Organizations with ISO 27001 certification are typically 70–80% aligned with DORA before beginning a formal program. The remaining 20–30% focuses on areas that go beyond ISO’s scope: mandatory EU regulatory incident reporting timelines and templates, Threat-Led Penetration Testing (TLPT) with regulatory approval, board-level accountability requirements, and the DORA-specific contractual and governance obligations for ICT third-party providers.
How long does DORA compliance take to achieve?
For organizations starting from scratch, full DORA compliance typically takes 6–12 months depending on organization size, existing control maturity, and vendor ecosystem complexity. Organizations with established ISO 27001 or SOC 2 programs can often achieve compliance faster. The TLPT requirement adds lead time due to the regulatory approval process, so planning for this well in advance is strongly recommended.
What is TLPT and is it required for all organizations?
Threat-Led Penetration Testing (TLPT) is a live-fire red team exercise conducted against an organization’s critical systems using real threat intelligence. Under DORA, TLPT is mandatory every three years for significant financial entities — typically those with the largest balance sheets, largest customer bases, or those identified by their national competent authority. Smaller or less significant entities may be exempt from TLPT but are still required to conduct annual ICT resilience testing.

VISTA InfoSec • Certified DORA Compliance Consultants

Navigate DORA With Expert Guidance

Whether you are starting a gap assessment, preparing for TLPT, or remediating third-party contracts — our certified team guides you from scoping to full DORA compliance.

 

Explore DORA Services → Get Free Toolkit