As of 17 January 2025, DORA is fully enforceable. Competent authorities across EU member states — the ECB, national central banks, financial regulators — can now supervise financial entities against the full set of DORA requirements and take supervisory action against those found non-compliant.
The honest reality is that not every in-scope financial entity is fully compliant on day one. Complex multi-pillar regulation with a two-year implementation window rarely achieves universal compliance at the deadline. What matters now is the trajectory: are you moving toward compliance, do you have a credible programme, and can you demonstrate to your regulator that you are taking the obligations seriously?
The Immediate Priorities for Entities with Gaps
Get the ICT risk management framework documented and approved. The management body must approve and oversee the ICT risk management framework. If this has not happened formally, it needs to happen now — board or management body approval of the ICT risk management framework is a visible compliance signal that regulators will look for early.
Finalise the ICT third-party register. Even if it is not yet complete or perfectly structured, having a register that is being actively maintained is significantly better than having none. Regulators examining DORA compliance will ask for the register. An in-progress register with a documented plan for completion demonstrates intent and trajectory. No register demonstrates neither.
Ensure incident reporting procedures are operational. The 4-hour initial notification requirement is live. If a major ICT incident occurs today, your process needs to work. If you have not tested the end-to-end notification process, do it this week — a walkthrough exercise with the people responsible for classification and notification takes a morning and tells you quickly whether the process works.
Document what you have, honestly. If your DORA programme is partially complete, document what is in place and what is still being implemented. A gap register with a remediation plan and target dates is the appropriate form for communicating with your regulator about compliance progress. Regulators working with entities that have honest, well-organised gap documentation have a very different experience than regulators working with entities that cannot describe their own compliance status.
The Supervision Landscape
DORA supervision is conducted by each entity’s competent authority under their existing supervisory relationship. The European Supervisory Authorities (EBA, ESMA, EIOPA) are coordinating supervisory approaches across jurisdictions, but day-to-day supervision will happen through national regulators.
The Critical ICT Third-Party Provider (CTPP) designation process — the mechanism by which ESAs designate systemically important technology providers as CTPPs subject to direct EU oversight — is also now active. Technology providers that are designated CTPPs will face a new supervisory relationship that did not previously exist.
At Bitsecura, we are supporting financial entities through the immediate post-deadline period — helping them document and present their compliance status to regulators, prioritise the remaining programme workstreams, and build the sustainable ongoing compliance processes that DORA’s continuous obligations require. If you need support now that the deadline has arrived, reach out here.
Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.