The DORA regulation has now been in force for well over a year as the operational resilience framework for financial institutions operating in and with the European Union. Since it became applicable on 17 Jan 2025, the central lesson of those 16 months is not about compliance.
Ultimately, DORA did not create a compliance problem; it created an exposure management problem, and the firms that understood the difference early are in a fundamentally different position from those that did not.
In the Past
Coming into force in January 2025, the intention of DORA was to strengthen the resilience of the financial sector against cyber-attacks and to drive the concept of operational resilience. It encourages businesses to practise Continuous Threat Exposure Management and to ensure they have strong security across their partners and external supply chains.
The regulation was published in January 2023, before enforcement began in January 2025, so businesses knew what to expect from it - and those 24 months also gave firms time to prepare.
Since the end of the implementation period and the introduction of enforcement measures, the focus has shifted from preparation to compliance. While DORA does not prescribe a single set of penalties across Europe, national regulators are now responsible for enforcement using their respective financial sanction frameworks. Fines can reach €5 million to €20 million, or up to two percent of total annual worldwide turnover, depending on the jurisdiction and the severity of the breach.
This raises the question of whether organisations are truly prepared to meet DORA's operational resilience requirements in practice.
Protection and Prevention
Of DORA's 64 articles, one that caught my eye is Article 9, which focuses on protection and prevention. In particular, this emphasises that "financial entities shall continuously monitor and control the security and functioning of ICT systems and tools."
This is done to minimise the risk placed upon ICT systems through the deployment of ICT security tools, policies and procedures. In other words, Article 9 is intended to ensure financial entities maintain high security standards and that their ICT systems are resilient to cyber threats and operational failures.
This is another step on the resilience ladder: if businesses falling within this regulation cannot ensure the resilience, continuity and availability of their ICT systems, it is a black mark on their audit.
So what have we learned here? Article 9 demands continuous identification and remediation for both compliance and security needs. From the evidence I've seen, regulated firms still run quarterly scans and ticket-based patching - and claim compliance as a result. This is not a documentation problem. It is an exposure management problem - and quarterly scans were never designed to solve it.
Further Gaps?
Even with the time to gain oversight since January 2025, continuous threat exposure management is where intent and operational reality have drifted furthest apart, and in our view this is where the evidence gap will widen most sharply through 2026. Can you prove your level of compliance without the correct evidence?
A head of security at a €20B EU cooperative bank said: "When the auditor comes, I press the button and say: here, this is how it looks, this is how it was last week, this is how it was four weeks ago, this is the trend, this is what we do, how we do it."
Annual audits were passed because firms could produce a snapshot of their state of compliance, but overall and ongoing compliance often requires an architecture change, not a documentation change.
To date most firms haven't made that change, and what we've learned here is that too many audits are not based on continual compliance. The firms that built compliance programmes built something designed to pass an audit. What DORA actually demands is an exposure-management programme - one that produces compliance evidence as a by-product of good security, continuously, on demand. Those are not the same thing, and the use and deployment of AI, which has grown since the DORA regulation was created, adds a further consideration.
AI Everywhere
Since January 2025, the adoption of generative AI and agentic systems has accelerated significantly. Research shows AI has matured from experimentation in 2023 to widespread operational deployment in 2026, with more than 85% of large enterprises using AI in at least one business function and around half of employees incorporating it into their daily work.
The impact extends far beyond traditional security use cases such as threat detection and email filtering. Tools including Claude, Gemini, Copilot, and ChatGPT have become embedded in day-to-day business processes, while agentic systems are increasingly being used to automate workflows, support decision-making, and augment security operations.
This creates a new dimension for DORA. The challenge is not simply the adoption of AI itself, but whether organisations are managing AI as part of their ICT risk framework. As AI becomes embedded across software, data, infrastructure, networks, interfaces, and business processes, it falls squarely within the environments that DORA is designed to govern.
At the same time, AI is becoming one of the key technologies that makes Continuous Threat Exposure Management achievable at scale. Agentic AI can continuously identify, contextualise, and prioritise risk across complex environments, helping organisations maintain the ongoing visibility and evidence that DORA expects.
However, while AI can accelerate risk management, accountability must remain with the human operator. The value lies in combining AI-driven scale and speed with transparent, auditable decision-making and human oversight.
The other side of the equation is that AI itself is rapidly becoming part of the attack surface. LLM tools, agentic systems, Copilot-style assistants, Shadow AI deployments, retrieval-augmented generation (RAG) pipelines, third-party AI services, and MCP servers are all creating new assets that must be understood, monitored, and assessed for risk.
Regulators are already responding. In 2026, the German regulator BaFin issued guidance on managing ICT risks associated with AI use in financial services, explicitly bringing AI systems within the scope of DORA's ICT framework. This means AI assets now require the same level of inventory management, posture assessment, and continuous exposure monitoring as any other critical technology. Yet many organisations still lack a clear understanding of what AI assets exist across their environments.
This creates a dual challenge for regulated firms. AI is helping organisations operationalise continuous exposure management at the scale DORA requires, while simultaneously expanding the scope of what must be managed and monitored. The question is whether AI initiatives are being governed as part of the organisation's broader ICT risk programme, or whether they continue to operate outside of it.
Looking Back and Forward
It's clear that a majority of businesses were not prepared for compliance with the DORA regulation, but to get back to the main point on what we've learned so far: if 2025 was the year to build the framework, then 2026 is the year the framework gets tested.
We now see that efforts to achieve compliance surfaced gaps that other regulations did not disclose. This makes Continuous Threat Exposure Management the best solution for the continuous-evidence part of DORA.
DORA requires exposure-management capability for the parts that cannot be evidenced with documentation alone, and that is where practitioners should treat compliance as the floor, not the ceiling: operational resilience comes from the ability to robustly fix and mitigate risks, not from the documentation of those fixes.
It is not all bad news though: following DORA's compliance pillars allows firms to see exactly where their programme has gaps, why they exist, and what closes them. Use DORA as guidance on whether a programme is built merely for periodic compliance or to enable exposure management, and on how well a continuous management framework could work inside the organisation.
We have to be honest and admit that DORA worked. It has set a stronger regulatory rulebook for regulated financial entities, requiring a better digital operational resilience framework covering both financial entities and their ICT third-party providers.
DORA has now been live for 16 months since enforcement began on 17 Jan 2025, and whether you've achieved compliance or not, it is here to stay.