DORA Compliance in Practice: What Financial Institutions Must Demonstrate Beyond Documentation 

The Digital Operational Resilience Act (DORA) represents one of the most significant shifts in the EU financial regulatory framework in recent years. While many financial institutions have already completed formal implementation exercises, supervisory expectations are now moving decisively from documentation review to operational validation. 

In practice, this means that compliance is no longer assessed solely by the existence of policies, but by an institution’s ability to demonstrate that ICT risk management, governance structures, ICT services provision arrangements, and incident response mechanisms function effectively in real operational conditions. 

This shift has important implications for electronic money institutions, payment service providers, fintech companies and other regulated financial entities operating under EU supervision. 

DORA is not a documentation exercise 

A recurring misconception is that DORA implementation can be achieved primarily through policy updates and contractual amendments. 

However, supervisory practice increasingly confirms that DORA is an operational resilience framework, not a paperwork exercise. 

Regulators expect institutions to demonstrate that: 

  • ICT risk is actively governed at the management level 
  • Incident response processes are tested and functional 
  • ICT services provision arrangements are continuously monitored 
  • Operational disruptions can be managed in real time 
  • Risk decisions are embedded in business operations 

Institutions that rely solely on formal documentation risk significant gaps during supervisory inspections. 

Governance remains the most critical weakness 

One of the most frequent deficiencies observed in practice relates to governance structures. 

Although DORA places explicit responsibility on management bodies for ICT risk oversight, many organisations still treat ICT risk as a delegated technical function rather than a board-level governance issue. 

Supervisory expectations increasingly require evidence that management bodies: 

  • understand ICT and operational risks 
  • receive meaningful risk reporting 
  • participate in key resilience decisions 
  • oversee outsourcing dependencies 
  • can demonstrate accountability for outcomes 

Where governance is fragmented between IT, compliance and external providers, institutions often struggle to demonstrate effective oversight. 

https://ecovis.lt/practice-areas/telecommunications-it-and-data-protection-en/dora-regulation/ 

Third-party risk is now a supervisory priority 

Financial institutions increasingly rely on external ICT service providers, including cloud infrastructure providers, software vendors and payment processors. 

Under DORA, ICT services and ICT outsourcing are no longer a contractual formality but a supervisory risk area.

Key challenges include: 

  • identifying important and critical ICT service providers 
  • mapping full outsourcing chains (including subcontractors) 
  • setting agreement terms in line with DORA 
  • assessing concentration risk 
  • ensuring audit and access rights are enforceable 
  • maintaining up-to-date ICT third-party registers 

In practice, many institutions discover that their visibility over third-party dependencies is incomplete only during implementation or inspection phases. 

https://ecovis.lt/digital-operational-resilience-act-dora-managing-ict-risks-from-third-parties/ 

Incident management must function under pressure 

While many institutions have formal incident response procedures, supervisory authorities increasingly assess whether these processes work under real operational stress. 

Key expectations include: 

  • rapid identification and classification of incidents 
  • clear escalation procedures 
  • coordination between technical and management teams 
  • compliance with regulatory reporting timelines 
  • post-incident review and remediation 

The effectiveness of incident management is often fully tested only during real disruption events or during supervisory reviews. 

Testing reveals the real level of resilience 

DORA places significant emphasis on resilience testing, including scenario-based testing and assessment of operational continuity. 

In practice, testing frequently reveals gaps that are not visible in documentation, including: 

  • unclear governance responsibilities 
  • fragmented escalation structures 
  • inadequate third-party coordination 
  • insufficient recovery planning 

Testing should therefore be viewed as a governance and risk validation tool, not a technical exercise. 

Evidence and auditability are becoming decisive 

A growing supervisory trend is the expectation that institutions can demonstrate not only compliance design, but also operational evidence of implementation. 

This includes: 

  • ICT risk assessments 
  • governance meeting records 
  • outsourcing decisions and approvals 
  • incident logs and response actions 
  • resilience testing outcomes 
  • remediation tracking 

Without structured evidence, institutions may struggle to demonstrate compliance even when controls are in place in practice. 

As DORA moves from implementation into enforcement and supervisory assessment, financial institutions must shift their focus from compliance documentation to operational resilience in practice. 

The key differentiator will not be the existence of policies, but the ability to demonstrate that governance, ICT risk management, outsourcing oversight and incident response mechanisms operate effectively under real-world conditions. 

Institutions that approach DORA as a living operational framework — rather than a regulatory exercise — will be significantly better positioned for supervisory scrutiny. 

ECOVIS ProventusLaw expertise 

ECOVIS ProventusLaw advises financial institutions, payment service providers and fintech companies on DORA implementation, ICT governance, outsourcing frameworks, operational resilience, incident management and broader EU financial regulatory compliance. 

About the authors

Loreta Andziulytė is a Partner and Attorney-at-Law at ECOVIS ProventusLaw, heading the firm’s Data Protection, Employment, and Corporate Commercial teams. With over 20 years of experience, she advises on corporate governance, regulatory compliance, GDPR, DORA, and fintech licensing matters. Ranked in FinTech Legal by Chambers and Partners (2020, 2023–2026) and recognised by The Legal 500 in FinTech, Employment, TMT, and Dispute Resolution (2019–2025). Loreta is a Certified Data Protection Expert (CIPP/E). 


Aušvydas Čebatorius is Head of the FinTech Regulatory Group at ECOVIS ProventusLaw. He advises fintech and financial services clients on regulatory licensing and authorisation processes, and on ongoing compliance across EU financial services frameworks. His practice also covers EU law, consumer protection, public procurement, contract law, and financial services litigation. He is recognised as a Rising Star in Financial Services Regulatory by IFLR1000. 
