The First 12 Months of DORA: Enforcement Ramps Up as Data Sovereignty Takes Centre Stage

By Sean Tilley, Senior Director of Sales EMEA at 11:11 Systems.

Thursday, 16th April 2026. Posted by Sophie Milburn.

Over the past few years, the regulatory landscape has been steadily intensifying. Rather than sudden changes or dramatic pivots, what we’ve seen is a consistent tightening of expectations as authorities push firms toward higher levels of operational maturity. While the core regulatory principles have remained relatively stable over the past year, the introduction of frameworks such as the EU’s Digital Operational Resilience Act (DORA) and the NIS2 Directive reflects a clear upward trajectory. These developments don’t rewrite the rulebook, but they do raise the bar by adding structure, clarity, and new layers of accountability. Together, they signal a regulatory environment that is becoming more assertive, more interconnected, and more focused on ensuring that organisations can demonstrate genuine resilience rather than simply declare it.

Too often, organisations underestimate the significance of new regulations, yet scrutiny in this space is likely to keep increasing. DORA, in particular, places clear responsibility on service providers to demonstrate that they can meet operational and resilience standards. In the 12 months since it became applicable on 17 January 2025, DORA has crossed an important threshold. For years it existed mostly as a looming deadline, a complex regulatory framework that financial institutions and their technology partners were preparing for, debating, and in some cases ignoring. That preparatory phase is now firmly behind us.

That shift has brought a noticeable change in tone across the industry. What once felt like a distant compliance horizon has become a present‑day operational reality. Firms are no longer asking what DORA will require; they’re asking whether their systems, processes, and suppliers can withstand the scrutiny that is now beginning to intensify.

One of the most significant developments in this period was the arrival of the Delegated Regulation on Subcontracting, which came into effect on 22 July 2025. It may not have generated headlines outside regulatory circles, but it matters enormously: it fills in the final missing details of how subcontracting chains, especially those supporting critical or important functions, must be governed. In practical terms, financial entities can no longer rely on vague assurances from their service providers about downstream dependencies; they need to know which subcontractors sit beneath a provider, what each one does, and how it is monitored. The rules are now explicit, enforceable, and active. With this, the DORA framework is essentially complete.

Against this backdrop, data sovereignty has rapidly become one of the most sensitive and strategically important dimensions of DORA compliance. As financial institutions deepen their reliance on cloud services, shared infrastructures, and increasingly complex technology supply chains, the question of where data resides, and who ultimately has control over it, has moved to the centre of regulatory and operational discussions.

For EU‑based data, the expectations remain uncompromising: it may leave the EU only where GDPR's transfer safeguards are in place, and organisations must be able to demonstrate full visibility and control over its location at all times. GDPR continues to anchor these obligations, but DORA adds an operational layer by forcing firms to interrogate their providers' architectures, subcontracting arrangements, and data‑handling practices in far greater depth. As data flows through multi‑tenant environments and distributed systems, the burden on both providers and customers to maintain clarity, accountability, and lawful processing has never been higher. In many ways, data sovereignty has become the backbone of operational resilience, because without certainty about where data lives, no organisation can credibly claim to be resilient.

Supervisory authorities across Europe aren't wasting any time either. The ECB, BaFin and the Banque de France, and in the UK the FCA under its own operational resilience regime, have all signalled that operational resilience will be a central theme of their oversight in 2026. Their messaging has been consistent: DORA is not a box‑ticking exercise, and compliance will not be judged solely on the existence of policies. What matters is whether firms can demonstrate real, measurable resilience in the face of technology disruptions. Incident reporting processes, risk management frameworks, and third‑party oversight arrangements are already coming under closer examination.

In parallel, the European Insurance and Occupational Pensions Authority (EIOPA) has brought additional clarity by publishing its DORA Oversight Guide. The guide explains how supervision of third‑party service providers will work in practice, including the role of the "Lead Overseer", the European supervisory authority assigned to oversee each ICT provider designated as critical, a concept that has raised both interest and concern among providers. Overall, it gives firms a better sense of what to expect and reinforces that oversight will be active, coordinated, and increasingly driven by data.

Yet despite all this regulatory momentum, the industry’s readiness tells a different story. A major survey published in August 2025 revealed that 96% of European financial institutions do not yet feel fully resilient under DORA’s standards. Many cite budget pressures, rising supplier costs, and the sheer complexity of mapping and managing subcontracting chains. Others point to the strain on IT and security teams, who are being asked to deliver resilience at a scale and pace that outstrips available resources. This is echoed in 11:11 Systems’ global survey of 800+ IT leaders, where 46% of respondents said the complexity of planning cyber incident recovery is their biggest challenge. The result is a widening gap between regulatory expectations and operational reality, a gap that may soon become visible in supervisory findings.

Taken together, the last 12 months have marked a turning point. DORA has moved from concept to practice, from preparation to enforcement. The regulatory framework is complete, supervisors are mobilising, and the industry is still finding its footing. For financial institutions and service providers alike, the message is clear: operational resilience is no longer a future ambition. It is a present‑day obligation, and the scrutiny is only going to increase.


In summary, this signals a clear shift:

  • The regulatory framework is now complete; we’re no longer waiting for missing parts.
  • Supervisors are moving into enforcement mode.
  • Subcontracting chains and third‑party oversight are the hottest areas of scrutiny.
  • Incident reporting expectations are now fully defined and active.
  • Most firms are behind, so regulators may take a pragmatic but firm approach.

Now it is abundantly clear that the window for preparation has closed, and the time for demonstrable resilience has arrived.
