When the Digital Operational Resilience Act (DORA) became fully applicable on 17 January 2025, it marked a turning point for the EU financial sector. For years, institutions had relied heavily on digital infrastructure and third-party providers, often without fully appreciating the systemic risks this dependency created. Then came a wake-up call: high-profile cyberattacks, cloud outages, and cascading ICT failures exposed vulnerabilities that could disrupt markets and erode trust overnight.
DORA was Europe’s answer—a harmonized framework designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. But the journey didn’t end with its adoption. One year later, firms are navigating a new wave of obligations under Delegated Regulation (EU) 2025/532, which drills deeper into subcontracting risks, and updated outsourcing guidelines from the ECB and ESMA that redefine governance expectations. Supervisory authorities are raising the bar, demanding not just compliance but demonstrable resilience.
For Wealth & Asset Management firms, this is more than a regulatory exercise—it’s a strategic inflection point. Lean operating models, global outsourcing chains, and legacy contracts make compliance challenging. Yet, these same pressures create opportunities: to modernize ICT risk frameworks, embed resilience into enterprise governance, and leverage technologies like AI to turn complexity into competitive advantage.
The question is no longer “How do we comply?” but “How do we thrive in a digital-first, risk-aware world?” This article explores what DORA means one year on, the challenges firms face, and the steps they can take to transform compliance into resilience.
Why DORA Matters
DORA was designed to address a growing vulnerability in the financial ecosystem: the increasing reliance on digital infrastructure and third-party ICT providers. Cyberattacks, cloud outages, and supply chain disruptions have demonstrated that operational resilience is not optional—it is essential for business continuity and regulatory compliance.
The recent POST Luxembourg cyberattack in July 2025 underscores exactly why DORA was introduced—to safeguard financial institutions against systemic ICT vulnerabilities and ensure operational resilience in an era of growing digital dependencies. POST Luxembourg suffered a major technical outage caused by an exceptionally advanced cyberattack. The attack disrupted services nationwide, prompting the government to convene a crisis unit on 25 July 2025. While no data was exfiltrated, the incident highlighted the systemic risk posed by ICT vulnerabilities and the urgent need for robust resilience frameworks under DORA. [gouvernement.lu]
DORA’s Five Pillars
DORA’s framework is structured around five core pillars that define operational resilience. Each pillar is not just a concept but a set of enforceable requirements:
- ICT Risk Management Framework: Financial entities must establish governance structures, policies, and controls to manage ICT risks effectively.
- ICT Incident Reporting: Institutions are required to report major ICT-related incidents to competent authorities using standardized templates.
- Digital Operational Resilience Testing: Regular testing, including threat-led penetration testing (TLPT), ensures systems can withstand sophisticated cyberattacks.
- ICT Third-Party Risk Management: Firms must maintain a comprehensive register of ICT service providers and implement contractual safeguards.
- Information Sharing: Entities are encouraged to share cyber threat intelligence within trusted networks to strengthen collective resilience.
Delegated Regulation (EU) 2025/532 Explained
As the Digital Operational Resilience Act (DORA) entered into force, the European Commission recognized the need for additional clarity on one of its most complex areas: ICT outsourcing and subcontracting. To address this, Delegated Regulation (EU) 2025/532 was adopted on 2 July 2025 and became applicable on 22 July 2025. This regulation introduces detailed Regulatory Technical Standards (RTS) that define how financial entities must manage subcontracting chains for ICT services supporting critical or important functions. Its purpose is to close oversight gaps, ensure transparency, and strengthen resilience across increasingly interconnected ICT ecosystems. By setting clear conditions for subcontracting, the regulation reinforces accountability and operational continuity in a sector where third-party dependencies are growing rapidly. Key obligations include:
- Full visibility of subcontracting chains: Financial entities must identify and assess all subcontractors involved in delivering critical ICT services.
- Enhanced due diligence: Institutions must evaluate subcontractors’ operational resilience, location, and compliance posture.
- Mandatory contractual clauses: Contracts must include audit rights, termination provisions, and notification obligations for changes in subcontracting.
- Exit strategies: Firms must define clear steps to terminate arrangements if subcontractors pose unacceptable risks. [eur-lex.europa.eu], [lexology.com], [wizards.io]
Guidelines on Outsourcing to Cloud Service Providers
July 2025 marked a pivotal moment for cloud governance as the ECB and ESMA unveiled updated outsourcing guidelines, signaling a new era of resilience and accountability in financial services:
- ECB Guide (24 July 2025): Sets supervisory expectations for governance, resilience, and exit strategies for banks outsourcing to CSPs.
- ESMA Guidelines: Revised scope applies only to UCITS and AIF depositaries outside DORA’s remit.
Both documents emphasize continuous monitoring, business continuity, and audit rights, aligning with DORA’s principles. [esma.europa.eu]
Challenges for Wealth & Asset Management Firms
For Wealth & Asset Management firms, DORA compliance is not just a regulatory requirement—it is a strategic challenge. These firms often operate with lean structures, making the implementation of complex ICT risk frameworks particularly demanding.
Key Challenges and how to tackle them (and how AI can help):
- Resource Constraints:
  - Smaller firms lack dedicated ICT risk teams, increasing reliance on external consultants.
  - Build internal awareness and leverage managed services or co-sourcing models. Consider partnerships with specialized ICT risk providers to reduce cost and complexity.
  - Use Virtual Compliance Assistants (AI-driven tools) to guide staff through regulatory requirements without needing large dedicated teams.
- Third-Country Dependencies:
  - Outsourcing to non-EU providers complicates compliance with the subcontracting RTS.
  - Map all non-EU providers and assess compliance gaps. Negotiate contractual clauses aligned with the DORA RTS, and implement contingency plans for critical services.
  - Leverage AI to evaluate geopolitical and operational risks of non-EU providers using real-time data feeds.
- Contract Remediation:
  - Legacy agreements rarely include DORA-mandated clauses, requiring extensive renegotiation.
  - AI can flag non-compliant clauses and suggest standardized language for remediation. Machine learning models can process hundreds of contracts quickly, reducing manual workload.
- Proportionality Ambiguity:
  - Applying proportionality without breaching compliance obligations remains unclear.
  - Document your proportionality approach clearly—justify scaled measures based on size, complexity, and risk profile. Align with CSSF guidance and industry best practices.
  - AI can simulate risk exposure under different proportionality strategies to justify decisions.
- Operational Complexity:
  - Integrating ICT risk into enterprise-wide frameworks demands cultural and structural change.
  - Integrate ICT risk into enterprise risk frameworks (COSO ERM, NIST CSF). Establish governance at board level and embed resilience metrics into performance dashboards.
  - AI-powered dashboards consolidate ICT risk metrics, enabling real-time monitoring and board-level reporting.
Opportunities Beyond Compliance
While DORA introduces significant obligations, it also opens the door for firms to transform compliance into a strategic advantage. Rather than viewing these requirements as a burden, forward-thinking organizations are leveraging them to strengthen resilience, build trust, and accelerate innovation.
1. Harmonized Standards
DORA eliminates regulatory fragmentation across EU jurisdictions, creating a single, consistent framework for ICT risk management. This harmonization reduces complexity for cross-border operations and enables firms to streamline governance processes.
2. Enhanced Client Trust
Operational resilience is no longer a back-office concern—it’s a front-line differentiator. Demonstrating robust ICT risk management reassures clients and investors that their assets are protected against cyber threats and operational disruptions. In an era where trust drives growth, resilience becomes a competitive edge.
3. Innovation Catalyst
Compliance can be a springboard for digital transformation. By adopting AI and automation tools for monitoring, reporting, and contract remediation, firms can reduce manual effort and improve accuracy. These technologies not only meet regulatory expectations but also free resources for strategic initiatives.
Recently, a Luxembourg-based entity implemented AI-driven contract review tools to address subcontracting requirements under Delegated Regulation (EU) 2025/532. The result? A 40% reduction in remediation time, enabling the firm to redirect legal and operational teams toward higher-value projects such as client onboarding and product innovation.
4. Integrated Risk Management
DORA encourages firms to embed ICT risk into enterprise-wide frameworks like COSO ERM and NIST CSF. This integration ensures that technology risks are considered alongside credit, market, and operational risks, creating a holistic view of resilience. Boards gain better visibility, and decision-making becomes more informed and proactive.
Competent Authorities’ Expectations
In Luxembourg, the CSSF and CAA enforce DORA compliance. Non-compliance can result in:
- Administrative fines up to EUR 5,000,000 for natural persons.
- Up to EUR 5,000,000 or 10% of annual turnover for legal entities.
Public disclosure of sanctions may also apply, amplifying reputational risk.
From obligation to opportunity: Building resilience for the digital future
One year after DORA’s implementation, the challenge is shifting from compliance to resilience:
1. Embed ICT Risk into Enterprise Governance
- Integrate ICT risk into frameworks like COSO ERM and NIST CSF.
- Ensure board-level accountability with clear reporting lines and KPIs.
2. Strengthen Third-Party Risk Management
- Maintain a comprehensive register of ICT service providers and subcontractors.
- Implement continuous monitoring tools for outsourcing chains.
- Develop robust exit strategies for critical services.
3. Leverage AI and Automation
- Use AI-driven contract analysis to identify and remediate non-compliant clauses.
- Deploy predictive analytics for early detection of ICT vulnerabilities.
- Automate incident reporting and compliance checks to reduce manual effort.
4. Build a Culture of Resilience
- Conduct regular training for staff and leadership on ICT risk awareness.
- Embed resilience metrics into performance dashboards and risk appetite statements.
5. Prepare for Supervisory Engagement
- Align documentation with CSSF and CAA expectations.
- Test resilience through threat-led penetration testing (TLPT) and scenario exercises.
- Establish clear escalation and communication protocols for ICT incidents.
How EY Can Help
Navigating DORA’s complex requirements demands more than compliance—it requires strategic transformation. EY Luxembourg offers end-to-end support to help firms turn regulatory obligations into resilience and competitive advantage.
1. Gap Analysis & Roadmap Design
- Assess current ICT risk frameworks against DORA requirements.
- Develop a tailored roadmap for compliance and operational resilience.
2. ICT Risk Framework Implementation
- Align governance structures with CSSF and CAA expectations.
- Integrate ICT risk into enterprise-wide frameworks such as COSO ERM and NIST CSF.
3. Third-Party Risk Management (TPRM)
- EY Managed Services for TPRM:
  - Continuous monitoring of third-party and subcontractor risks.
  - Automated risk scoring and alerts for critical ICT providers.
  - Vendor onboarding and due diligence workflows managed by EY experts.
- Creation of comprehensive registers of ICT service providers.
- Contract remediation support, including AI-driven clause analysis.
4. AI & Automation Solutions
- Deploy AI tools for contract review, compliance checks, and predictive analytics.
- Implement automated incident reporting and resilience dashboards.
5. Resilience Testing & Supervisory Readiness
- Conduct threat-led penetration testing (TLPT) and scenario-based exercises.
- Prepare documentation and evidence for CSSF/CAA inspections.
6. Training & Awareness
- Board-level workshops on ICT risk governance.
- Staff training programs to embed a culture of resilience.
EY’s approach transforms compliance into resilience, enabling firms to meet regulatory expectations while building trust and competitive advantage.