Four months into full applicability (DORA has applied since 17 January 2025), the Digital Operational Resilience Act is proving more complex than many institutions anticipated. Financial entities are navigating a fast-evolving regulatory landscape shaped by uneven supervisory readiness across member states, a still-expanding body of technical standards, and rising expectations from counterparties and the market.
Key takeaways:
* DORA is not a one-off compliance checklist. It is a multi-phase transformation touching governance, ICT third-party risk, cyber resilience and operational continuity.
* Mapping critical or important functions, the business processes behind them and the ICT assets and third-party services they depend on is now foundational; risk assessment, contract remediation and testing scope all build on that map.
* Third-party risk management must go beyond tick-box audits. Dynamic oversight of providers and contract readiness are essential; DORA's mandatory contractual provisions apply to every ICT third-party provider, with cloud providers the most exposed case.
* Operational resilience testing, including Threat-Led Penetration Testing (TLPT) for the entities their supervisor designates, requires new levels of maturity and coordination with testers, regulators and the third parties in scope.
* Compliance must shift from paper to practice: evidence should come from automated controls, regular testing and exercised incident response, not from policy documents alone.
Strategic priorities for 2025–2026:
* Focus on business-critical ICT dependencies
* Strengthen third-party risk management
* Engage proactively with regulators
* Operationalise continuous compliance
Institutions that embed resilience in how they operate, rather than merely demonstrating compliance on paper, will gain a durable advantage.