DORA has now had a full operating year. The institutions that read it as compliance produced compliant paper. The institutions that read it as operating-model work are getting a different result.
The Digital Operational Resilience Act is not a cyber regulation. It is an operating-model regulation, and the firms treating it that way are quietly opening a real capability gap.
The compliance reading of DORA produces an ICT risk framework, a third-party register, a testing programme, and an incident reporting protocol. All necessary. All visible to the regulator. None, on its own, materially changes the firm's resilience posture.
The operating-model reading of DORA asks a deeper question: are our critical business services genuinely independent of single points of failure across providers, geographies, and infrastructure layers? The answer in most institutions is no — and DORA is the first regulation to ask the question in a way that forces a real answer.
Eighteen months in, three gaps are now visible in supervisory feedback. First, third-party concentration. Many firms have technically diversified ICT providers but operationally depend on a handful of hyperscale and SaaS counterparties whose failure would cascade. Regulators are starting to ask about this directly.
Second, scenario testing depth. Firms that scripted clean scenarios for their resilience exercises are now being asked for adversarial ones — ransomware encryption of critical infrastructure, provider insolvency, simultaneous regional outage. Third, board engagement. The DORA expectation that operational resilience is a board-level matter has not yet produced the board cadence and authority that genuinely matches it in most firms.
For institutions catching up, three moves matter most. First, map critical business services against actual provider concentration, not contractual diversification. Second, redesign scenario testing around realistic adversarial conditions, with explicit board involvement. Third, build the board's operational resilience cadence into the year-end calendar — a documented, exercised, evaluated process, not a memo.
Institutions that do this are producing real uplift. The ones that do not will be re-litigating it with the regulator in 2027.
This is the kind of problem we work on. If you are leading a DORA programme that has produced compliance evidence but limited resilience uplift, the team at Grant & Graham would be pleased to talk. We provide operational resilience advisory and board-level transformation to COOs, CROs, and audit committees across regulated financial services. Contact us.