DORA Lessons Learned: Real-World Insights from the FinTech Berlin Conference

At this year’s FIBE Conference, one panel took a deep dive into the Digital Operational Resilience Act (DORA) and its real-world impact on financial institutions across Europe. The conversation brought together industry leaders, compliance officers, and regulators to share experiences, challenges and, most importantly, lessons learned during early implementation. While the regulation marks a major step forward in harmonising cybersecurity and resilience standards across the EU, the transition hasn’t been without friction.

From contract management headaches to resource scarcity and the elusive task of ICT provider classification, the discussion painted a clear picture of the road ahead. Here are some of the most valuable DORA lessons financial institutions can take away from the panel.

DORA Builds on Existing Frameworks, but Pushes Further

One of the clearest messages from the panel was that DORA didn’t arrive in a vacuum. In countries like Germany and France, institutions were already operating under stringent national frameworks, such as MaRisk and EBA guidelines. DORA, however, brings a unified European approach and introduces additional layers of scrutiny and responsibility.

The challenge? Figuring out what’s truly new. For many institutions, the biggest hurdle has been identifying what needs to change in their current setup, especially in areas like contract management and outsourcing documentation.

“The institutions didn’t start from zero,” one speaker noted. “But the question became: where do we need to shift?”

Small Institutions Face Disproportionate Burdens

DORA may be proportionate in theory, but in practice, smaller firms are struggling to keep up. Unlike large banks with robust compliance departments, smaller institutions often have only a handful of ICT providers and fewer resources to support added layers of due diligence, documentation, and classification.

Some smaller ICT providers, especially those not exclusively serving the financial sector, have even opted to exit the market entirely, as the costs are too high to stay DORA-compliant.

This ripple effect leaves smaller financial institutions scrambling either to find alternative providers or to bring ICT services in-house, which in turn requires more hiring, training, and time.

ICT Classification Remains a Grey Area

Another recurring theme was confusion around the classification of ICT service providers. For example, is a real estate data provider using an online platform considered an ICT provider under DORA? What about a vendor that simply facilitates access to non-critical data?

The lack of clarity is causing headaches, especially when vendors refuse to sign DORA-compliant contract amendments or share data that the regulation demands. The result is that institutions are caught between compliance obligations and limited leverage over their service providers.

Cultural Change Is as Important as Compliance

Perhaps one of the most important DORA lessons discussed was the need for a mindset shift within organisations. Technical compliance is only half the battle; the other half is cultural.

Engineers, for example, often resist heavy documentation and gatekeeping processes. The industry needs to share working strategies to engage these teams, such as breaking requirements into digestible “waves” or work packages. The key is to make the work manageable and explain why it matters—not just what needs to be done.

This cultural shift will take time, but it’s essential. As one speaker put it, “You can comply with DORA on paper, but unless your teams truly embrace cyber resilience, you won’t be operationally ready.”

Supervisory Support and Dry Runs Are Driving Progress

One bright spot in the DORA journey has been the level of support from regulators. Supervisory authorities like BaFin and the EBA have provided detailed guidance, regular FAQs, workshops, and even a “dry run” simulation in 2024 for the ICT third-party information register.

More than 1,000 financial entities participated in the dry run, offering valuable feedback that influenced regulatory updates—including the acceptance of additional identifiers beyond just the LEI code.

This shows that the regulation is evolving through real-world testing and feedback, which is an encouraging sign for institutions still navigating their implementation roadmaps.

DORA Lessons for the Road Ahead

Looking forward, panellists agreed on one key point: DORA implementation is not a one-and-done exercise. It’s a continuous process that must evolve alongside the fast-paced digital landscape.

Key takeaways for the next three years include:

  • Emphasising awareness and education
    Many professionals across the digital value chain are still unaware of DORA’s scope and implications. Financial literacy and cybersecurity education must be prioritised.
  • Bringing regulators closer to the ground
    Regulators need to engage directly with practitioners and engineers to understand real pain points, not just dictate rules from above.
  • Investing in talent
    Financial institutions must continue hiring smart tech and cybersecurity experts to drive resilience from within.
  • Promoting collaborative threat sharing
    While Article 45 of DORA makes threat information sharing voluntary, many believe mandatory reporting would better serve systemic resilience.

A Foundation for Resilience, But Still a Work in Progress

DORA is clearly pushing the industry in the right direction—toward stronger operational resilience, better cyber threat management, and greater transparency across the ICT landscape. But as the FIBE panel highlighted, the lessons from DORA are as much about adaptation and collaboration as they are about compliance.

With the right balance of regulatory support, cultural change, and cross-sector cooperation, DORA can become more than just a compliance checkbox. It can be a foundation for a truly resilient digital financial ecosystem.