DORA Challenges: Financial Sector Faces Hurdles in Cyber Resilience Compliance
January 17, 2025
DORA also mandates that financial entities maintain a comprehensive registry of contracts with third-party IT service providers, which impacts how various financial service providers operate in the region.
Concerns have been raised by industry experts, such as Cathy Yoon from Wormhole Foundation, regarding the ability of smaller service providers and startups to meet DORA compliance due to limited capital.
As smaller organizations increasingly rely on external service providers for compliance management, they may face additional costs and risks.
DORA's proportionality principle allows compliance requirements to be tailored based on an organization's size and complexity, potentially easing the burden on smaller firms.
Larger financial institutions are generally expected to adapt to DORA requirements more quickly than their smaller counterparts.
A recent survey indicated that 43% of UK financial services firms are not fully compliant with DORA, citing barriers such as insufficient prioritization and a lack of skills.
Non-compliance with DORA could lead to serious repercussions, as central banks will supervise adherence to the regulation and enforce sanctions.
Compliance costs have been significant, with nearly half of organizations spending over €1 million in the past two years to meet DORA and other regulatory measures.
Organizations will also need to navigate additional cybersecurity regulations, such as the Network and Information Security Directive 2 (NIS 2) and the Cyber Resilience Act, which impose new requirements alongside DORA.
The Digital Operational Resilience Act (DORA) is a significant European regulation designed to enhance IT risk management and bolster resilience against cyber threats in financial organizations.
A critical aspect of DORA is the requirement for businesses to report significant incidents within 24 hours, emphasizing the need for improved incident reporting protocols.
The World Economic Forum's 2025 Global Security Outlook noted an 8% increase in the cybersecurity skills gap since 2024, complicating compliance efforts for many firms.
Summary based on 10 sources
Sources

TechRadar pro • Jan 18, 2025
“Rehearse, rehearse, rehearse” - is your business doing enough on DORA compliance?
International Business Times • Jan 17, 2025
Expert Take: Fireblocks Legal Chief Explains DORA's Positive Impact On Crypto Frameworks
CSO Online • Jan 17, 2025
EU’s DORA could further strain cybersecurity skills gap