      With the Digital Operational Resilience Act (DORA), the European Union is requiring financial service providers to improve their operational resilience—but what is the current situation in practice? 

      In collaboration with the market research firm Lünendonk, we conducted a survey asking industry participants to assess their own readiness. Around 100 banks, insurance companies, and information and communication technology (ICT) service providers were surveyed for this purpose. The results are remarkable.

      DORA Implementation at Financial Institutions: Study Highlights the Need for Action

      The current situation reveals a significant discrepancy: at 97 percent, nearly all financial service providers surveyed consider digital resilience to be important by 2028—but only 12 percent rate their own level of maturity as “very high.” This underscores the need for action—and DORA requires robust evidence rather than isolated measures. The survey also shows that while many initiatives have been launched at the operational level within companies, they have not yet been consistently embedded. In many places, DORA has not yet been fully integrated into the organizational structure, with consequences for verifiability and control capabilities.

      Lünendonk® Study: Digital Resilience in the Financial Sector – Status of DORA Implementation and Developments in Artificial Intelligence

      We are analyzing the current state of the industry based on a survey. A key finding: there is room for improvement in many areas. Get the results, analysis, and practical tips now. 



      A concise overview of the study results

      Regular compliance checks are in place at 83 percent of the companies surveyed; 56 percent conduct scenario-based end-to-end tests, and 64 percent regularly track performance using KPIs. It is now essential to consistently translate test results into key performance indicators. 


      For 71 percent of respondents, DORA-related processes are either fully or largely integrated into their internal control system (ICS), and for 73 percent, into their operational risk management. Where this integration is lacking, gaps emerge in the ability to provide evidence and in the speed of decision-making. 


      61 percent see risks of dependency, and 82 percent are already involving third-party ICT providers in their resilience measures.

      Following the ECB’s example, 33 percent have already conducted cyber resilience stress tests, 34 percent plan to do so, and 26 percent have not put it on their agenda. The level of maturity increases noticeably when end-to-end testing and customer/provider integration are combined. 

      Currently, only 22 percent consider AI-supported processes to be of great importance; by 2028, 80 percent expect them to be highly significant. While AI has been used only to a limited extent in business-critical processes so far, the trend is rising sharply. As a result, 73 percent are focusing on establishing AI governance and compliance. 

      Just under half of companies still rely on Excel for DORA, while low-code platforms such as the Microsoft Power Platform enable fast, secure, and scalable implementation.


      Our experts analyze the survey results in the study and provide recommendations for the comprehensive implementation of DORA in financial institutions. 


      Your Contact

      Peter Hertlein

      Partner, Financial Services, IT Compliance & Cyber resilience

      KPMG AG Wirtschaftsprüfungsgesellschaft

      Vaike Metzger

      Partner, Financial Services, Solution Lead IT Compliance & Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft