The assumption has expired

For a long time, 2026 was treated as a transition year for DORA. Many organisations assumed there would be additional time to interpret requirements, mature internal processes, and gradually align documentation. That assumption no longer reflects regulatory reality.

DORA is no longer a future requirement — it is already here. Across the EU, auditors are actively reviewing financial institutions, and expectations are clear: operational resilience, ICT risk control, and audit-ready documentation must already be in place.

This applies equally to large institutions and to MiCA-regulated microenterprises and SMEs. Proportionality is allowed. Lack of structure is not.

DORA has been fully applicable since 17 January 2025. There was no grace period then, and there is no transition period now. Supervisory activity in 2025 has confirmed that national competent authorities (NCAs) are not waiting for firms to catch up; they are checking whether you are already there.

Where DORA becomes difficult

For many firms, the challenge is not understanding what DORA requires. The challenge is executing against it. Common issues include:

  • Manual compliance processes that are slow, fragmented, and error-prone — producing documentation that doesn't hold together under scrutiny
  • Generic consultants who deliver regulatory theory but not documentation that can be defended in an actual audit
  • No clear baseline — teams spend weeks discussing interpretation while remaining uncertain about their actual exposure

The result is effort without outcome: work is done, but the firm is no more defensible than before.

The missing step: know where you stand

Before tools, templates, or expert support, there is one essential first step — understanding where you stand today. Without a clear baseline, DORA efforts tend to be inefficient. Time and budget are spent broadly instead of being focused on what regulators actually expect.

A structured DORA readiness assessment provides that baseline. In practice, it allows organisations to:

  • Quickly assess current DORA readiness across all five pillars
  • Identify gaps in governance, ICT risk management, resilience, and documentation
  • Prepare internally before audits or regulatory reviews
  • Focus time and budget only where it is genuinely needed

Most teams waste weeks guessing. A checklist-based approach provides a clear baseline in minutes — and turns a vague anxiety into a specific remediation list.

From baseline to execution

Once you have clarity on your gaps, DORA typically becomes an execution and documentation challenge rather than an interpretative one. At this stage, organisations most commonly need to:

  • Align existing policies with DORA-specific requirements — particularly ICT risk management and incident classification
  • Formalise operational resilience practices that may already exist informally but are not documented
  • Produce documentation that is consistent, traceable, and audit-ready — not just present, but defensible
  • Back up written compliance with evidence: test results, business impact analysis (BIA), audit reports, and review records

The evidence gap is the most common finding. Firms often have policies in place but cannot show that those policies are being followed, tested, or reviewed. Supervisors do not take policies on faith — they ask for proof.

Compliance is not a one-off project

DORA should not be treated as a box to tick before a deadline. Operational resilience is a continuous regulatory obligation that requires periodic review, testing, and improvement. Establishing a clear baseline today allows organisations to:

  • Prioritise remediation efforts realistically against actual regulatory exposure
  • Allocate internal and external resources where they have the most impact
  • Demonstrate progress over time — which is itself evidence supervisors value
  • Maintain audit-ready documentation as supervisory expectations evolve through 2026 and beyond

As regulatory scrutiny increases, organisations that approach DORA systematically — starting with clarity about where they stand — will be better positioned to respond. Those who wait for a specific supervisory prompt will be responding from behind.

Start with the checklist to find your gaps. Then use the documentation set to close them: pre-mapped to the RTS/ITS, scoped for microenterprises, built for real audits.