
Transitioning From "Compliance Checklists" to True Cyber Resilience

Shine Chherekar Shaju
March 16, 2026

The deadline of January 17, 2025, has come and gone. The initial scramble to map assets and update contracts is over, and on paper, the European financial sector appears "DORA-compliant."

But being compliant isn’t the same as being secure. As we wrap up the first year of the Digital Operational Resilience Act (DORA), the grace period is ending. Regulators are moving from "education mode" to "supervision mode," and the focus is shifting from simple paperwork to actual survival in the face of a cyberattack. At Crossbow, we’ve analyzed the first wave of post-implementation challenges. Before we look at the data, we must ask: Are you just checking boxes, or are you actually resilient?


The DORA Mandate

For those viewing this through a strategic lens, DORA is not just an IT checklist; it is a binding framework for business continuity. It mandates that financial entities must withstand, respond to, and recover from all ICT-related threats across five pillars:

  • ICT Risk Management: Governance and internal controls.
  • Incident Reporting: Standardized, high-speed reporting (4-hour window).
  • Digital Operational Resilience Testing: From vulnerability scans to TIBER-EU Red Teaming.
  • Third-Party Risk Management (TPRM): Oversight of critical vendors.
  • Information Sharing: Voluntary exchange of threat intel.

With this framework in mind, here is what we learned in 2025—and where many firms are unknowingly vulnerable.


1. The "Register of Information" Reality Check

The Register of Information (RoI) submission in April 2025 was a wake-up call. Many organizations regarded this as a mere static spreadsheet exercise.

The Insight: DORA requires your RoI to be a living document. In recent audits, regulators have flagged discrepancies between the reported ICT supply chain and the actual usage of shadow IT.

  • The Hidden Risk: If your incident reporting data (Article 17) doesn’t match your asset register, you are effectively flagging your own non-compliance to the regulator.
  • The Course Correction: Shift from manual updates to continuous discovery. Your compliance posture must match your live environment.

2. Incident Reporting: Speed vs. Accuracy

DORA’s strict timeline for reporting major incidents—submitting an initial notification within 4 hours of classification—has posed significant challenges for firms without integrated Security Operations Centers (SOCs).

We observed that a significant number of "late reports" stemmed not from a lack of detection, but from classification paralysis. Teams debated whether an incident was "major" while the clock ticked.

  • Actionable Advice: Update your playbooks with pre-defined "DORA triggers." If a core banking system is down for >X minutes, the decision must be automated. Test the administrative reporting chain, not just the technical fix.
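One way to make such a "DORA trigger" mechanical rather than debated, as an added example that is not code from the article or from Crossbow: a critical service down longer than a threshold is classified "major" automatically, and the classification time fixes the 4-hour initial-notification deadline. The 30-minute threshold stands in for the article's "X" and is an assumption, as are the sample outages.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The 4-hour initial-notification window is the figure the article quotes.
# The outage threshold (the article's "X minutes") is an assumed, tunable
# parameter for this example, not a regulatory number.
INITIAL_NOTIFICATION_WINDOW = timedelta(hours=4)
DEFAULT_OUTAGE_THRESHOLD = timedelta(minutes=30)   # assumed "X"


@dataclass(frozen=True)
class Outage:
    service: str
    critical: bool                      # critical or important function?
    started_at: datetime
    detected_at: datetime
    ended_at: Optional[datetime] = None  # None: still ongoing


def classify(outage: Outage, now: datetime,
             threshold: timedelta = DEFAULT_OUTAGE_THRESHOLD) -> dict:
    """Pre-defined trigger: a critical service down longer than `threshold`
    is 'major' without a human debate. The classification instant then
    determines the reporting deadline. Timestamps are returned as ISO-8601."""
    end = outage.ended_at or now
    if not outage.critical or (end - outage.started_at) <= threshold:
        return {"major": False}
    # The trigger fires when the threshold is crossed, but never before detection.
    classified_at = max(outage.started_at + threshold, outage.detected_at)
    report_by = classified_at + INITIAL_NOTIFICATION_WINDOW
    return {
        "major": True,
        "classified_at": classified_at.isoformat(),
        "report_by": report_by.isoformat(),
        "overdue": now > report_by,     # the administrative chain is late
    }


def run_sample() -> dict:
    """Two constructed outages, both still down, evaluated five hours in."""
    t0 = datetime(2026, 3, 16, 9, 0, tzinfo=timezone.utc)
    core = Outage("core-banking", True, t0, t0 + timedelta(minutes=5))
    wiki = Outage("internal-wiki", False, t0, t0 + timedelta(minutes=5))
    now = t0 + timedelta(hours=5)
    return {"core": classify(core, now), "wiki": classify(wiki, now)}
```

The core-banking outage is classified at 09:30 and must be notified by 13:30; at 14:00 the report is already overdue, which is exactly the gap the article attributes to classification paralysis.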

3. Third-Party Risk is the New Perimeter

Article 28 (ICT Third-Party Risk Management) remains the biggest hurdle. Many firms successfully updated their contracts by January, but they haven't operationalized the monitoring.

Having a "Right to Audit" clause is useless if you never exercise it. In 2026, regulators will likely request evidence of ongoing monitoring of critical third-party providers (CTPPs), rather than just reviewing signed contracts.


4. Looking Ahead to 2026: Proving Effectiveness

If 2025 was the year of "checking the box" on implementation, 2026 is the year of proving operational effectiveness. The regulators' "education phase" is concluding, and the focus is shifting toward whether your resilience framework can survive a real-world stress test.

The TLPT Countdown: From Theory to Practice

For entities designated as "Significant," the three-year window for Threat-Led Penetration Testing (TLPT) is now officially open. Unlike standard vulnerability scans, these TIBER-EU-style exercises are rigorous, intelligence-led simulations of actual adversary tactics.

  • The Challenge: These exercises are not "off-the-shelf" tests. They require months of meticulous scoping, threat intelligence gathering, and coordination with external providers.
  • The Mandate: If you are within the scope for TLPT, 2026 is the year to move from planning to execution. Waiting until year three of the cycle creates a bottleneck that could leave you exposed—and out of compliance.

Article 5: The Boardroom is the Front Line

DORA is unique because it pushes ICT risk out of the basement and into the boardroom. Article 5 mandates that the Management Body holds ultimate responsibility for the entity’s ICT risk management.

  • The "Paper" Trap: Many firms have updated their governance documents, but few have actually tested their leadership's response to a crisis.
  • The Requirement: Regulators are looking for evidence of a "Resilience Culture." This means conducting high-level Board Tabletop Exercises. If your Board hasn't sat through a simulated systemic outage or a sophisticated ransomware scenario this year, you are likely failing the governance requirements of DORA.

Conclusion: From Compliance to Capability

DORA is not a "set and forget" regulation; it is a blueprint for survival in an increasingly hostile digital landscape. If your organization is still treating it as a one-time compliance checklist, you are vulnerable not just to regulatory fines, but to the very systemic threats DORA was designed to mitigate.

As we move into Year Two, the focus shifts from documentation to demonstration. It is time to stress-test your resilience before the regulators or an adversary does it for you.
