The "honeymoon" period for the Digital Operational Resilience Act (DORA) has officially come to an end. As we move through 2026, the initial wave of audits conducted by National Competent Authorities (NCAs) has sent a clear message: the European Union is no longer satisfied with compliance that only exists on paper. For financial entities and their critical ICT service providers, the focus has shifted from "Are you ready?" to "Prove that you can survive."
The first year of active enforcement has revealed significant gaps in how firms interpret resilience. While many organizations successfully updated their policy manuals in 2025, the reality of live testing and rigorous incident reporting has caught several off guard.
Here are the critical lessons learned from the first wave of DORA audits and how to ensure your firm remains on the right side of the regulator.
The Gap Between Policy and Practice
One of the most frequent findings in recent audits is the "documentation delusion." Many firms presented auditors with beautifully crafted ICT Risk Management Frameworks that looked perfect in a PDF but failed to translate into operational reality. Auditors are now looking for "evidence of life" for these policies.
It is not enough to say you have a disaster recovery plan; you must show the logs of the drills, the results of the post-mortem analysis, and the subsequent changes made to the system based on those findings. If your board of directors hasn’t seen a resilience report in the last six months, your firm is likely failing the DORA governance requirement. Resilience must be a top-down culture, not just an IT checklist.
The Third-Party Blind Spot
DORA changed the game by bringing critical third-party ICT providers directly into the regulatory fold. However, the first wave of audits showed that many financial firms still struggle with "concentration risk." They rely on a single cloud provider or a niche software vendor without a viable "exit strategy" or a multi-vendor fallback.
Auditors are now scrutinizing the "register of information" concerning third-party providers. Many firms failed because their registers were incomplete or because their contracts lacked the "right to audit" clauses required by the Act. In 2026, your vendors are effectively part of your perimeter. If they aren't resilient, the regulator views you as vulnerable.
The 24-Hour Reality: Incident Reporting
The timeline for reporting major ICT-related incidents is one of DORA’s most punishing aspects. The requirement to provide an initial notification within 24 hours of detection has proven to be a major hurdle.
Early audit lessons show that firms often lack the internal "triage" capability to distinguish between a routine glitch and a "major" incident fast enough to hit the 24-hour window. Firms that rely on manual reporting chains are failing. The successful ones have implemented automated incident classification systems that alert both the CISO and the legal team simultaneously, so that the regulatory clock doesn't run out while someone is waiting for an email response.
From Basic Testing to Threat-Led Penetration Testing (TLPT)
While basic vulnerability scanning is now standard, DORA’s requirement for "Advanced Testing" or Threat-Led Penetration Testing (TLPT) is where many firms stumbled in 2026. This isn't just a standard "pen test"; it is a sophisticated, red-team exercise that simulates real-world attacks.
Common pitfalls identified in the first wave include:
- Lack of Scope: Testing only the "easy" systems while ignoring the legacy core banking apps.
- Poor Remediation Tracking: Finding the holes but failing to document exactly how and when they were patched.
- Inadequate Threat Intelligence: Running tests based on generic threats rather than the specific actors currently targeting the European financial sector.
Conclusion: Turning Compliance into Confidence
The first wave of DORA audits has been a wake-up call, but it also offers an opportunity. Firms that view DORA as a strategic roadmap rather than a regulatory burden are finding that they are not only more compliant but also more competitive. In a digital-first economy, the most resilient firm is the most trusted firm.
The lessons are clear: automate your evidence collection, tighten your vendor relationships, and move from "planning to be resilient" to "proving it every day."
Ready to see how your current resilience framework stacks up against the lessons from the first wave of DORA audits? Let's talk about mapping your path to audit-ready maturity.
