Eliminating the Hidden Costs of DORA

5 Pillars of DORA

DORA focuses on five key compliance areas: transforming ICT risk management into a proactive discipline, establishing clear incident reporting procedures, conducting regular digital operational resilience testing, strengthening oversight of third-party providers, and enabling voluntary information sharing on cyber threats.

In February of 2025, a focused survey was sent to 354 organizations across the financial and insurance sectors. The goal? To better understand how well-positioned companies in these industries are when it comes to complying with DORA. 

Compliance with DORA is non-negotiable. Non-compliant organizations can incur fines up to 2 % of their global annual turnover or €10m, whichever is higher.

The survey targeted professionals responsible for operational risk, regulatory compliance and financial oversight in positions such as CCO, CRO, CISO, CFO, Legal counsel, Internal auditor or IT and Security managers.

From the total outreach, 127 respondents confirmed that their organizations are subject to DORA, while another 8 stated they are not. 24 responses remained incomplete and were excluded from the final analysis. This gave us a solid base of 127 complete, DORA-relevant responses, primarily from organizations in banking, insurance, asset management, and other regulated financial institutions.

How Laborious is DORA compliance?

What quickly became clear is that DORA compliance is not a theoretical concern — it’s a daily, operational reality and a heavy one at that. Respondents reported that on a 1 to 5 scale (5 being the most laborious), over 65% rated their compliance workload at level 4 or 5 in the previous 3 months. And for good reasons: many of these organizations manage thousands of contracts and third-party relationships, each of which needs to be understood, documented, and monitored for DORA-specific criteria. Where DORA specific contract clauses are missing, addendum with suppliers must be drafted, communicated and finalized.

On average, respondents estimated that ensuring compliance with suppliers affected by DORA increases their workload by over 200 hours each month.

How are DORA Reports Generated?

Despite the scale of this work, most organizations aren’t equipped with tools to manage it efficiently. Fewer than 25% have a system that automatically notifies them of contract expirations, and when asked how they plan to generate their mandatory vendor relationship reports, a striking 83% said they would do it manually — either in Excel or by assembling data across a file system.

Even more telling, while 67% are actively looking for a solution to streamline DORA-related compliance, a significant portion still plan to continue with manual processes, unsure of what tools are available.

Only a small fraction of respondents reported having a centralized and sophisticated system. The majority rely on spreadsheets, decentralized tracking, and ad hoc processes that make audits difficult and reporting fragmented.

The Obstacles to DORA Compliance

When asked about the biggest obstacles to DORA readiness, three themes dominated: overwhelming amount of information (sometimes lacking in clarity), complex and time-consuming reporting duties, and the absence of suitable tools. It’s not that organizations don’t take compliance seriously — it’s that they’re overwhelmed by the volume and under-supported by technology.

Using a platform which centralizes contract data, tracks obligations, automates expiration alerts, and generates DORA-compliant reports could reduce compliance-related workloads by over 60%. That translates to saving more than 120 hours of work each month, all while dramatically improving audit readiness and internal oversight, thus mitigating risk associated with fines stemming from non-compliance.

For organizations struggling to keep up, the message is clear: investing in smarter tools now will pay off not only in compliance, but in clarity, consistency, and control. DORA isn’t going away — a thorough revision of contractual relationships not only serves to ensure compliance but also presents a great opportunity to digitize your contract management system.

Want to learn more?

Contact one of our specialists today, to find out how we can help you become compliant with DORA.