DORA has been applicable since January 2025. Supervisors are moving from implementation guidance to active assessment. Key gaps we are identifying across client portfolios: incomplete Registers of Information, weak ICT incident classification, and insufficient third-party concentration analysis.
