Where DORA sits today
DORA came into enforcement on 17 January 2025. It applies to EU financial entities and to the critical ICT third-party providers that serve them. Sixteen months on, the enforcement bodies are still in the early days of a new regulation, not coming in heavy-handed, just identifying gaps. But it is now possible to see what those gaps are.
- The EBA has published its observations from the first round of register of information submissions, listing the common data quality issues.
- France’s ACPR has named its three ICT supervisory priorities for 2026: incident management, implementation of ICT risk frameworks, and the compliance of contracts with IT service providers.
- Germany’s BaFin set DORA as a 2026 priority in its Risks in Focus document and called out ICT third-party concentration risk on hyperscalers.
- The CSSF in Luxembourg is publishing live updates on submission rates and where firms are falling short.
The pattern is the same across all of them. They are documenting what they are finding and telling the market where to fix things.
From attempting to in motion
But it means that organisations where DORA applies need to go from attempting to sort out DORA to having something in motion. From my own experience, many organisations have got a lot of the pieces in place. What’s missing is the governance process to check that things are actually happening.
For example, you could have a pretty solid leavers process to make sure that hardware is returned when somebody leaves. But is there a check to make sure that process is actually happening, and is there a safety net underneath it? This is not the sexy part of IT; it’s housekeeping. But it proves that the process is actually working, and it allows IT operations to run smoothly on data we can rely on.
This is a proactive practice. It means stepping away from the day-to-day pressure of the latest audit, the latest negotiation, or the latest project to be supported, and really leaning into what’s missing.
What DORA actually looks for
That’s just one example. What DORA actually looks for is:
- Accurate, complete asset records
- Configuration and dependency mapping
- A register of your ICT third-party providers and the relationships there
- Continuous risk assessments
- Governance of all of the above
- An evidence trail
The asset definition collision

There is a definition problem hiding inside that list. The ITAM world uses “asset” to mean an item of value to the organisation, normally hardware or software, with the ISO/IEC 19770-1 standard as the reference. DORA uses two terms: “ICT asset” for the hardware and software, and “information asset” for the information those ICT assets hold and move, which DORA treats as an asset worth protecting in its own right. The two are not interchangeable.
What that means in practice is that a typical ITAM register tracks the laptop and the licence, but it does not track the customer database that runs on the server, or the loan origination workflow that depends on it. DORA expects all three, linked together, with criticality classified end to end. The asset view is the foundation. It is not the whole thing.
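As an added illustration (not code from the original post), here is a minimal Python model of that three-layer linkage: business functions, information assets and ICT assets, with criticality propagated end to end and the register gaps a review would surface. Asset names and the sample register are constructed.

```python
# Added example (not the post's code): business function -> information asset -> ICT asset
# linkage with criticality propagated end to end, plus the register gaps a review would flag.
from dataclasses import dataclass
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class ICTAsset:                  # DORA "ICT asset": hardware/software, what an ITAM register holds
    criticality: str = "low"

@dataclass
class InformationAsset:          # DORA "information asset": the data the ICT asset holds and moves
    hosted_on: list              # names of ICT assets
    criticality: str = "low"

@dataclass
class BusinessFunction:
    criticality: str
    depends_on: list             # names of information assets

def lift(obj, level):
    """Raise obj's criticality to at least `level` (never lower it)."""
    if RANK[level] > RANK[obj.criticality]:
        obj.criticality = level

def propagate_criticality(functions, info_assets, ict_assets):
    """Each lower layer inherits the criticality of whatever depends on it, end to end."""
    for fn in functions.values():
        for ia in (info_assets[n] for n in fn.depends_on if n in info_assets):
            lift(ia, fn.criticality)
            for host in (ict_assets[h] for h in ia.hosted_on if h in ict_assets):
                lift(host, ia.criticality)

def find_gaps(functions, info_assets, ict_assets):
    """Dangling links and orphan ICT assets: the 'laptop and licence only' register."""
    gaps = [f"{fn}: depends on unregistered information asset {n}"
            for fn, f in functions.items() for n in f.depends_on if n not in info_assets]
    gaps += [f"{ia}: hosted on unregistered ICT asset {h}"
             for ia, a in info_assets.items() for h in a.hosted_on if h not in ict_assets]
    linked = {h for a in info_assets.values() for h in a.hosted_on}
    gaps += [f"{n}: ICT asset with no linked information asset" for n in ict_assets if n not in linked]
    return gaps

# Constructed sample register: a critical loan workflow, one unregistered dependency, one orphan.
FUNCTIONS = {"loan-origination": BusinessFunction("critical", ["customer-db", "credit-scores"])}
INFO_ASSETS = {"customer-db": InformationAsset(["db-server-01"])}
ICT_ASSETS = {"db-server-01": ICTAsset(), "laptop-fleet": ICTAsset()}

def review(functions=FUNCTIONS, info_assets=INFO_ASSETS, ict_assets=ICT_ASSETS):
    # Returns (ICT asset name -> propagated criticality, list of gaps)
    propagate_criticality(functions, info_assets, ict_assets)
    return {n: a.criticality for n, a in ict_assets.items()}, find_gaps(functions, info_assets, ict_assets)
```

Running `review()` shows the database server inheriting "critical" from the loan workflow, while the laptop fleet and the missing credit-score data set come back as gaps.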
The governance GPS
When we look at ISO 19770-1, it provides a governance GPS. The mechanism underneath is the PDCA cycle: plan, do, check, act. Have we got a method to address the risk, quantify it, take minutes about what was agreed, execute those changes, and see what worked, then try to improve again? This is what is missing from many organisations. It’s the actual governance element, not the processes.
The numbers back this up. Even in the ESAs’ pre-enforcement Dry Run, only 6.5% of submitted registers of information passed all data quality checks. The picture in live enforcement is no easier: as of 16 March 2026, only 40% of financial entities required to submit their register to the CSSF had done so. Deloitte’s European DORA survey found 46% of financial entities naming the register as the single most challenging requirement to fulfil. That is the governance and data quality gap.
Governance boards and measurement
What does that mean in reality? It means some form of executive body, like a governance board or a steering group, made up of stakeholders who are sufficiently interested and motivated to fix things. They look at the performance of ITAM and, taking the elephant one piece at a time, ask what can be fixed this quarter or this month. Then they go ahead and fix it, and move the needle on performance in a continual service improvement fashion.
So one element is the governance board. The other element is measurement. You’ve heard me bang on repeatedly in the past about trustworthy data. Without measurement, how do we know we’re actually making a difference? How accurate is our data? Has anyone measured the accuracy of the CMDB, or the asset register, or whatever you’re using to record assets in? And are we taking steps to improve that accuracy?
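One way to answer the accuracy question with a number rather than an opinion, as an added example that is not the author's: reconcile the register against an independent discovery source and report the match rate together with the discrepancies that become the evidence trail. The register and discovery records below are constructed sample data, and the record keys and compared fields are assumptions.

```python
# Added example (not the post's code): measure asset register accuracy by reconciling it
# against an independent discovery source. Inputs are constructed sample records; a real
# run would read CMDB and discovery/scanner exports with the same shape.
REGISTER = [  # what the asset register claims
    {"id": "srv-01", "hostname": "db-server-01", "owner": "lending", "os": "RHEL 9"},
    {"id": "srv-02", "hostname": "app-server-02", "owner": "lending", "os": "RHEL 8"},
    {"id": "srv-03", "hostname": "old-batch-03", "owner": "finance", "os": "RHEL 7"},
]
DISCOVERED = [  # what discovery actually observed on the network
    {"hostname": "db-server-01", "os": "RHEL 9"},
    {"hostname": "app-server-02", "os": "RHEL 9"},       # register is stale on this field
    {"hostname": "shadow-vm-04", "os": "Ubuntu 22.04"},  # not in the register at all
]
COMPARED_FIELDS = ("os",)  # fields both sources can see; extend as discovery coverage grows

def reconcile(register=REGISTER, discovered=DISCOVERED, fields=COMPARED_FIELDS):
    """Return accuracy metrics plus the finding list a governance board can act on."""
    reg = {r["hostname"]: r for r in register}
    seen = {d["hostname"]: d for d in discovered}
    findings = []
    for host in sorted(reg.keys() - seen.keys()):
        findings.append(("in-register-not-found", host))   # retired asset or ghost record
    for host in sorted(seen.keys() - reg.keys()):
        findings.append(("found-not-in-register", host))   # unmanaged or shadow asset
    correct = 0
    for host in sorted(reg.keys() & seen.keys()):
        mismatches = [f for f in fields if reg[host].get(f) != seen[host].get(f)]
        if mismatches:
            findings.append(("field-mismatch", host, mismatches))
        else:
            correct += 1
    total = len(reg.keys() | seen.keys())  # every asset either side knows about
    return {
        "register_records": len(reg),
        "discovered_records": len(seen),
        "fully_correct": correct,
        "accuracy_pct": round(100 * correct / total, 1) if total else 0.0,
        "findings": findings,
    }
```

Tracking `accuracy_pct` and the finding counts per month is the measurement the board needs to see whether the housekeeping is actually improving the data.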
The takeaway
The organisations that struggle in year two of DORA enforcement will not be the ones missing the processes. They will be the ones missing the safety net underneath them. Stand up the governance board. Put measurement on the agenda and prove the accuracy of your data. Treat ITAM as a practice, not a project. The regulator is looking for an evidence trail; the only way to produce one is to do the unglamorous housekeeping continuously, with someone accountable for whether it actually happened.