If you had asked me in 2024 how seriously firms were taking DORA, my honest answer would have been that only around the top 20 per cent of impacted organisations were truly focused on it. These were typically the more risk averse, forward thinking businesses that tend to move early on regulatory change. Even then, many struggled to embed DORA into compliance as usual activities, whether because of stretched resources, limited budgets or complications within their IT supply chains.
Now, more than halfway through 2025, the picture has shifted significantly. Organisations are beginning to understand just how demanding DORA really is. It is no longer viewed as a future requirement. It is appearing in onboarding questionnaires and supplier due diligence processes. In some cases, it is influencing commercial decisions and costing organisations lucrative deals. Like many new regulations, it enjoyed a brief honeymoon period where it was seen as progressive but not yet widely enforced. That phase has passed. DORA is now moving into the same territory as GDPR, where compliance is increasingly expected rather than admired.
The Real Barriers to Compliance
There are several hurdles that firms are encountering.
First, there is the ongoing challenge of supplier oversight. Ensuring IT providers have the appropriate controls in place has always been complex, but DORA raises the bar by placing additional emphasis on resilience testing and incident response capabilities. With supply chains becoming longer and more layered, maintaining visibility and assurance across every link is becoming significantly harder.
Then there is compliance fatigue. Many organisations feel they are constantly responding to new regulatory demands. DORA is, in practical terms, another framework that needs to be interpreted, implemented and evidenced. That can create resistance internally, particularly where teams are already managing ISO standards, GDPR obligations and sector specific requirements.
Cost is another significant barrier. Threat Led Penetration Testing, which is a core requirement under DORA for certain entities, can be eye wateringly expensive. We are talking figures that can exceed one hundred thousand pounds. While this testing is typically required once every three years, it still represents a substantial investment. On top of that, firms must fund resilience improvements, tooling, training and further testing activities.
A final challenge is timing. DORA came into force in January 2025, yet many firms only began taking it seriously around that date. As a result, they are now playing catch up. Some are technically non compliant while they work through remediation programmes. That creates both regulatory risk and commercial pressure.
The Most Challenging Areas
In my experience, two elements of DORA stand out as particularly demanding.
The first is resilience testing. Beyond cost, the scale and coordination required can be considerable. A threat led penetration test that meets DORA requirements is not a routine scan. It is a complex exercise that requires an experienced third party and significant internal engagement. Someone within the organisation must own the process, coordinate stakeholders and ensure findings are addressed properly.
The second challenge lies in legal and contractual complexity. Achieving compliance across layered vendor relationships is not straightforward, especially where smaller providers are involved. Many existing IT contracts simply do not meet DORA standards. That means legal reviews, amendments to agreements and potentially difficult conversations with suppliers.
Those changes can introduce friction and strain commercial relationships.
What Happens Next
One of the realities of any new regulation is that clarity evolves over time. GDPR is a useful example. Each new fine or enforcement notice has provided the market with clearer guidance on what is acceptable and what is not. DORA will follow a similar path.
While that eventual clarity is helpful, the period before it arrives can be uncomfortable. Organisations may invest heavily in controls and processes that they genuinely believe meet regulatory expectations, only to find later that interpretations have shifted or that supervisory authorities expect something more. That uncertainty can lead to frustration.
There is also a risk that some firms will delay action altogether, choosing to wait until enforcement patterns are clearer. I would not recommend that approach. The longer organisations postpone meaningful progress, the more difficult and expensive compliance becomes.
How Organisations Can Get on the Front Foot
The most effective starting point is to engage a qualified DORA specialist who understands both the regulatory intent and the practical implications. A structured gap assessment against current DORA requirements provides a clear baseline. From there, an action plan can be developed, prioritising areas of highest risk and impact.
At the same time, organisations should plan early for Threat Led Penetration Testing. These exercises can take months to prepare and execute. From a financial perspective, it is important to budget for this on a recurring three year cycle so that the cost does not come as a surprise.
Ultimately, the journey can be simplified into three stages. First, check what you have against what is required. Second, fix what is missing or insufficient. Third, maintain and audit your position to ensure compliance remains embedded rather than reactive.
DORA is not a passing regulatory trend. It represents a structural shift towards operational resilience and demonstrable assurance. Firms that treat it as a strategic priority rather than a compliance burden will not only reduce regulatory risk but strengthen their commercial credibility. Those who delay will find the cost of catching up far greater than the effort of starting now.
Author: Luke Peach, Head of Compliance – Bulletproof from WorkNest




