From Preparation to Enforcement: The DORA Turning Point
DORA existed for years as a distant regulatory horizon. Financial institutions and their technology partners spent considerable effort preparing for its requirements, debating interpretations, and in some cases deferring action. That phase has ended. According to the source material, the framework is now complete, supervisors are mobilising, and enforcement scrutiny is intensifying across the industry.
The most significant recent development was the arrival of the Delegated Regulation on Subcontracting, which took effect on 22 July 2025. This legislation fills the final gaps in how subcontracting chains supporting critical functions must be governed. Financial entities can no longer rely on vague assurances from service providers about downstream dependencies. The rules are now explicit and enforceable.
Data Sovereignty: The Backbone of Operational Resilience
Data sovereignty has become the central focus of DORA compliance and supervisory oversight. For EU-based data, the expectation is uncompromising: it must remain within the EU unless strict safeguards are in place. Organisations must demonstrate full visibility and control over data location at all times.
As financial institutions deepen reliance on cloud services and distributed systems, the question of where data resides and who controls it has moved to the centre of regulatory discussions. GDPR continues to anchor these obligations, but DORA adds a new operational layer by forcing firms to interrogate their providers’ architectures, subcontracting arrangements, and data-handling practices in greater depth. Without certainty about data location, no organisation can credibly claim operational resilience.
Supervisory Authorities Intensify Oversight
The ECB, the FCA, BaFin, and the Banque de France have all signalled that operational resilience will be central to their oversight in 2026. Their messaging is consistent: DORA is not a compliance box-ticking exercise. Firms will be judged on demonstrable, measurable resilience, not merely the existence of policies.
Incident reporting processes, risk management frameworks, and third-party oversight arrangements are already under closer examination. The European Insurance and Occupational Pensions Authority (EIOPA) published its DORA Oversight Guide, clarifying how supervision of third-party service providers will work in practice, including the role of the “Lead Overseer” concept.
The Readiness Gap: Industry Falls Behind Regulatory Expectations
Despite regulatory momentum, industry readiness tells a troubling story. A major survey published in August 2025 revealed that 96% of European financial institutions do not yet feel fully resilient under DORA’s standards. Many cite budget pressures, rising supplier costs, and the complexity of mapping subcontracting chains.
A global survey by 11:11 Systems of 800+ IT leaders found that 46% identified cyber incident recovery planning complexity as their biggest challenge. This widening gap between regulatory expectations and operational reality may soon become visible in supervisory findings, potentially triggering enforcement actions.
What Comes Next: The Enforcement Phase Begins
The window for preparation has closed. Supervisors are moving into enforcement mode, with subcontracting chains and third-party oversight as the hottest areas of scrutiny. Incident reporting expectations are now fully defined and active.
Regulators may take a pragmatic but firm approach given widespread resource constraints, yet the message to financial institutions and service providers is unambiguous: operational resilience is no longer a future ambition. It is a present-day obligation, and scrutiny will only intensify as authorities begin enforcement examinations across European markets.
