16 January 2026 · Regulatory · 6 min read
DORA, one year in.
A year after DORA came into force, the questions supervisors actually asked were not the questions vendors had prepared for. A reading of the first enforcement signals and what they imply for the next renewal cycle.
The shape of the first year
The Digital Operational Resilience Act came into force on 17 January 2025. The first three months were paperwork — registers, contract amendments, sub-processor disclosures. The middle of 2025 was incident-reporting drills as supervisors pushed financial entities to test the four-hour, 72-hour, and one-month timelines on tabletop exercises. The autumn was the first wave of operational reviews. By the end of December, three patterns had become clear.
Pattern one — supervisors asked for evidence, not policy
The pre-DORA expectation in many compliance teams was that the supervisor would ask questions about ICT risk policy and accept written answers. The 2025 reviews went the other direction. Examiners asked for evidence: the actual incident log for a named incident, the actual residency proof for a named UTC day, the actual sub-processor notification email sent on a named date.
Vendors that had documented their compliance posture in PDFs but not surfaced it as machine-readable evidence found themselves in awkward positions. The customer's compliance team needed an artefact they could forward; the vendor needed a week to produce it. The week was longer than the supervisor's patience.
Pattern two — the third-party register had to be live
Article 28 requires financial entities to maintain an up-to-date register of all ICT third-party arrangements. The natural reading is "a spreadsheet, updated quarterly." The 2025 reviews showed examiners reading the register for currency. A sub-processor added by the vendor in October needed to be in the customer's register by the time the examiner asked in November. Quarterly updates did not survive that timing.
Vendors that pushed sub-processor changes through a Confluence page that the customer had to discover by polling were the ones whose customers got the awkward findings. The vendors that pushed changes via a webhook plus an email plus a 30-day comment window gave their customers an automated path to keep the register current. The compliance architecture leaked through to the customer's supervisory exposure, in either direction.
Pattern three — exit plans got tested
A small number of large vendors changed their pricing or sub-processor posture during 2025 in ways that triggered customer exit clauses. The vendors that had a documented 90-day exit process honoured it without drama. The vendors that had a sales-team commitment but no operational mechanism took 130 to 180 days to deliver the export, and in two cases the export was incomplete. In both incomplete cases, the supervisor was told and the supervisor took notes.
The cost of an incomplete exit is not the immediate friction. It is the next contract renewal across that vendor's entire customer base, when every regulated buyer asks to see the exit plan in operational form before signing. By the end of 2025 we were getting that question in every single sales conversation.
What we did with the year
The Estøkad design centre was set in 2024 against the public DORA text. Most of what changed during 2025 was operational rather than architectural. We added the per-customer incident webhook in October, the sub-processor change-notification webhook in November, and the per-region status page in December. The DORA evidence pack ships every workspace with five new sections compared to the January 2025 version, each driven by a specific examiner question we heard during a customer review.
The architectural pieces have not had to move. The audit chain is still hash-linked, the residency proofs still daily-signed by the regional KMS, the exit plan still contractually enforceable inside 90 days. The right architecture in January 2025 turned out to be the right architecture in January 2026; what shifted was the surface area customers needed to expose to their supervisors.
What we expect in the next twelve months
The first formal enforcement actions land in 2026. The supervisory consensus we are hearing is that the first round will target critical ICT third-party providers — the tier of vendor formally designated by the European Supervisory Authorities under Article 31 — rather than smaller providers like us. That does not let smaller vendors off the hook; the customer's compliance team transmits the supervisor's preferences into the procurement process for everyone else.
The other shift we expect is national-supervisor divergence. The Belgian, Luxembourgish, and Dutch supervisors have been clearer about per-country residency expectations than the BaFin or the AMF have been so far. The next twelve months will tell us whether that divergence narrows or widens. We architected for the strict end of the spectrum because the architecture is harder to add later than to ship from day one.
The state of the platform is at /changelog and what is coming at /roadmap; the compliance posture for buyers preparing for their own DORA reviews is at /trust.