DORA’s Continuous Monitoring in Practice
Navigating the DORA compliance blockers holding security leaders back
A practical DORA compliance guide for CISOs, GRC leaders, and controls assurance teams on where continuous monitoring stands one year into enforcement.
The DORA Reality Check: Where compliance stands one year into enforcement
As we pass the first anniversary of DORA (Digital Operational Resilience Act) enforcement, the financial services industry faces an uncomfortable compliance truth. Only 32% of regulated financial entities fully comply with all DORA compliance requirements, while 40% are only partially fulfilling their obligations, according to KPMG's analysis of EU financial institutions. More concerning, 43% of UK financial services institutions missed last year's DORA compliance deadline entirely.

Yet the European Supervisory Authorities made their expectations clear in December 2024. National authorities across the EU - from Austria's FMA to Ireland's CBI - are already actively conducting supervisory visits and enforcement actions. The countdown is over - the spotlight is now firmly on how well organizations can evidence DORA compliance. The regulators are no longer watching the clock; they are watching your controls, your continuous monitoring approaches and your controls assurance practices.

For CISOs and their teams, the realities of DORA represent more than just a compliance checkbox exercise. DORA is driving a fundamental redesign of how financial institutions approach risk visibility, control architecture, and operational resilience. It is a structural shift in how you operate.

This guide examines the five biggest compliance blockers that security leaders face right now and provides strategic, actionable guidance for overcoming them, with particular focus on Critical or Important Functions (CIFs) and the role of continuous controls monitoring in evidencing ICT control effectiveness.
DORA timeline
16th January 2023
DORA enters into force, kick-starting a two-year implementation period
17th January 2024
Regulatory technical standards (RTS) and Implementing technical standards (ITS) released covering DORA ICT risk management, incident reporting, and testing
17th July 2024
Further standards released, including an oversight framework for Critical ICT Third-Party Providers (CITPPs)
17th January 2025
DORA becomes fully applicable
April 2025
First cases of authorities using on-site inspection and information requests to assess DORA compliance and continuous controls monitoring practices
October 2025
DORA penalty frameworks finalized and fully operational across member states