The Continuous Monitoring Challenge
How DORA changes expectations for continuous ICT risk monitoring, making point-in-time audits obsolete
DORA Article 8 fundamentally changes compliance expectations by requiring financial entities to conduct continuous monitoring of ICT risk management. This isn't a technical preference or best practice recommendation. It's a regulatory mandate that represents a structural shift from periodic assessments and controls assurance to always-on visibility.
Yet the operational reality hits hard. As of March 2025, only 4% of institutions had successfully integrated DORA as business-as-usual operations [3]. And it's not because CISOs don't understand what constitutes continuous monitoring. It's because building the operational capability to deliver real-time evidence of control effectiveness and risk management across vast, complex technology estates is genuinely difficult.
Continuous monitoring means real-time controls assurance
Quarterly or even weekly control testing doesn't satisfy "continuous" in DORA's eyes. Continuous means ongoing, real-time visibility into whether your controls remain deployed and working effectively.
Without automation, this requirement becomes too resource-intensive to manage. Analysts spend hours pulling logs from disparate systems, creating screenshots for evidence packets, manually compiling control status reports, and chasing down ownership teams for missing data. This approach doesn't scale, and it accounts for the resource explosion many organizations are experiencing (manual DORA compliance approaches require 50-100 people for initial implementation phases [4]).
Fragile continuous monitoring pilot programs aren't just draining resources. One year into DORA enforcement, they're also full of coverage gaps as new systems are deployed.
Legacy systems present a further challenge for teams operating hybrid environments: they often lack modern APIs for real-time data extraction. Creating unified visibility across this fragmented landscape requires specialized integration work that diverts further resources from actual risk management.
The institutions succeeding with continuous monitoring one year into DORA enforcement recognized early on that it's a specialized operational capability, not a build-your-own architectural project. The organizations still struggling with continuous monitoring underestimated the engineering complexity and ongoing maintenance burden of building these capabilities internally.
[3] PwC, Digital Operational Resilience Act: Laying the groundwork for digital resilience and transformation, 2025
[4] Dynatrace, How Automation Helps with DORA Compliance, 2025
Strategic steps to overcome this blocker
1. Deploy a purpose-built continuous controls monitoring platform
The operational model for continuous controls monitoring requires more than just better tools. It requires:
- Automated data collection from across your technology estate
- Real-time analysis of control effectiveness against regulatory frameworks
- Automated alerting when controls drift or fail
- Regulatory-ready reporting that translates technical data into compliance evidence
Purpose-built Continuous Controls Monitoring (CCM) platforms do this by design. They're maintained and updated by specialist vendors who track regulatory changes, add new integrations as technology evolves, and support the operational model long-term, instead of leaving you to own the integrations, maintenance and technical debt yourself.
2. Prioritize integration with legacy and critical systems
When deploying a continuous controls monitoring capability, ensure you have real-time visibility into the operational health, security controls, and incident indicators of your critical or important functions.
For legacy systems that lack modern APIs, invest in integration layers that extract operational data and transform it into formats your monitoring infrastructure can consume. Purpose-built CCM platforms include pre-built connectors for common legacy technologies (mainframes, AS/400, legacy databases), accelerating integration timelines significantly.
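To make the operational model concrete, here is an added example (not code from the original page or from any CCM vendor) of a minimal continuous-controls-monitoring loop in Python. It ties together the four capabilities listed under step 1 and the legacy integration layer described in step 2: a fixed-width export from a system with no API and a structured IAM feed are normalised into one evidence schema, two controls are evaluated against that evidence, a monitor compares each result with the previous run and alerts on drift, and a report summarises the latest status per control with the timestamp of the supporting evidence. All system names, record layouts, control identifiers, thresholds and requirement references (REQ-PLACEHOLDER-*) are constructed placeholders, not real systems or DORA clause numbers.

```python
# Added example: a minimal continuous-controls-monitoring loop.
# Everything below (systems, layouts, control ids, thresholds, REQ-* refs)
# is constructed for illustration and maps to no real estate or regulation.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed legacy exports, one per collection cycle. Fixed-width columns:
# system (cols 0-9) | last backup, UTC (cols 10-25) | job status (cols 26-33)
EXPORT_DAY1 = """\
CORE-LEDG 2025-03-09 01:15 OK
PAYMENTS  2025-03-09 00:40 OK
CARDS     2025-03-09 01:50 OK
"""
EXPORT_DAY2 = """\
CORE-LEDG 2025-03-10 01:15 OK
PAYMENTS  2025-03-09 00:40 OK
CARDS     2025-03-10 01:50 FAILED
"""
# (collection time, export) pairs: on day 2 the PAYMENTS job silently did not
# run and the CARDS job failed, which a monthly review would miss for weeks.
CYCLES = [
    (datetime(2025, 3, 9, 6, 0, tzinfo=UTC), EXPORT_DAY1),
    (datetime(2025, 3, 10, 6, 0, tzinfo=UTC), EXPORT_DAY2),
]
# Constructed modern source that already returns structured records.
IAM_ADMIN_ACCOUNTS = [
    {"user": "ops-admin-1", "mfa_enrolled": True},
    {"user": "ops-admin-2", "mfa_enrolled": True},
]


def parse_fixed_width_backups(text):
    """Integration layer: convert legacy fixed-width records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[10:26].strip(), "%Y-%m-%d %H:%M")
        records.append({"system": line[0:10].strip(),
                        "last_backup": ts.replace(tzinfo=UTC),
                        "status": line[26:34].strip()})
    return records


@dataclass
class ControlResult:
    control_id: str
    requirement: str   # placeholder pointer to the regulatory clause
    passed: bool
    detail: str
    observed_at: datetime


def check_backup_freshness(backups, now, max_age=timedelta(hours=24)):
    """Control BKP-01: every system has a successful backup within max_age."""
    bad = [b["system"] for b in backups
           if b["status"] != "OK" or now - b["last_backup"] > max_age]
    detail = f"stale or failed backups: {', '.join(bad)}" if bad else "all backups fresh"
    return ControlResult("BKP-01", "REQ-PLACEHOLDER-1", not bad, detail, now)


def check_admin_mfa(accounts, now):
    """Control IAM-02: every administrative account has MFA enrolled."""
    missing = [a["user"] for a in accounts if not a["mfa_enrolled"]]
    detail = f"admins without MFA: {', '.join(missing)}" if missing else "all admins enrolled"
    return ControlResult("IAM-02", "REQ-PLACEHOLDER-2", not missing, detail, now)


class ControlMonitor:
    """Remembers the last state of each control and alerts on transitions."""

    def __init__(self):
        self.last_state = {}   # control_id -> bool from the previous cycle
        self.alerts = []
        self.evidence = []     # every ControlResult ever observed

    def run(self, results):
        for r in results:
            prev = self.last_state.get(r.control_id)
            if prev is True and not r.passed:      # was effective, now is not
                self.alerts.append(f"{r.observed_at.isoformat()} DRIFT {r.control_id}: {r.detail}")
            elif prev is None and not r.passed:    # failing on first observation
                self.alerts.append(f"{r.observed_at.isoformat()} FAIL {r.control_id}: {r.detail}")
            self.last_state[r.control_id] = r.passed
            self.evidence.append(r)

    def report(self):
        """Latest status per control plus the timestamp of the supporting evidence."""
        latest = {r.control_id: r for r in self.evidence}  # later results overwrite earlier
        return {cid: {"requirement": r.requirement,
                      "status": "EFFECTIVE" if r.passed else "INEFFECTIVE",
                      "evidence_at": r.observed_at.isoformat(),
                      "detail": r.detail} for cid, r in latest.items()}


def run_demo():
    """Push both constructed collection cycles through the monitor and return it."""
    monitor = ControlMonitor()
    for collected_at, export in CYCLES:
        backups = parse_fixed_width_backups(export)
        monitor.run([check_backup_freshness(backups, collected_at),
                     check_admin_mfa(IAM_ADMIN_ACCOUNTS, collected_at)])
    return monitor


if __name__ == "__main__":
    m = run_demo()
    print("\n".join(m.alerts))
    for cid, row in m.report().items():
        print(cid, row["status"], row["evidence_at"], row["detail"])
```

Running the two constructed cycles produces a single drift alert for BKP-01 on day 2 (the PAYMENTS backup is 29 hours old and the CARDS job failed) while IAM-02 stays effective. Keeping `last_state` means an alert fires on the transition rather than on every cycle the control remains failed, which is what keeps continuous monitoring from flooding analysts, and the evidence list gives the timestamped trail a regulator expects instead of a screenshot taken once a quarter.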
3. Build sustainability through automation, not heroics
This is critical: sustainable DORA compliance requires automation that makes continuous monitoring the default operational state, not a monthly compliance sprint.
The "technical debt trap" affects almost every homegrown monitoring solution. Internal teams spend increasing effort maintaining custom integrations and chasing down manual evidence.
Purpose-built CCM platforms deliver sustainability by design. They handle the technical operations work, freeing your team to focus on the compliance and risk management work that actually matters.