DORA Readiness Survey: 2024 Statistics, Trends, and Analysis
Just 44% of financial institutions were confident they'd meet DORA's January 2025 deadline (BCI Operational Resilience Report, 2024). Luxembourg's CSSF found only 1 of 389 entities fully ready in September 2024. The ESAs' dry run found 6.5% of registers passing all data quality checks; Deloitte's 2025 survey found 8% fully compliant across both testing and third-party risk management pillars.
Methodology
The statistics on this page draw from five primary and Tier-1 sources published between June 2024 and early 2025.
The Commission de Surveillance du Secteur Financier (CSSF), Luxembourg's financial regulator, conducted a formal DORA readiness survey across approximately 494 supervised entities in August and September 2024. Of those, 389 responded, a participation rate of around 80%. Findings were published on 7 October 2024. This is one of the few regulator-initiated, publicly disclosed readiness assessments conducted before the January 2025 enforcement date, covering credit institutions, investment firms, alternative investment fund managers, payment institutions, and electronic money institutions supervised in Luxembourg.
The Business Continuity Institute (BCI) Operational Resilience Report 2024 surveyed practitioners globally on their organisations' posture across major resilience frameworks, including DORA. McKinsey's DORA readiness analysis, published June 2024, drew from surveys of major European financial institutions. Deloitte's DORA European Survey 2025 covered 36 financial services entities across 28 countries, with fieldwork conducted around the January 2025 enforcement date. The European Supervisory Authorities (EBA, ESMA, and EIOPA) ran a dry run exercise during 2024 to test the data quality of DORA information registers, publishing results in December 2024.
All figures reflect self-reported compliance confidence or readiness assessments, not independent supervisory verification. The CSSF survey covers Luxembourg-supervised entities only; BCI and Deloitte surveys draw from broader European and global populations. Comparisons across surveys should account for this scope difference.
Full data table
| Source | Metric | Figure | Reference Date | Population |
|---|---|---|---|---|
| CSSF DORA Readiness Survey | Entities self-reporting as "fully ready" | 0.3% (1 of 389) | September 2024 | ~494 Luxembourg entities |
| CSSF DORA Readiness Survey | Entities "partially ready" | 71% | September 2024 | 389 respondents |
| CSSF DORA Readiness Survey | Entities "mostly ready" | 23% | September 2024 | 389 respondents |
| CSSF DORA Readiness Survey | Entities "not ready" | 6% | September 2024 | 389 respondents |
| CSSF DORA Readiness Survey | ICT third-party contract negotiations named as top barrier | 54% | September 2024 | 389 respondents |
| BCI Operational Resilience Report 2024 | Firms confident or very confident of meeting January 2025 deadline | 44.4% | 2024 | Global |
| McKinsey DORA Survey | Major European FIs confident of meeting all requirements by deadline | ~33% | June 2024 | Major European FIs |
| Deloitte DORA European Survey 2025 | Fully compliant with ICT Risk Management pillar | 25% | Early 2025 | 36 entities, 28 countries |
| Deloitte DORA European Survey 2025 | Fully compliant with DORA Testing and TPRM pillars | 8% | Early 2025 | 36 entities, 28 countries |
| Deloitte DORA European Survey 2025 | Named Register of Information as hardest requirement | 46% | Early 2025 | 36 entities, 28 countries |
| ESAs DORA Dry Run | Registers passing all 116 data quality checks | 6.5% | December 2024 | EU-wide submission pool |
Sources: CSSF (October 2024), BCI Operational Resilience Report 2024, McKinsey (June 2024), Deloitte DORA European Survey 2025, ESAs DORA Dry Run Summary Report (December 2024).
Key findings
The gap between completing a gap analysis and actually closing the gaps turned out to be the defining story of DORA's implementation window.
The CSSF survey is the most granular pre-deadline dataset available from a supervisory authority. By September 2024, 90% of respondents had completed a DORA gap analysis. But completing an analysis is not completing compliance. The overall readiness score was 2.8 on a scale where 1 equals full readiness and 4 equals none. That places most entities well past the midpoint toward "facing real difficulties." Only 1 of 389 entities considered itself fully ready. Credit institutions were the most advanced type, with over 97% having completed gap analysis; payment institutions and electronic money institutions ranged from 74% to 84%. Even among the best-prepared segment, the majority were still working through implementation.
Third-party contract renegotiation was the dominant operational bottleneck. 54% of CSSF respondents named ICT third-party contract negotiations as their top challenge. DORA requires specific contractual provisions in all agreements with critical ICT providers. Many firms discovered that existing vendor contracts lacked those clauses and that renegotiating global agreements with large providers takes longer than any compliance timeline.
Fewer than half of institutions were confident they'd meet the deadline. The BCI Operational Resilience Report 2024 found only 44.4% of respondents confident or very confident. McKinsey, surveying major European institutions in June 2024, put the share confident of meeting ALL requirements at approximately one in three. These figures aren't contradictory: McKinsey measured comprehensive compliance confidence, BCI measured general deadline confidence. Both point to the same conclusion.
Post-deadline gaps persisted across almost every DORA pillar. Deloitte's early 2025 survey found ICT Incident Management was the highest-scoring area at 48% full compliance. ICT Risk Management sat at 25%. Digital Operational Resilience Testing and Third-Party Risk Management were both at 8%. 50% of institutions expected full compliance by end of 2025; 38% pushed their target to 2026.
Register of Information quality failures were widespread. The ESAs' December 2024 dry run found only 6.5% of submitted registers cleared all 116 data quality checks. Invalid Legal Entity Identifiers drove 32% of rejections. Missing SLAs accounted for 27%. These aren't architectural failures; they're data hygiene failures at scale.
Year-over-year trends
DORA was adopted in December 2022 and gave financial institutions a two-year implementation window before the January 17, 2025 enforcement date. The data shows that most firms treated the first 18 months as planning time and the last six months as execution time. That's too compressed.
By June 2024, McKinsey's analysis described the sector as being in "a sprint." Most major institutions were still in gap analysis or early design phase. Confidence that all requirements could be met by the deadline was sitting at roughly one in three firms.
The CSSF snapshot, taken three months later in September 2024, confirmed the picture. Despite near-universal gap analysis completion, readiness scores hadn't translated into implementation. The overall readiness score of 2.8 held across entity types. Three of the five most-cited barriers (third-party contract negotiations at 54%, group coordination dependencies at 42%, resource shortages at 40%) were structural, not technical. That matters because structural barriers don't resolve quickly.
The ESAs' December 2024 dry run on information registers was the final major measurement before the deadline. Only 6.5% of registers passed all checks. The top failure modes were not exotic: missing LEI codes, incomplete SLAs, broken supply chain tracing beyond first-tier providers. These are data entry and process problems, not architecture problems. The implication is that most firms hadn't operationalised their registers as live documents.
Post-deadline, the Deloitte 2025 survey shows a sector still in catch-up. Compliance by pillar ranges from 8% to 48%. Estimated compliance costs, where calculated, fell mostly in the €2 million to €5 million range, with 47% of UK firms and 38% of EU firms reporting they'd already spent over €1 million (Infosecurity Magazine, 2024). The trajectory is improvement. The pace is slow.
What this means for compliance teams
DORA's compliance gap has two distinct causes. One is scope underestimation: most compliance teams didn't anticipate how much of their ICT vendor base required contractual renegotiation, how many sub-contractors needed to be mapped, or how specific the data quality requirements for the Register of Information were. The other is resource constraints: the CSSF found 40% of entities cited resource shortages, and 42% cited dependence on group-level coordination for requirements that regulators assess at entity level.
The Register of Information is the most immediate remediation target. The ESAs have been explicit that it's a supervisory-grade, continuously maintained document. Firms that haven't built an automated, validated process for maintaining third-party ICT inventories will keep failing data quality checks. A regulatory compliance automation programme that validates LEI codes against the GLEIF database, tracks SLA coverage, and maps sub-contractor dependencies in real time is what closes that gap.
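A minimal pre-submission check for the three failure modes named above, as an added example that is not code from the ESAs or any source cited here. The record field names (`provider`, `lei`, `sla_reference`, `subcontractors`) and all sample data are assumptions; the LEI test is the offline ISO 17442 check-digit calculation (ISO 7064 MOD 97-10) and does not replace a lookup against the GLEIF database.

```python
import re

LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")

def _digits(s):
    # ISO 7064 MOD 97-10 input: 0-9 stay as they are, A-Z become 10-35.
    return "".join(str(int(ch, 36)) for ch in s)

def lei_check_digits(prefix18):
    """Check digits for an 18-character LEI prefix (ISO 17442)."""
    return f"{98 - int(_digits(prefix18 + '00')) % 97:02d}"

def lei_is_well_formed(lei):
    """Offline structural check only; says nothing about GLEIF registration status."""
    if not lei or not LEI_RE.fullmatch(lei):
        return False
    return 2 <= int(lei[18:]) <= 98 and int(_digits(lei)) % 97 == 1

def check_register(entries):
    """Return {provider: [findings]} for every entry with a data quality problem."""
    known = {e["lei"] for e in entries if lei_is_well_formed(e.get("lei"))}
    findings = {}
    for e in entries:
        issues = []
        if not e.get("lei"):
            issues.append("missing LEI")
        elif not lei_is_well_formed(e["lei"]):
            issues.append("invalid LEI")
        if not e.get("sla_reference"):
            issues.append("missing SLA")
        # Supply chain tracing: each named subcontractor needs its own entry.
        for sub in e.get("subcontractors", []):
            if sub not in known:
                issues.append(f"subcontractor {sub} not in register")
        if issues:
            findings[e["provider"]] = issues
    return findings

# Constructed sample data: none of these LEIs or providers are real.
PREFIXES = ["00EXAMPLEPROVIDER" + c for c in "ABCD"]
LEI_A, LEI_B, LEI_C, LEI_D = (p + lei_check_digits(p) for p in PREFIXES)
BAD_C = LEI_C[:-1] + ("0" if LEI_C[-1] != "0" else "1")  # one-digit typo
REGISTER = [
    {"provider": "Cloud Host A", "lei": LEI_A, "sla_reference": "SLA-001",
     "subcontractors": [LEI_B, LEI_D]},
    {"provider": "Datacentre B", "lei": LEI_B, "sla_reference": ""},
    {"provider": "Payments C", "lei": BAD_C, "sla_reference": "SLA-003"},
]
print(check_register(REGISTER))
```

Run as a gate before each register submission; a well-formed LEI can still be lapsed or unregistered, which only the GLEIF lookup will show.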
The third-party risk dimension has an architecture component. DORA requires meaningful oversight of ICT suppliers, including sub-contractors beyond the first tier. Connecting a zero trust architecture to third-party access controls provides real operational visibility. A contract clause tells you what a vendor should do; continuous access monitoring tells you what they're actually doing.
DORA's digital operational resilience testing requirements build on existing instrumentation. Firms that have already invested in transaction monitoring and API security for financial services are starting from a stronger position for threat-led penetration testing. You can't test resilience on systems you don't monitor.
Supervisors have signalled tolerance for good-faith effort since the January deadline passed, but not indefinitely. Completing a structured enhanced due diligence review of ICT providers, with documented findings and remediation timelines, gives supervisors evidence of seriousness. "We're targeting 2026" isn't evidence of seriousness. A milestone-based remediation roadmap, reviewed at board level, is.
Sources
- CSSF, "Results of the DORA readiness survey conducted in September 2024," October 2024
- Business Continuity Institute, BCI Operational Resilience Report 2024
- McKinsey & Company, "Europe's new resilience regime: The race to get ready for DORA," June 2024
- Deloitte Luxembourg, DORA European Survey 2025
- EBA / ESAs, "The ESAs' Dry Run exercise shows the goal of reporting of registers of information under DORA in 2025 within reach," December 2024
- Infosecurity Magazine, "DORA Compliance Costs Soar Past €1m for Many UK and EU Businesses," 2024