The EU's Digital Operational Resilience Act (DORA) is often introduced as a regulatory requirement, but in practice it reveals a deeper challenge that many organizations are still trying to solve. The issue is rarely a lack of tools or frameworks. Instead, it is the absence of a clear and connected understanding of how critical services actually operate. Many organizations struggle to identify their most important functions, understand how systems support them, and track how dependencies, especially third parties, impact operations during disruptions.
Based on our 2026 DORA Compliance Maturity and Trends Benchmark, combined with hands-on implementation experience at Einar & Partners, a clear pattern emerges. Organizations that build a structured and connected view of their services are not only better prepared for compliance but are also significantly more resilient in practice.
A practical starting point: A 6-step approach to DORA resilience
To address these challenges, we have developed a structured six-step approach that helps organizations move from fragmented processes to a more operational and data-driven model of resilience.
The first step is governance.
Organizations need to establish clear ownership of services and the underlying data that supports them. Without defined accountability, it becomes difficult to coordinate responses during incidents or demonstrate control to regulators.
The second step focuses on defining Critical or Important Functions.
These functions must be clearly identified and consistently registered within the organization. This creates the business context that allows all other processes, including mapping, continuity planning, and reporting, to function effectively.
The third step is mapping.
This is where organizations begin to understand how their environment actually works. By bringing together business and technical stakeholders, they can identify how applications, infrastructure, and services are connected, replacing static documentation with a more accurate and dynamic view.
The fourth step involves tracking third-party dependencies.
Vendors play a critical role in supporting many services, yet they are often managed in disconnected systems. Linking these dependencies directly to services allows organizations to understand risk exposure and maintain a reliable Register of Information.
The fifth step is protection through Business Continuity Management.
Continuity plans should be grounded in real system data, not assumptions. When based on accurate relationships between services and infrastructure, these plans become more actionable and reliable.
The final step is automation.
Manual processes introduce delays and inconsistencies, particularly in regulatory reporting. By automating key activities such as reporting, impact analysis, and compliance checks, organizations can ensure consistency and respond more effectively under pressure.
Where organizations are today

The benchmark shows that many organizations are still in the early stages of defining their critical functions. While a portion of organizations report that they have fully identified and registered their Critical or Important Functions, the majority are still in progress. A smaller group remains in the planning phase, indicating that even foundational steps are not yet complete across the board.
This has important implications. Without a consistent and complete definition of critical functions, it becomes difficult to build accurate dependency models or produce reliable regulatory reports. As a result, many organizations are trying to implement DORA requirements on top of incomplete structures, which limits their effectiveness.
The challenge of dependency visibility

One of the most significant gaps identified in the benchmark relates to third-party dependencies. A large share of organizations report that they have not yet mapped how vendors support their critical functions. Only a small percentage have achieved full visibility in this area, while others are still working toward partial mapping.
This lack of visibility creates real operational risk. During an incident, organizations need to quickly understand which external providers are involved and how disruptions may spread across services. Without this information, response times increase and decision-making becomes more uncertain.
From a regulatory perspective, this also makes it harder to demonstrate control and traceability, both of which are central to DORA.
The reality of reporting and automation

Another key finding is the continued reliance on manual processes for regulatory reporting. Even among organizations that use platforms like ServiceNow, many still generate reports manually. This includes critical outputs such as incident reporting and the Register of Information.
Manual processes introduce several challenges. They are time-consuming, difficult to scale, and more prone to inconsistencies. In high-pressure situations, such as major incidents, these limitations become even more visible.
Automation, therefore, plays a crucial role. Organizations that automate reporting and impact analysis are better able to ensure consistency, reduce delays, and provide accurate, regulator-ready information when needed most.
What this means in practice
Across all findings, a consistent pattern can be observed. Organizations that rely on fragmented data and manual processes tend to struggle with both compliance and operational response. In contrast, those that build a connected and structured view of their services are able to move more confidently from compliance to resilience.
Our DORA benchmark findings at Einar & Partners show that organizations which transition from manual, disconnected setups to integrated, relationship-based service models are significantly better positioned to understand dependencies, provide regulator-ready evidence, and respond effectively during disruptions.
This shift does not happen through tools alone. It requires a change in how data, ownership, and processes are structured and connected across the organization.
