
One Year of DORA: A Year of Lessons, Adjustments, and Emerging Best Practices

Published on 17/02/2026

It’s been over a year since the Digital Operational Resilience Act (DORA) came into effect and it’s safe to say that the EU’s financial sector has certainly felt its impact. What was introduced as a major regulatory framework aimed at strengthening ICT resilience swiftly became a catalyst for deeper cultural and operational change across a wide range of financial institutions.

A year on, organisations are realising that DORA goes way beyond being a tick‑box compliance exercise. At its core, the regulation represents a fundamental shift in mindset, one that demands greater visibility, stronger accountability, and demonstrable resilience across the entire digital supply chain. As firms continue to uncover gaps in their operational readiness, Software Escrow has emerged as a practical, compliance-friendly tool that helps meet some of DORA’s most challenging requirements.

How Has DORA Reshaped the EU Finance Sector?

1. Third‑party risk management has become far more rigorous

Prior to the arrival of DORA, many financial entities relied heavily on trust and long‑standing vendor relationships. Today, however, they must prove that critical ICT suppliers can support operational resilience.

Over the past year, we’ve seen:

  • More detailed vendor assessments.
  • Increased scrutiny of SLAs and service dependencies.
  • Mandatory mapping of critical ICT services.
  • Greater pressure on vendors to demonstrate resilience.

Interestingly, this has revealed significant gaps in legacy contracts and underscored the need for more robust exit and recovery mechanisms.

2. Boards are now actively involved in ICT resilience

DORA places accountability directly on the management body. As a result, boards are demanding clearer evidence that resilience measures are not only in place but are effective and reliable.

This has led to:

  • More frequent reporting on ICT risk.
  • Greater demand for independent assurance.
  • Increased focus on documented and testable continuity plans.

Software Escrow, especially when paired with verification, has become a common request at board level as part of demonstrating operational readiness.

3. ICT providers are adapting (but not always quickly enough)

Over the past year, vendors have had to respond to a multitude of new contractual and operational requirements. Whilst some have embraced this, others are still catching up.

Financial entities have reported challenges such as:

  • Vendors reluctant to provide transparency.
  • Limited support for exit planning.
  • Insufficient documentation on recovery frameworks.
  • Concerns around vendor insolvency or acquisition.

In response to such obstacles, Software Escrow has increasingly been used to give financial entities the assurance they need without forcing vendors to expose IP prematurely.

4. Supervisory expectations are becoming stricter

Regulators across the EU have spent the past year clarifying the expectations attached to DORA. The message is consistent: operational resilience must be evidenced in practice, not just in theory.

This has accelerated the adoption of tools that provide tangible evidence, including Escrow agreements with regular verification.

Where Organisations Are Still Struggling with DORA

Despite progress, several areas remain challenging:

  • Creating realistic, actionable exit strategies for critical software applications.
  • Proving recoverability if a vendor fails or withdraws support.
  • Ensuring uninterrupted access to source code for bespoke or niche applications.
  • Testing business continuity plans in a way that satisfies auditors.
  • Managing legacy systems where documentation is incomplete and/or outdated.

These gaps align closely with the capabilities of modern Software Escrow solutions.

How Software Escrow Supports DORA Compliance

Over the years, Software Escrow has transitioned from being a “nice‑to‑have” tool to a recognised resilience mechanism that directly supports DORA’s requirements. Here’s why:

1. It strengthens exit strategies.

DORA requires firms to maintain viable exit plans for critical ICT services. Escrow provides:

  • Guaranteed access to source code if a vendor fails.
  • The ability to maintain or transition systems.
  • A practical, testable recovery path.

This turns exit strategies from paper exercises into operational capabilities.

2. It provides evidence of operational continuity.

Verification services involve deposited materials being tested to ensure that they are complete, correct, and can be successfully redeployed. This gives organisations confidence that:

  • The code can be compiled.
  • The application can be deployed.
  • Documentation is complete.
  • Recovery is genuinely achievable.

This is exactly the kind of demonstrable resilience regulators expect.

3. It reduces dependency risk.

Software Escrow mitigates the risk of over‑reliance on a single vendor by ensuring that:

  • Critical knowledge isn’t locked inside the supplier.
  • The organisation retains a path to self‑sufficiency.
  • Vendor failure doesn’t equate to system failure.

This supports DORA’s emphasis on managing ICT concentration risk.

4. It supports governance and audit readiness.

Escrow agreements provide clear, auditable evidence of:

  • Due diligence.
  • Risk mitigation.
  • Contingency planning.
  • Ongoing monitoring.

This helps management bodies meet their accountability obligations under DORA.

5. It protects vendor IP while enabling compliance.

Software Escrow offers a balanced solution that gives financial entities the assurance they need, whilst letting vendors maintain control of their intellectual property (unless a release condition is triggered).

This has contributed to Software Escrow’s emergence as a widely accepted tool across both sides of the supply chain.

The Verdict After One Year: Escrow Is Becoming a Compliance Standard

A year into DORA, the industry has made progress, but the regulation has also exposed gaps in resilience, documentation, and vendor dependency. Software Escrow has gained widespread recognition as a practical, regulator‑aligned solution that helps organisations meet several of DORA’s most demanding requirements.

As DORA continues to shape the operational landscape, Escrow is no longer just a safeguard; it’s becoming a core component of digital and operational resilience.

To learn more or to arrange a call with one of our experts, please get in touch.
