
Anyone Who Thinks DORA is Just a Compliance Investment is Asking the Wrong Questions

Written by Markus Böhm | May 5, 2026 8:00:00 AM

DORA compliance gaps persist because institutions focus on checklists rather than on improving processes. I would argue that AI and strong architecture make compliance faster, more reliable, and a natural result of better systems. 


Key takeaways

  • Compliance-first approaches create ongoing inefficiency, with teams repeatedly rebuilding documentation instead of improving underlying systems.
  • AI reduces effort across DORA implementation, especially in gap analysis, documentation, vendor risk assessment, and real-time monitoring.
  • Strong, scalable architecture enables real-time visibility, faster incident response, and built-in regulatory alignment.
  • Organizations that prioritize operational efficiency and transparency achieve compliance as a byproduct, not a separate initiative.


At Mimacom, I support clients across many regulated industries. Banks, insurance companies, and financial institutions are currently focused on DORA, and for good reason: the regulation became mandatory in January 2025. Yet the reality in the DACH region is sobering. Analysis from KPMG shows that none of the German banks surveyed had fully complied with DORA as of the reporting date. The average implementation rate stands at around two-thirds of the requirements, and nearly half of all financial firms in Germany are struggling with significant gaps.

This is understandable if compliance is approached the way it was in the past. Nonetheless, the real question isn’t whether you can meet the requirements. It’s how much faster, and with how much less effort, you could meet them if you used the right methods.


Why AI is missing from critical processes, of all things

I’m sure you use AI as a matter of course for all your daily tasks: writing emails, transcribing conversations, summarizing presentations. But what about more complex, regulatory-sensitive tasks? What about processes where a mistake isn’t just inefficient, but has real consequences?

That’s exactly where things stop being so straightforward. Suddenly, questions arise: How do you scale AI to address a topic like DORA? Where exactly is the added value, and how do you ensure that the results are reliable and usable for regulatory purposes? I see this regularly: The same organizations that use AI for minor tasks hesitate precisely when the potential impact would be greatest.

Anyone who knows me knows this: I’m not satisfied until we’ve tapped into the full potential, and when it comes to speed, efficiency, and quality, AI is the game-changer for DORA. Not despite the complexity, but precisely because of it.


The fallacy behind inefficient DORA implementation

Most financial institutions are asking the wrong question. They ask: How do we comply with DORA? And they work backward from there: checklists, documentation, evidence. The result is a compliance program that ties up resources without truly advancing the organization.


The numbers speak for themselves:

  • According to a Europe-wide Deloitte survey of CISOs, CROs, and DORA program managers from 28 countries, only 25% of institutions feel they are truly compliant in the area of ICT risk management, even though DORA has been in effect since January 2025.

  • Only 8% consider themselves up to speed on the requirements for resilience testing and third-party risk.

  • And 46% cite the Register of Information as their biggest single challenge – a document that is essentially a database task, not a strategic issue.


What these figures show: The problem isn’t a lack of will. It’s the method. Those who approach DORA backwards – that is, from the requirement to the solution – create a never-ending burden. Every new round of regulation, every change in technical standards, every supervisory audit restarts the cycle.

The more productive question is therefore: How do we make our processes leaner, more transparent, and faster? How do we create ICT structures that are visible in real time, accurately map third-party providers, and respond to incidents in minutes rather than days? Those who ask this question and answer it consistently will ultimately realize: DORA is already fulfilled. Not as a goal, but as a result.


Compliance as a result, not a goal: Three examples

This is exactly what we observe in our project work. For a Swiss cantonal bank, we fundamentally redesigned its digital onboarding and KYC processes with the primary goal of accelerating workflows and making risks operationally visible. The result was not a compliance solution on paper, but a platform that generates regulatory evidence as a byproduct of efficient processes.

The same bank had batch systems that were too slow for operational reality, regardless of DORA. Building a real-time infrastructure based on Kafka not only made the 24-hour reporting requirement feasible but also improved the organization’s overall responsiveness.

And we have been supporting Migros Bank – now one of the most digital banks in Switzerland – for years through numerous projects, demonstrating where a consistently modernized ICT landscape leads: to systems that respond faster, are cheaper to operate, and are robust from a regulatory standpoint because they were built that way from the start.

That is the difference between compliance as a mandatory exercise and compliance as the result of good architecture.


The key areas of application for AI in DORA implementation

So, what does this look like for companies looking to get started now? According to our analysis, there are five areas where AI has the greatest impact in DORA and where we see concrete results:

1. Health check and gap analysis

What traditionally takes weeks (the structured analysis of an ICT landscape against DORA requirements) can be reduced to days using AI-supported methods. This isn't to say the process will lack rigor; quite the opposite. Patterns are recognized, data is consolidated, and gaps are systematically identified without every step having to be performed manually.

2. Compliance documentation

One of the biggest hidden burdens in DORA is the documentation workload (evidence, runbooks, vendor registers, incident reports). AI not only generates these documents faster but also keeps them up to date. This is a crucial difference, especially when it comes to the Register of Information.

3. Vendor risk assessment

DORA requires complete transparency regarding all third-party ICT providers, including subcontractors. More than half of institutions fail precisely in this area. AI can analyze contract data, create risk profiles, and identify gaps in the governance chain to an extent that is simply not realistic to achieve manually.

4. Technical implementation

AI-powered code generation and automated testing result in fewer errors, shorter development cycles, and an infrastructure built for resilience from the ground up. In practice, this translates to approximately 30% less engineering effort while maintaining or improving quality.

5. Real-time monitoring

Starting in 2026, regulators will no longer be satisfied with documentation alone but will demand real-time evidence. With AI-powered monitoring based on tools like Elastic, DORA compliance shifts from a periodic exercise to a permanent, visible state. Regulators, auditors, and board members can see where the institution stands at any time.


From the status quo to scalable compliance in three steps

The question, then, is what sets apart institutions that are stuck in place with DORA from those that are turning compliance into an operational strength. It’s less about the technology and more about the strategy used to approach the issue.

  • The first step is an honest assessment of the current situation, not as a theoretical exercise, but as a practical inventory: What is in place? What can actually be verified? And where do operational reality and regulatory expectations diverge?

  • The second step is architecture before documentation. Those who first build robust, scalable processes and systems, then build the compliance layer on top of them, end up with both and don’t have to start from scratch with every regulatory cycle. Those who do the opposite build paper compliance that won’t hold up at the next audit.

  • The third step is visibility. Compliance that cannot be measured is not compliance, but a mere assertion. Real-time dashboards that display the status across all five DORA pillars are not a technical “nice-to-have.” They are the control instruments that management, supervision, and the board of directors need to make informed decisions.

DORA isn’t just about compliance; it’s about competitiveness

The bottom line is this: investments in compliance should be scalable. What is built today for DORA should support NIS2, upcoming EBA guidelines, and future EU regulatory initiatives – not as a byproduct, but as a deliberate architectural decision.

Institutions that stop thinking about compliance in a backward-looking way don’t just build systems that comply with regulations; they build better systems: faster, more transparent, and more resilient. They create the flexibility they need, not just for DORA, but for everything that comes after it. DORA is then not the goal. It is the result.