DORA is signed. Fourteen months is less time than it sounds.
The Digital Operational Resilience Act is now on the books, and its application date, January 17, 2025, has the comfortable ring of the distant future. Fourteen months. Two budget cycles. Time enough, surely.
We have watched enough regulatory countdowns, GDPR most memorably, to offer a prediction: the institutions that will be ready are the ones treating this interval as short, because for the work that matters most, it is.
What actually takes fourteen months
Policy documents can be written in a quarter. What cannot be compressed is evidence infrastructure. DORA's register of information demands a complete, current map of ICT third-party dependencies against critical functions. Its incident regime assumes you can reconstruct what happened within hours. Its testing obligations assume failover is something you have rehearsed, not something you believe in.
None of those capabilities can be bought in the autumn of 2024. They accrete: an inventory that becomes trustworthy because it is generated from live traffic rather than interviews; records that exist because the platform writes them by default; a failover that works because it has failed in rehearsal twice already.
GDPR's lesson was not that preparation started too late. It was that preparation started with documents when it should have started with data.
The trap of the comfortable deadline
Fourteen months feels generous, and that feeling is the danger. A distant deadline invites the organization to start with the work that is visible and satisfying, the policy framework, the governance charter, the vendor selection, and to defer the work that is slow and unglamorous. But it is the slow, unglamorous work that actually consumes the interval, and it cannot be accelerated by throwing effort at it in the final quarter.
Consider what "reconstruct an incident within hours" really requires: records that were already being kept, in a usable form, before the incident occurred. If those records do not exist in October 2024, no amount of preparation in December will bring back the data that was never captured. The capabilities DORA tests are the kind that must be in place and quietly accumulating evidence for months before they are needed. That is why the countdown is shorter than it looks.
A sensible sequence
- Now to spring: build the dependency inventory from the integration layer outward, and reconcile it against the contract register. The gaps you find are your real backlog.
- 2024: make incident timelines reconstructable from records, and run one full failover exercise per critical service. Write down what broke.
- The final quarter: reserve it for the paperwork, which will be easy if the evidence exists and impossible to fake if it does not.
Fourteen months is enough time to do this well, once. It is not enough time to do it twice. Institutions running their estates on governed platforms start with most of the raw material in place; for everyone else, the countdown has already begun.