Contents
- DORA Transposition Status: Where EU Member States Stand in December 2025
DORA Transposition Status: Where EU Member States Stand in December 2025
Why the DORA transposition matters?
The Digital Operational Resilience Act (DORA) is a cornerstone of the EU’s regulatory framework for ICT risk management in the financial sector. While Regulation (EU) 2022/2554 is directly applicable, Directive (EU) 2022/2556 requires national transposition to ensure effective supervision, enforcement, and sanctioning at Member State level.
As of 16 December 2025, almost one year after the transposition deadline, the DORA transposition status across the EU remains uneven, with infringement proceedings underway against multiple Member States. For financial institutions, auditors, and compliance functions, understanding this status is essential for regulatory risk management and supervisory preparedness.
DORA as Regulation and Directive
DORA consists of two legal instruments:
- Regulation (EU) 2022/2554
Directly applicable since 17 January 2025, setting out substantive requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management. - Directive (EU) 2022/2556
Requires Member States to transpose rules on:- supervisory powers,
- enforcement mechanisms,
- sanctions,
- and institutional responsibilities.
The transposition deadline for the directive was 17 January 2025.
EU-Wide Overview of the DORA Transposition
As of 16 December 2025, the European Commission reports the following:
- 22 Member States have communicated full transposition measures
- 2 Member States have communicated partial transposition measures
- 3 Member States have not communicated any transposition measures
Despite this apparent progress, the Commission has initiated infringement proceedings against 13 Member States, highlighting persistent deficiencies in notification or completeness.
Member State Breakdown
Member States with No Transposition Measures Communicated
The following countries have not notified any national transposition measures:
- France
- Portugal
- Spain
These Member States are in breach of their obligation to communicate national implementing laws for Directive (EU) 2022/2556.
Member States with Partial Transposition
Partial transposition measures have been communicated by:
- Denmark
- Slovenia
Partial transposition typically indicates gaps such as:
- incomplete supervisory mandates,
- missing sanctioning regimes, or
- unclear allocation of responsibilities between authorities.
Member States with Full Transposition Communicated
The following 22 Member States have notified full transposition measures:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Finland, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Romania, Slovakia, Sweden.
However, full communication does not automatically mean full compliance, as evidenced by ongoing infringement procedures.
Infringement Proceedings: A Critical Signal
Member States Subject to Commission Action
Infringement proceedings for non-communication, delayed notification, or incomplete transposition are pending against:
Belgium, Bulgaria, Denmark, France, Greece, Latvia, Lithuania, Malta, Poland, Portugal, Slovenia, Sweden, Spain.
This list includes several Member States that are otherwise classified as having “fully transposed” the directive, indicating qualitative or formal deficiencies rather than purely timing-related issues.
Implications for Financial Institutions
DORA Applies Regardless of National Transposition
A key regulatory principle remains unchanged:
- DORA obligations apply as of 17 January 2025, independent of national transposition delays.
- Institutions cannot rely on missing or incomplete national law to justify non-compliance.
Supervisory authorities may bridge legislative gaps through administrative practice, guidance, or intensified inspections.
Audit and Compliance Considerations
For compliance officers, internal audit, and external auditors, the current transposition status implies:
- increased supervisory attention in Member States with infringement procedures,
- higher expectations for documented DORA readiness,
- limited tolerance for “legal uncertainty” arguments.
A regulation-first compliance approach is therefore essential.
DORA Compliance Cannot Wait
While the majority of EU Member States have formally transposed Directive (EU) 2022/2556, the DORA transposition status in December 2025 remains legally and practically fragmented. Active infringement proceedings demonstrate that the European Commission is enforcing transposition obligations with increasing intensity.
For financial entities, the message is clear:
Digital operational resilience under DORA is not optional, not deferred, and not dependent on national legislative maturity.
Compliance strategies must be anchored directly in the DORA framework itself, supported by robust governance, documentation, and audit-ready evidence.