Under DORA Article 5, your Board of Directors is now legally accountable for IT risk. With annual attestations in full swing, infrastructure gaps have become discoverable evidence in litigation, backed by a dual-threat penalty system.

While financial entities face administrative fines of up to 2% of total annual worldwide turnover, critical ICT providers can now be hit with periodic penalty payments of up to 1% of average daily worldwide turnover for every day a breach persists. In 2026, staying in-house is a direct threat to your C-suite’s legal and financial standing.

Continue reading to:

  • See why a single 138-minute outage can result in over $1 million in direct losses and regulatory penalties.
  • Learn how managed hosting absorbs the operational strain of mandatory Threat-Led Penetration Testing (TLPT).
  • Secure your international operations without building local ICT frameworks from scratch.
  • Turn your IT infrastructure into a documented asset that satisfies the most stringent regulatory audits.

The Five Pillars of DORA vs. The In-House Reality

The Digital Operational Resilience Act (DORA) is the definitive EU framework for digital resilience in financial services, built on five distinct pillars. For firms operating across international borders, these pillars define what resilience must look like:

  1. ICT Risk Management: Setting the strategy and governance for digital risks.
  2. Incident Reporting: Modernizing how and when major ICT-related incidents are logged and reported.
  3. Digital Operational Resilience Testing: Establishing a risk-based program for the regular, comprehensive testing of ICT systems to validate defense and recovery capabilities.
  4. ICT Third-Party Risk: Managing the risks associated with outside service providers.
  5. Information Sharing: Encouraging the exchange of cyber threat intelligence.

The conflict lies in the gap between these mandates and the physical reality of unmanaged legacy infrastructure.

While in-house setups offer physical possession, they often fail to keep pace with shifting legal requirements.

Vertiv/Ponemon research highlights the vulnerability of non-specialized sites, which suffer an average of 2.4 shutdowns annually. Under DORA, these unplanned outages are treated as immediate breaches. Unlike unmanaged systems that struggle with the real-time, centralized logging required for reporting, professionally managed environments are built for transparency.

The true DORA advantage lies in continuous adaptation. While internal IT teams are often consumed by daily maintenance, a managed partner like Comarch guarantees that infrastructure evolves alongside new Regulatory Technical Standards (RTS). This shift ensures that “control” is not just a feeling of ownership, but a documented state of compliance. By utilizing managed hosting, firms move from reactive patching to a proactive, audit-ready posture that satisfies the most rigorous year-over-year resilience testing without draining internal resources.

Managing DORA Third-Party Risk with Certified Managed Hosting Partners

Under DORA, your infrastructure model is a core component of your regulatory standing. For firms managing their own legacy platforms, the burden of vetting and maintaining these environments to evolving standards is immense. Companies expect to spend between €2 million and €5 million to maintain compliance, a cost largely driven by the need for specialized IT and legal staff to oversee non-managed systems.

Choosing an unmanaged in-house environment places this entire financial and operational weight on your internal team. In contrast, Comarch provides a professionally managed environment that guarantees continuous alignment with changing regulations. By leveraging a partner whose core business is regulatory infrastructure, you inherit pre-certified redundancy protocols and audit-ready reporting. This shifts the burden of regulatory monitoring to a dedicated team of experts, ensuring your control is backed by professional-grade agility.

Surviving Mandatory DORA TLPT: Risks of Testing Legacy Infrastructure

DORA has institutionalized high-stakes technical validation through mandatory Threat-Led Penetration Testing (TLPT). For critical financial entities, high-end simulations of cyberattacks are no longer optional. However, for those relying on unmanaged legacy silos, these tests present a significant risk: as National Competent Authorities (NCAs) tighten oversight, mandatory stress tests are exposing the fragility of systems that haven't evolved alongside modern security requirements.

Why “Testing to Fail” is a Legacy Risk

The primary risk of legacy infrastructure is the lack of regulatory agility.

  • Environment Parity: Aging systems often lack the scalability to spin up the identical, high-fidelity test environments required for DORA, forcing firms into low-fidelity simulations that fail to satisfy rigorous audit standards.
  • Resource Drain: Stress-testing unmanaged hardware consumes disproportionate internal resources and risks exposing vulnerabilities that legacy architectures (often maintained by generalist staff) cannot patch quickly enough to meet compliance windows.
  • Operational Fragility: Without the professional management layer, a compliance check can easily turn into a service catastrophe if the testing impacts production environments.

The Managed Advantage: Resilient by Design

By moving to a professionally managed environment, organizations shift from unpredictable risk to a state of continuous readiness.

  • Engineered for Recovery: These ecosystems are backed by 99.9% to 99.99% uptime SLAs and are specifically designed for rapid recovery and "business as usual" continuity.
  • Expert Oversight: Comarch provides the specialized IT and legal expertise required to oversee these complex systems, ensuring that TLPT is a documented success rather than a discovery of failure.
  • Continuous Adaptation: Instead of reactive patching, you benefit from infrastructure that evolves with new Regulatory Technical Standards (RTS), ensuring your testing environment is always audit-ready.

Ensuring Data Sovereignty and DORA Compliance for International ICT Expansion

Traditionally, the primary driver for maintaining in-house infrastructure has been the desire for absolute control. There is a common assumption that physical possession of servers is the only way to guarantee strict data sovereignty and meet GDPR-level requirements.

However, DORA changes the definition of “control.” Under this new regime, control means continuous adaptability. A well-maintained on-premise installation can facilitate reporting, but the challenge arises when that infrastructure is a legacy platform not managed by specialized IT staff. Without professional management, “control” quickly turns into a liability as legal requirements evolve faster than the internal team can adapt.

The Challenges of Cross-Border Compliance

  • Regulatory Evolution: Each new jurisdiction brings a different interpretation of DORA’s Regulatory Technical Standards (RTS). Legacy teams often struggle to keep up with these localized shifts.
  • Audit Inconsistency: Managing a patchwork of unmanaged local sites makes it nearly impossible to maintain a "North Star" of uniform resilience and reporting.
  • The Management Gap: Small, local IT teams are often generalists. DORA requires specialists who understand the intersection of ICT security and financial law.

Managed Sovereignty: Compliance without Infrastructure Debt

Comarch Enterprise Hosting provides the “Managed Sovereignty” model. We offer the data localization and control traditionally associated with on-premise setups, but with the added security of a professionally managed environment.

  • Continuous Adaptation: Comarch guarantees that your environment is constantly updated to meet changing legal requirements, including the latest DORA mandates.
  • Inherited Compliance: When you expand into a new market with Comarch, you aren't starting the regulatory climb from scratch. You inherit an infrastructure that is already audit-ready and managed by experts.
  • Unified Reporting: We provide a single, professional point of contact for all international operations, turning a patchwork of sites into a streamlined, DORA-compliant ecosystem.

ROI of DORA Compliance: The Math of Resilience

The business case for a professionally managed environment is written in the cost of silence. For financial entities, IT downtime is a direct hit to the P&L, with industry benchmarks placing costs between $300,000 and $540,000 per hour. When core data centers average 2.4 facility shutdowns annually, the financial risk is staggering: a single two-hour outage can drain up to $1.1 million.

  • Per-Minute Impact: ~$5,600
  • A Single 2-Hour Outage: $600,000 – $1.1 Million
  • The Regulatory Multiplier: These figures exclude DORA’s potential 2% global turnover fines.

Under DORA, these figures are just the baseline. The Regulatory Multiplier (including daily penalties) can turn a single morning of downtime into a quarterly loss.

By shifting from CAPEX-heavy legacy silos to a managed OPEX model, you trade unpredictable liability for guaranteed 99.9%–99.99% uptime. A managed hosting contract pays for itself by preventing a single outage and transferring accountability to a partner that ensures continuous adaptation to evolving legal requirements.

Is Your Infrastructure Costing More Than You Realize?

The enforcement era is here, and for those tethered to unmanaged legacy infrastructure, the fall will be expensive. DORA has solidified the link between IT resilience and board-level legal liability.

But DORA compliance is only one part of the financial equation. Legacy data centers carry hidden costs in maintenance, energy, and lost agility that rarely appear on a standard line item. Before you submit your next annual attestation, compare your current operational spend against the managed model and get the full analysis: The True Cost of On-Premise Data Centers.
