
DORA Compliance: Complete Guide to the Digital Operational Resilience Act (2026)
Everything financial entities need to know about DORA compliance in 2026 — ICT risk management, incident reporting, TLPT, third-party risk, enforcement updates, and how to meet the Register of Information deadline.
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — is the EU's dedicated framework for ICT risk management in the financial sector. It has applied since 17 January 2025 and affects virtually every regulated financial entity in the European Union.
Unlike NIS2, DORA is a regulation, not a directive. It applies directly across all Member States without requiring national transposition. The European Supervisory Authorities explicitly stated in December 2024 that "DORA does not provide for a transitional period." If you are in the financial sector, DORA compliance is not optional — and in 2026, regulators have shifted from guidance to enforcement.
What Is DORA?
DORA establishes a comprehensive framework to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It covers five key pillars:
- ICT risk management — Governance framework for managing ICT risks
- ICT-related incident reporting — Standardised reporting of major incidents
- Digital operational resilience testing — Regular testing of ICT systems
- ICT third-party risk management — Oversight of critical ICT service providers
- Information sharing — Voluntary sharing of cyber threat intelligence
The regulation recognises that the financial sector's increasing dependence on technology creates systemic risks that go beyond individual institutions. A single ICT failure or cyberattack can cascade through interconnected financial systems — making operational resilience a matter of financial stability, not just IT security.
Who Must Comply With DORA?
DORA applies to 21 categories of financial entities:
| Category | Examples |
|---|---|
| Credit institutions | Banks |
| Payment institutions | Payment processors, PSPs |
| Electronic money institutions | E-money issuers |
| Investment firms | Brokers, asset managers |
| Crypto-asset service providers | Exchanges, custodians |
| Insurance and reinsurance undertakings | Insurers, reinsurers |
| Insurance intermediaries | Brokers, agents |
| Institutions for occupational retirement | Pension funds |
| Central counterparties | Clearing houses |
| Trade repositories | Transaction reporting |
| Central securities depositories | Securities settlement |
| Trading venues | Stock exchanges, MTFs |
| Securitisation repositories | ABS data |
| Credit rating agencies | Rating providers |
| Crowdfunding service providers | Crowdfunding platforms |
| Data reporting service providers | APAs, ARMs |
| Managers of alternative investment funds | Hedge fund managers, PE managers |
| Management companies | UCITS managers |
| Account information service providers | Open banking providers |
Additionally, critical ICT third-party service providers (CTPPs) — such as major cloud providers serving the financial sector — are subject to a new oversight framework.
Proportionality
DORA applies the principle of proportionality. Requirements scale based on:
- Size and overall risk profile of the entity
- Nature, scale, and complexity of services
- The entity's ICT risk exposure
Microenterprises (fewer than 10 employees and less than €2M turnover) benefit from a simplified ICT risk management framework under Articles 15–16.
The Five Pillars of DORA
Pillar 1: ICT Risk Management (Articles 5–16)
Financial entities must establish a comprehensive ICT risk management framework that includes:
Governance:
- Management body retains ultimate responsibility for ICT risk
- Dedicated ICT risk management function, independent from operational ICT
- ICT risk management strategy reviewed at least annually
- Management body must complete ICT risk training
Identification:
- Identify, classify, and document all ICT-supported business functions
- Map ICT assets and their dependencies
- Identify all sources of ICT risk
- Conduct risk assessments at least annually
Protection and Prevention:
- Implement ICT security policies and procedures
- Patch management with defined timelines
- Network security and access controls
- Data protection and encryption measures
Detection:
- Continuous monitoring of ICT systems
- Anomaly detection mechanisms
- Multiple layers of control
Response and Recovery:
- ICT business continuity policy
- Disaster recovery plans with recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Crisis communication procedures
- Post-incident reviews
Learning and Evolving:
- Gather threat intelligence
- Post-incident root cause analysis
- Continuous improvement of the framework
Pillar 2: ICT-Related Incident Reporting (Articles 17–23)
DORA standardises incident classification and reporting across the financial sector. Financial entities must classify and report major ICT-related incidents according to strict thresholds:
Major Incident Classification Criteria:
- Number of clients or counterparties affected
- Duration of the incident
- Geographical spread
- Volume of data losses
- Impact on critical services
- Economic impact
Reporting Timeline:
| Timeline | Report Type | Content |
|---|---|---|
| Within 4 hours of classification as major (no later than 24 hours after detection) | Initial notification | Basic facts and classification |
| Within 72 hours of classification | Intermediate report | Updated assessment and impact |
| Within 1 month after the intermediate report | Final report | Root cause analysis, remediation measures |
Financial entities must also notify affected clients without undue delay when incidents impact their financial interests (Article 19(3)). This horizontal communication obligation — to counterparties, not just regulators — is one of DORA's most operationally demanding requirements.
Pillar 3: Digital Operational Resilience Testing (Articles 24–27)
All financial entities must conduct regular testing:
Basic Testing (all entities):
- Vulnerability assessments and scans
- Open source analyses
- Network security assessments
- Gap analyses
- Physical security reviews
- Scenario-based testing
- Compatibility testing
- Performance testing
- End-to-end testing
Advanced Testing (significant entities only):
- Threat-Led Penetration Testing (TLPT) at least every three years
- Must follow recognised frameworks (TIBER-EU or equivalent national framework)
- Conducted by qualified external testers
- Covers critical ICT systems supporting critical or important functions
- Results reported to competent authorities
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the ECB's framework for TLPT — though national variants (like TIBER-DE, TIBER-NL, TIBER-FR) are equally accepted.
Pillar 4: ICT Third-Party Risk Management (Articles 28–44)
DORA creates a comprehensive framework for managing outsourcing and third-party ICT risk. This is one of the most operationally intensive aspects of DORA compliance:
Pre-Contractual Requirements:
- Risk assessment before entering any ICT service contract
- Due diligence on potential providers
- Concentration risk assessment — avoiding systemic dependence on single providers
Contractual Requirements (Article 30): Contracts with ICT third-party providers must include mandatory provisions covering:
- Full description of services and SLAs
- Location of data processing and storage
- Right to audit and access
- Cooperation obligations during incidents
- Data portability and transition support
- Exit strategies and transition plans
Register of Information (Article 28(3)): Financial entities must maintain a structured, continuously updated register of all ICT third-party service provider arrangements. This register is a key supervisory tool — it must be available for inspection at any time and submitted annually to national authorities.
Oversight of Critical ICT Third-Party Providers (CTPPs): The European Supervisory Authorities (EBA, EIOPA, ESMA) can designate providers as CTPPs, subjecting them to direct oversight including:
- Annual risk analyses
- Comprehensive reporting obligations
- On-site and remote inspections
- Joint Examination Teams (JETs)
- Periodic penalty payments of up to 1% of average daily worldwide turnover for non-cooperation
Pillar 5: Information Sharing (Article 45)
DORA encourages — but does not mandate — financial entities to share cyber threat intelligence:
- Share indicators of compromise, tactics, techniques, and procedures (TTPs)
- Exchange information on cyber threats within trusted communities
- Participate in information sharing arrangements
- Notify competent authorities about participation
DORA in 2026: What Has Changed
19 Critical ICT Third-Party Providers Designated
On 18 November 2025, the EBA, EIOPA, and ESMA published the first official list of 19 designated Critical ICT Third-Party Providers under DORA. The list includes major cloud and platform service providers:
- Hyperscale cloud: AWS, Microsoft Azure, Google Cloud
- Financial data and technology: Bloomberg, London Stock Exchange Group, IBM
- IT services and telecom: Tata Consultancy Services, Orange
These providers are now subject to direct oversight by Joint Examination Teams (JETs). Financial entities that rely heavily on any designated CTPP must document this dependency in their Register of Information and assess concentration risk accordingly.
Register of Information — 2026 Deadlines
The 2026 Register of Information (ROI) cycle covers ICT third-party arrangements with a reference date of 31 December 2025. National submission deadlines vary:
| Jurisdiction | Competent Authority | 2026 Submission Deadline |
|---|---|---|
| Netherlands | AFM | 31 March 2026 |
| Luxembourg | CSSF | Portal open from 11 February 2026 |
| Malta | MFSA | Jurisdiction-specific deadline |
| Belgium | FSMA | Supervisory review period before 30 April |
| EU consolidated | EBA/EIOPA/ESMA | 30 April 2026 |
A critical warning: In the ESAs' 2024 dry-run exercise, only 6.5% of nearly 1,000 firms across the EU successfully passed all 116 data quality checks. The most common failures involved incomplete contract data, missing subcontractor information, and incorrect criticality classifications. The 2026 submission must be significantly more thorough.
Enforcement Has Shifted
According to AQMetrics, 2026 marks the transition from paperwork compliance to proof of operational resilience. Regulators now expect real-time, data-driven evidence of resilience — not just policy documentation. The new supervisory posture is described as "interventionist supervision."
Deloitte research found that:
- Most institutions estimated DORA compliance costs at between €2 million and €5 million
- Only 50% of institutions expected to achieve full compliance by end of 2025
- 38% are targeting 2026 for full compliance
- Senior management personal liability is now explicitly on regulators' agenda
DORA vs NIS2: Understanding the Relationship
For financial entities, both DORA and NIS2 may be relevant. DORA is lex specialis — it takes precedence where its requirements are more specific:
| Aspect | DORA | NIS2 |
|---|---|---|
| Legal form | Regulation (directly applicable) | Directive (requires transposition) |
| Scope | Financial sector + critical ICT providers | 18 cross-sector categories |
| Incident reporting | 4h initial (from classification) / 72h intermediate / 1 month final | 24h early warning / 72h notification / 1 month final |
| Testing | TLPT every 3 years for significant entities | Effectiveness assessment (less prescriptive) |
| Third-party risk | Detailed framework with oversight regime | Supply chain security requirements |
| Precedence | Takes priority for financial entities | Applies where DORA doesn't cover |
Financial entities comply with DORA for ICT-related requirements. NIS2 may still apply for aspects not specifically covered by DORA — and GDPR obligations run in parallel for personal data processing. For a detailed side-by-side analysis of scope, incident timelines, penalties, and dual-obligation strategy, see our DORA vs NIS2 comparison guide.
DORA Compliance Penalties
DORA does not fully harmonise monetary penalties for financial entities at EU level. Article 50 instead requires Member States to establish effective, proportionate, and dissuasive penalties and remedial measures, so exact fines depend on national law and the relevant competent authority.
For Financial Entities:
- Remediation orders and binding deadlines
- Public statements and supervisory notices
- Restrictions on management functions
- Suspension or withdrawal of authorisation
- Administrative penalties under applicable national law
For Critical ICT Third-Party Providers:
- Lead overseer recommendations and follow-up measures
- Remediation requirements under the oversight framework
- Periodic penalty payments for non-compliance or non-cooperation
Senior management accountability is explicit under DORA, but the exact monetary exposure for financial entities depends on the national regime.
DORA Compliance Roadmap
Step 1: Assess Applicability and Proportionality
Determine which DORA requirements apply to your entity based on:
- Entity type (which of the 21 categories applies)
- Size (microenterprise vs. standard vs. significant entity)
- ICT risk exposure and criticality of operations
Step 2: Conduct a DORA Gap Analysis
Map your current ICT risk management framework against DORA's five pillars. Common gaps identified in 2025 supervisory assessments include:
- Incomplete or absent Register of Information
- Incident classification thresholds not defined
- No TLPT programme for entities qualifying as significant
- Third-party contracts missing DORA-mandatory provisions
- Concentration risk not formally assessed
Step 3: Build Your ICT Risk Management Framework
Establish or update your framework to cover Articles 5–16 requirements:
- Document the management body's formal ICT risk oversight role
- Create or update ICT risk strategy, appetite, and policies
- Establish independent ICT risk management function
- Implement continuous monitoring and anomaly detection
Step 4: Build Incident Reporting Capability
The 4-hour initial notification (from classification as major) is operationally demanding — it requires:
- Pre-defined incident classification criteria and thresholds
- 24/7 detection and escalation procedures
- Pre-agreed notification templates
- Named regulatory contacts at each NCA
- Client notification workflows (Article 19(3))
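The reporting timeline in Pillar 2 and the 4-hour initial notification in Step 4 depend on two clocks that can conflict: 4 hours from classification as major, but never later than 24 hours from detection. The following Python is an added example, not code from the original guide or from Orbiq, showing how a deadline calculator handles that interplay, including the case where an incident is classified so late that the initial notification is already overdue. It assumes that "1 month" means one calendar month (day clamped to the month's length) and that the final-report clock starts from the intermediate deadline when the actual intermediate submission time is not yet known; both are assumptions made here, not statements from the page.

```python
"""DORA major-incident reporting deadline calculator (added example).

Computes the Article 19 deadlines the guide lists: initial notification
within 4 h of classification as major but no later than 24 h after
detection, intermediate report within 72 h of classification, final report
within 1 month of the intermediate report. Assumptions made here, not
stated on the page: "1 month" is one calendar month with the day clamped,
and the final-report clock runs from the intermediate deadline when no
actual submission time is known.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime
    initial_capped_by_detection: bool        # the 24 h-from-detection cap was the binding limit
    initial_overdue_at_classification: bool  # classified so late the initial deadline had passed


def add_one_month(moment: datetime) -> datetime:
    """Advance by one calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def compute_deadlines(detected_at: datetime, classified_at: datetime,
                      intermediate_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the three deadlines from detection and classification timestamps."""
    if detected_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware to avoid off-by-hours errors")
    if classified_at < detected_at:
        raise ValueError("classification cannot precede detection")

    # Initial notification: the earlier of the two limits wins.
    from_classification = classified_at + timedelta(hours=4)
    from_detection = detected_at + timedelta(hours=24)
    initial = min(from_classification, from_detection)
    capped = from_detection < from_classification
    # If classification happened more than 24 h after detection, the initial
    # notification is already late the moment the incident is classified.
    overdue = initial < classified_at

    intermediate = classified_at + timedelta(hours=72)
    # Final report clock runs from the intermediate report: actual submission
    # time when known, otherwise the intermediate deadline itself (assumption).
    final = add_one_month(intermediate_submitted_at or intermediate)
    return ReportingDeadlines(initial, intermediate, final, capped, overdue)


def deadlines_from_iso(detected_iso: str, classified_iso: str) -> dict:
    """Convenience wrapper: ISO-8601 strings in, ISO-8601 strings plus flags out."""
    d = compute_deadlines(datetime.fromisoformat(detected_iso),
                          datetime.fromisoformat(classified_iso))
    return {
        "initial": d.initial.isoformat(),
        "intermediate": d.intermediate.isoformat(),
        "final": d.final.isoformat(),
        "capped_by_detection": d.initial_capped_by_detection,
        "overdue_at_classification": d.initial_overdue_at_classification,
    }


if __name__ == "__main__":
    # Constructed sample: detected 10:00 UTC, classified 22 h later, so the
    # 24 h-from-detection cap binds and the 4 h window shrinks to 2 h.
    for key, value in deadlines_from_iso("2026-03-01T10:00:00+00:00",
                                         "2026-03-02T08:00:00+00:00").items():
        print(f"{key}: {value}")
```

The `initial_overdue_at_classification` flag is the one to wire into escalation: if detection-to-classification routinely exceeds 20 hours, the 4-hour window is effectively gone, which is why Step 4 asks for pre-defined classification thresholds and 24/7 escalation.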
Step 5: Implement a Resilience Testing Programme
For all entities:
- Annual vulnerability assessments and network security testing
- Scenario-based business continuity exercises
For significant entities:
- Identify and engage qualified TLPT testers
- Align with TIBER-EU or national equivalent
- Agree scope with competent authority in advance
Step 6: Fix Your Register of Information
This is the most urgent practical priority in 2026. Requirements:
- Document all ICT third-party service arrangements in the ESA-specified template
- Include: provider details, contract scope, service locations, subcontractors, criticality classification
- Assess concentration risk for providers serving multiple critical functions
- Submit by your national NCA's deadline
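The Register of Information passage under Pillar 4 and Step 6 above describe a structured dataset that regulators validate automatically, and the dry-run results cited earlier name the failures that dominated: incomplete contract data, missing subcontractor information and incorrect criticality classifications. The Python below is an added example, not code from the original guide or from Orbiq, of the kind of pre-submission check a firm can run over its own register, plus the Step 6 concentration-risk view of providers serving several critical or important functions. The record layout, the field names, the allowed criticality values and the concentration threshold are simplified assumptions made here; the official ESA template has its own fields and far more than five checks.

```python
"""Register of Information (ROI) pre-submission checks (added example).

Implements a handful of data-quality checks of the kind the guide says
firms failed in the ESAs' dry run, plus a concentration-risk summary.
Field names, the criticality vocabulary and the threshold are assumptions
for illustration, not the official ESA template.
"""
from collections import defaultdict
from typing import Dict, List

ALLOWED_CRITICALITY = {"critical", "important", "non-critical"}   # assumed vocabulary
REQUIRED_CONTRACT_FIELDS = ("contract_ref", "start_date", "service_description", "data_locations")
CONCENTRATION_THRESHOLD = 2   # assumed: flag a provider supporting >= 2 critical/important functions


def validate_entry(entry: dict) -> List[str]:
    """Return findings for one ROI arrangement; an empty list means it passes."""
    findings = []
    ref = entry.get("contract_ref", "<no ref>")
    # 1. Provider identity must be complete (name and LEI)
    if not entry.get("provider_name") or not entry.get("provider_lei"):
        findings.append(f"{ref}: provider name/LEI incomplete")
    # 2. Contract data completeness
    for field in REQUIRED_CONTRACT_FIELDS:
        if not entry.get(field):
            findings.append(f"{ref}: contract field '{field}' missing")
    # 3. Criticality must use the allowed classification
    crit = entry.get("criticality")
    if crit not in ALLOWED_CRITICALITY:
        findings.append(f"{ref}: invalid criticality '{crit}'")
    # 4. Subcontractor chain must be declared explicitly (an empty list is
    #    acceptable only when it is actually stated, not merely absent)
    if "subcontractors" not in entry:
        findings.append(f"{ref}: subcontractor information not declared")
    # 5. Critical/important arrangements must be tied to business functions
    if crit in {"critical", "important"} and not entry.get("functions_supported"):
        findings.append(f"{ref}: critical/important arrangement lists no supported functions")
    return findings


def concentration_risk(entries: List[dict]) -> Dict[str, List[str]]:
    """Providers supporting at least CONCENTRATION_THRESHOLD critical/important functions."""
    by_provider = defaultdict(set)
    for e in entries:
        if e.get("criticality") in {"critical", "important"}:
            by_provider[e.get("provider_name")].update(e.get("functions_supported", []))
    return {p: sorted(f) for p, f in by_provider.items() if len(f) >= CONCENTRATION_THRESHOLD}


def validate_register(entries: List[dict]) -> Dict[str, object]:
    """Aggregate findings and concentration view for the whole register."""
    findings = [f for e in entries for f in validate_entry(e)]
    return {"findings": findings, "concentration": concentration_risk(entries),
            "passed": not findings}


# Constructed sample register: two complete entries and one with the classic gaps.
SAMPLE_REGISTER = [
    {"provider_name": "CloudCo", "provider_lei": "LEI-PLACEHOLDER-0001",
     "contract_ref": "CTR-0001", "start_date": "2024-01-15",
     "service_description": "hosting for payments and core banking", "data_locations": ["IE", "DE"],
     "criticality": "critical", "subcontractors": ["DC Operator GmbH"],
     "functions_supported": ["payments", "core banking"]},
    {"provider_name": "CloudCo", "provider_lei": "LEI-PLACEHOLDER-0001",
     "contract_ref": "CTR-0002", "start_date": "2025-03-01",
     "service_description": "managed database for trade reporting", "data_locations": ["NL"],
     "criticality": "important", "subcontractors": [],
     "functions_supported": ["trade reporting"]},
    {"provider_name": "DataVendor Ltd",                      # no LEI
     "contract_ref": "CTR-0003", "start_date": "2025-06-01",
     "service_description": "market data feed",              # no data_locations
     "criticality": "high",                                  # not an allowed value
     "functions_supported": ["trade reporting"]},            # subcontractors key absent
]

if __name__ == "__main__":
    result = validate_register(SAMPLE_REGISTER)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("Concentration:", result["concentration"])
    print("Passed:", result["passed"])
```

Running it on the constructed register reports four findings for CTR-0003 and flags CloudCo as supporting three critical or important functions, which is exactly the dependency Step 6 asks you to document and assess before submission.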
Step 7: Implement Continuous Compliance
DORA compliance is not a point-in-time exercise. Build continuous processes for:
- Ongoing monitoring of ICT third-party providers' security posture
- Quarterly review of the Register of Information
- Annual review of the ICT risk management framework
- Annual review of incident classification thresholds
How Orbiq Supports DORA Compliance
Orbiq helps financial entities manage DORA's operational requirements continuously:
- Register of Information management: Maintain a complete, structured inventory of ICT third-party arrangements — always ready for supervisory submission
- Vendor monitoring: Continuous assessment of third-party ICT providers' security posture and compliance status, including designated CTPPs
- Evidence management: Automated collection and organisation of compliance evidence for regulatory inspections and TLPT processes
- Trust Center: Demonstrate your operational resilience posture to counterparties, auditors, and regulators — fulfilling the Article 19(3) horizontal communication obligation
- Supply chain visibility: Real-time view of your ICT dependency landscape, concentration risk scoring, and CTPP exposure mapping
- Continuous monitoring: Automated controls monitoring that generates inspection-ready evidence without manual effort
Built for European financial services from day one, with EU data residency and GDPR-native architecture. If you're also evaluating EU compliance software across NIS2, GDPR, and CRA — not just DORA — see our EU Compliance Software Buyer's Guide for a structured comparison framework.
Key DORA Deadlines in 2026
| Deadline | Requirement |
|---|---|
| 30 April 2026 | Register of Information submission to ESAs (via national NCAs) |
| Ongoing | Continuous monitoring of ICT third-party providers |
| Annually | ICT risk management framework review |
| Every 3 years | TLPT for significant entities |
Further Reading
- DORA Incident Reporting and Provider Monitoring: Articles 19, 28, 30
- NIS2 Compliance Guide — For requirements beyond DORA's scope
- NIS2 Supply Chain Security — Complementary third-party risk guidance
- Vendor Assurance Platform — How Orbiq manages ICT third-party risk at scale
Sources & References
- Regulation (EU) 2022/2554 — DORA Full Text — Official EU Journal source for all article references
- ESAs designate critical ICT third-party providers under DORA, 18 November 2025 — First CTPP list: 19 providers including AWS, Microsoft, Google Cloud, IBM, Bloomberg, LSEG, TCS, Orange
- DORA 2026: End of the Grace Period for Digital Resilience — AQMetrics — Shift to interventionist supervision; enforcement posture update
- DORA Register of Information 2026 — CSSF Luxembourg — CSSF submission deadlines and portal details
- DORA Register of Information 2026 — FSMA Belgium — FSMA supervisory expectations for 2026
- DORA Compliance Checklist 2026 — Thomas Murray — Compliance progress statistics; 50% full compliance rate
- DORA Penalties and Fines Guide 2025 — Fine structures: 2% turnover, €1M personal, €5M for CTPPs
- Jones Day: DORA Now in Effect for Financial Sector, January 2025 — ESA statement on no transitional period
- TIBER-EU Framework — European Central Bank — TLPT recognised framework reference