DEV Community

SIKOUTRIS

DORA Regulation 2025-2026: What Financial Institutions Must Do Now

The Digital Operational Resilience Act (DORA) — EU Regulation 2022/2554 — entered into full application on 17 January 2025. Financial institutions that have not yet completed their compliance programs are now operating in breach of directly applicable EU law.

Who Must Comply

DORA applies broadly across the EU financial sector:

  • Credit institutions and payment institutions
  • Investment firms and fund managers (AIFMs, UCITS)
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs) under MiCA
  • Critical ICT third-party service providers (cloud, SaaS, data)

With over 22,000 entities in scope across EU member states, DORA is one of the most expansive ICT resilience frameworks ever enacted.

The Five Pillars of DORA

1. ICT Risk Management

Entities must maintain a comprehensive ICT risk management framework, including documented policies, business continuity plans, and annual reviews. The framework must cover identification, protection, detection, response, and recovery.

2. ICT Incident Reporting

Major incidents must be reported to competent national authorities within strict timeframes:

  • Initial notification: within 4 hours of classifying the incident as major
  • Intermediate report: within 72 hours of the initial notification
  • Final report: within 1 month of the intermediate report

3. Digital Operational Resilience Testing

Entities must conduct regular Threat-Led Penetration Testing (TLPT) using certified testers. For significant institutions, this advanced testing is mandatory at least every 3 years.

4. ICT Third-Party Risk Management

Contracts with critical ICT providers must include specific clauses: audit rights, exit strategies, performance SLAs, and data location. The ESAs maintain a public register of critical third-party providers.

5. Information Sharing

Entities are encouraged (and in some cases required) to participate in cyber threat intelligence sharing arrangements.

Key Compliance Gaps in 2026

Audit findings from early 2026 show common gaps:

  • Incomplete ICT asset inventories: Many institutions lack a full map of their critical ICT dependencies
  • Contractual gaps with cloud providers: Legacy contracts predate DORA and lack mandatory clauses
  • Untested recovery plans: BCP documentation exists but live-drill testing has not been conducted
  • Third-party concentration risk: Multiple critical functions rely on the same cloud provider without documented mitigation

Practical Steps for Q2-Q3 2026

  1. Complete the ICT risk register and map all critical third-party dependencies
  2. Audit existing ICT contracts against DORA Article 30 requirements
  3. Schedule TLPT with a qualified test provider (TIBER-EU framework compatible)
  4. Implement the incident classification matrix for the 72-hour reporting obligation
  5. Engage your competent authority (ACPR for France, BaFin for Germany, etc.) proactively

For detailed regulatory text analysis and compliance templates, dora-finance.fr provides structured resources aligned with the EBA/ESMA/EIOPA joint guidelines.

Sanctions and Supervisory Expectations

National competent authorities have broad powers under DORA including:

  • Public statements identifying the non-compliant entity
  • Temporary prohibition on senior management functions
  • Fines up to 1% of average daily worldwide turnover for each day of non-compliance (for critical ICT providers)

The supervisory expectation in 2026 is clear: DORA is not a checkbox exercise. Regulators expect documented evidence of operational testing, not just policy adoption.
