  • Dora
  • 29th Jun 2026

DORA Enforcement 2026: What Financial Entities Must Do Now

Written by Gabriel Few-Wiegratz
In Short
  • DORA has been enforceable since 17 January 2025: competent authorities across EU member states are conducting active supervisory reviews, with no grace period.
  • ICT risk management framework board approval is the most common gap: Article 5 requires the management body to define, approve, and be accountable for the framework. CIO ownership alone fails this test.
  • The Register of Information is under direct scrutiny: Commission Implementing Regulation (EU) 2024/2956 specifies exact data fields. Sub-contractors and critical function classifications are the most common omissions.
  • Significant entities must have TLPT programmes underway: Threat-Led Penetration Testing under Articles 24-27 must run at least every three years. Supervisors are asking for programme evidence, not plans.
  • Penalties reach 2% of total annual worldwide turnover: Article 52 sets the ceiling. National competent authorities have full enforcement powers from January 2025.

Competent authorities across the EU are conducting active supervisory reviews of financial entities under DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which became applicable on 17 January 2025. Findings are being issued. Firms with incomplete programmes face escalating supervisory attention, and in serious cases, sanctions reaching 2% of total annual worldwide turnover under Article 52. This article sets out where enforcement attention is concentrated in 2026, the programme gaps supervisors are finding most consistently, and the priority actions that reduce exposure to supervisory findings.

Expert View

Matt Davies

Chief Product Officer, SureCloud

What our experts say about DORA enforcement priorities in 2026

"The firms getting supervisory findings are the ones whose board never formally approved the ICT risk framework. It exists in the CIO's team and never made it to a board resolution. That's the first thing a competent authority asks to see, and the first thing that's missing."

What DORA Enforcement Looks Like in 2026

DORA's five core requirements have been mandatory since January 2025. The regulatory technical standards (RTS) and implementing technical standards (ITS) that specify how each requirement must be met were finalised by the ESAs and adopted by the European Commission through delegated and implementing regulations published throughout 2024. These standards are now law in all EU member states without the need for national transposition.

Enforcement runs through national competent authorities, with ESA direct oversight reserved for critical ICT third-party providers (CTPPs). In practice, the national competent authority for each financial entity, determined by its home member state, is responsible for assessing compliance, issuing findings, and imposing sanctions where necessary. BaFin in Germany, the AFM and DNB in the Netherlands, the Banque de France and ACPR in France, and the Central Bank of Ireland are all implementing the ESAs' joint supervisory convergence priorities in their domestic markets.

In the first enforcement cycle, supervisory activity has concentrated in three areas: desk-based reviews of submitted documentation (ICT risk management frameworks and Register of Information submissions), targeted supervisory interviews with Chief Information Officers and heads of operational resilience, and thematic reviews across sectors focused on specific DORA pillars, particularly ICT third-party risk and digital operational resilience testing programmes.

ESA Supervisory Priorities for 2026

  • ICT risk management (Articles 5-16): quality and completeness of the board-approved ICT risk management framework; evidence of top management accountability; integration with enterprise risk management.
  • ICT incident reporting (Articles 17-23): completeness and timeliness of major incident classification; operational procedures for the three-stage reporting (initial notification, intermediate report, final report); integration with incident management systems.
  • Digital operational resilience testing (Articles 24-27): TLPT programme planning for significant entities; evidence of basic testing for all entities; gap between testing scope and the actual ICT estate.
  • ICT third-party risk management (Articles 28-44): completeness and accuracy of the Register of Information; ICT concentration risk assessment; contractual compliance for critical ICT services.
  • Information sharing (Article 45): participation in information sharing arrangements; classification of threat intelligence outputs.

The list above maps each DORA pillar to the specific areas competent authorities are examining in 2026. For a detailed explanation of how the five pillars connect and what each requires in practice, see our guide to the five pillars of DORA.

Common Programme Gaps in the First Enforcement Cycle

Based on the ESAs' published supervisory convergence work and national competent authority reviews, the following programme gaps are the most frequently identified across in-scope financial entities.

ICT risk management framework: board approval required

DORA Article 5 requires the management body of the financial entity to define, approve, oversee, and be accountable for the ICT risk management framework. A framework sitting within the CIO function falls short of this requirement unless the board has formally endorsed it. Supervisors are specifically asking for board resolutions or equivalent evidence of formal approval.

Register of Information: completeness and accuracy gaps

Article 28(3) requires financial entities to maintain and update a complete register of contractual arrangements with all ICT third-party service providers. Commission Implementing Regulation (EU) 2024/2956 specifies the exact data fields. Reviews have consistently found sub-contractors uncaptured in most submissions, service classification data incorrect, and the distinction between critical and non-critical functions missing from the majority of submissions.

Incident classification thresholds: operationalisation gaps

DORA's incident reporting framework requires financial entities to classify ICT-related incidents as major or minor based on criteria including the number of clients affected, duration, geographic spread, data losses, and reputational impact. Article 18 sets the classification criteria, and the RTS on major incident reporting specifies the thresholds.

The gap is operational: classification criteria need to be mapped to live monitoring and alerting systems. Many entities have the policy framework in place; the connection to their actual monitoring infrastructure is what's absent.

TLPT programme: significant entities yet to start

Threat-Led Penetration Testing (TLPT) under DORA Articles 24-27 applies to significant entities designated by competent authorities. TLPT is a complex, structured exercise based on the TIBER-EU framework, requiring red team testing across live production systems. It must be conducted at least every three years. Many designated entities have yet to initiate their TLPT programme, making it one of the clearest and most verifiable supervisory findings in the current enforcement cycle.

ICT concentration risk: assessment obligation outstanding

Article 29 requires financial entities to identify and manage ICT concentration risk: the risk from over-reliance on a single ICT third-party provider or a small number of providers across critical functions. Many financial entities have completed their Register of Information but have yet to conduct the concentration risk analysis Article 29 requires. The Register is the input; the analysis is the obligation.

Priority Actions for Financial Entities

For entities with incomplete DORA programmes, the following actions carry the highest priority in 2026, based on supervisory focus and the enforcement risk associated with each gap.

Immediate (0-3 months)

  1. Obtain board approval for the ICT risk management framework. Schedule a board or board committee presentation. Document the approval with a board resolution or equivalent minute.
  2. Complete and validate the Register of Information against the Commission Implementing Regulation (EU) 2024/2956 template. Verify service classifications, critical function flags, and sub-contractor data for every provider.
  3. Operationalise incident classification procedures. Map DORA Article 18 classification criteria to your existing monitoring alerts. Test the three-stage reporting workflow: initial notification within 4 hours of major incident classification, intermediate report within 72 hours, final report within one month.

Near-term (3-6 months)

  1. Conduct an ICT concentration risk assessment using the completed Register of Information. Identify services where more than one critical function depends on the same provider.
  2. Review ICT third-party contracts for DORA Article 30 compliance: exit plan provisions, audit rights, service continuity obligations, and sub-contracting controls.
  3. For entities designated for TLPT, engage a TIBER-EU accredited red team provider and initiate programme scoping. Act before a supervisory review arrives.
  4. Establish an information sharing mechanism by joining a sector ISAC (Information Sharing and Analysis Centre) or by setting up bilateral threat intelligence sharing arrangements.

Programme maturity (6-12 months)

  1. Integrate DORA's ICT risk management framework with enterprise risk management. ICT risks should appear in the board risk report alongside financial and operational risk.
  2. Establish basic digital operational resilience testing for all entities: scenario-based testing covering critical ICT systems, recovery time objective testing, and business continuity exercise outcomes.
  3. Implement ongoing monitoring of the Register of Information. Contractual changes, new ICT providers, and critical function reclassifications must be reflected in real time.

Managing a DORA compliance programme across all five pillars generates a volume of documentation that spreadsheet-based tracking can't sustain. Gracie AI Agents with Personas and Skills performs activities across Register of Information maintenance, control evidence collection, and incident classification workflows, cutting audit preparation time by 75%. That means your compliance evidence is already assembled and auditable when a supervisory review arrives. See our DORA compliance guide for a structured framework covering all five pillars.

What Competent Authorities Can Do to Non-Compliant Entities

DORA has been fully enforceable since 17 January 2025. Competent authorities have had full enforcement powers from that date, and the regulation requires national law to provide for administrative penalties that are effective, proportionate, and dissuasive. Article 52 requires penalties of up to 2% of total annual worldwide turnover for financial entities in serious breach. The specific sanctions available vary by member state, but the enforcement framework is active across all EU jurisdictions.

For CTPPs under direct ESA oversight, DORA Article 35 gives the Lead Overseer the power to conduct investigations and on-site inspections, issue recommendations, and impose periodic penalty payments. The first CTPP oversight programmes are underway in 2025-2026 and are being closely watched by the financial entities that depend on those providers, since Article 30 requires CTPPs to cooperate with oversight and to ensure their financial entity clients can meet their DORA obligations.

For practical guidance on what board-level DORA reporting requires, see our guide to DORA board reporting and ICT risk.

Build Your DORA Compliance Evidence Trail with SureCloud

Gracie AI Agents with Personas and Skills manages your Register of Information, automates control evidence collection, and gives your board the reporting it needs to satisfy supervisory review. Financial entities using SureCloud's GRC platform report a 75% reduction in audit prep time.

FAQs

When did DORA become enforceable?

DORA, the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554), became applicable on 17 January 2025, following a two-year implementation period from its entry into force in January 2023. All in-scope financial entities were required to be compliant from that date. There was no grace period or phased enforcement start.

Competent authorities have had full supervisory powers since January 2025, and the ESAs' joint supervisory convergence work confirms that active enforcement reviews are underway across all major EU financial markets. If your programme wasn't complete by January 2025, it's already late.

Which financial entities are in scope for DORA?

DORA Article 2 lists in-scope entities. They include credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, alternative investment fund managers, management companies, insurance and reinsurance undertakings, and credit rating agencies, among others.

Microenterprises may benefit from proportionality provisions in several DORA articles. UK-based financial entities aren't directly subject to DORA, but entities that are part of EU groups, or that provide ICT services to EU-regulated entities, may have indirect obligations that their legal teams should assess.

What is the Register of Information under DORA?

The Register of Information is a complete inventory of all contractual arrangements between a financial entity and its ICT third-party service providers, required under DORA Article 28(3). It must be maintained, kept up to date, and submitted to the competent authority on request or as part of annual reporting. Commission Implementing Regulation (EU) 2024/2956 specifies the exact fields, including the provider's legal entity identifier, the nature of ICT services provided, whether those services support critical or important functions, and the jurisdiction in which the service is provided.

Financial entities must also capture sub-contracting arrangements for services supporting critical or important functions. That's where most submissions have gaps: the primary provider is captured; their sub-contractors aren't.
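The completeness checks described in this answer, together with the Register validation and concentration analysis in the near-term priority actions earlier in the article, can be run as code over an exported Register. The following is an added example, not code from the article or from SureCloud: the field names are a simplified stand-in for the Implementing Regulation (EU) 2024/2956 template columns, the sample register and its placeholder LEIs are constructed, and the sub-contractor concentration view goes one step beyond the article by applying the Article 29 question to the sub-contractors the article says are most often left out.

```python
from collections import defaultdict

# Simplified, illustrative field names (assumption: these are not the column identifiers
# used by the Implementing Regulation (EU) 2024/2956 templates, which should drive a
# production check).
REQUIRED_FIELDS = (
    "contract_ref",                # internal reference for the contractual arrangement
    "provider_name",
    "provider_lei",                # legal entity identifier of the provider
    "service_type",                # nature of the ICT service provided
    "jurisdiction",                # where the service is provided from
    "supports_critical_function",  # True/False flag; None means the service was never assessed
)


def looks_like_lei(value) -> bool:
    """Format check only: an LEI is 20 alphanumeric characters.
    The ISO 17442 check digits are not verified here."""
    return isinstance(value, str) and len(value) == 20 and value.isalnum()


def validate_register(register):
    """Return (contract_ref, finding) pairs for the gaps supervisors are reported to find most often."""
    findings = []
    for entry in register:
        ref = entry.get("contract_ref") or "<no contract_ref>"
        for field in REQUIRED_FIELDS:
            if entry.get(field) in (None, ""):
                findings.append((ref, f"missing field: {field}"))
        lei = entry.get("provider_lei")
        if lei and not looks_like_lei(lei):
            findings.append((ref, "provider_lei is not a 20-character alphanumeric LEI"))
        if entry.get("supports_critical_function") is True:
            if not entry.get("critical_functions"):
                findings.append((ref, "flagged as supporting a critical function but names none"))
            # An empty list is an explicit statement of 'no sub-contractors'; None/absent is a gap.
            if entry.get("subcontractors") is None:
                findings.append((ref, "sub-contracting arrangements not recorded for a critical service"))
    return findings


def concentration_report(register):
    """Providers (and sub-contractors) on which more than one critical function depends."""
    by_provider = defaultdict(set)
    by_subcontractor = defaultdict(set)
    for entry in register:
        if entry.get("supports_critical_function") is not True:
            continue
        functions = set(entry.get("critical_functions") or ())
        provider = entry.get("provider_name") or entry.get("provider_lei") or "<unknown provider>"
        by_provider[provider] |= functions
        for sub in entry.get("subcontractors") or ():
            by_subcontractor[sub] |= functions
    return {
        "providers": {p: sorted(f) for p, f in by_provider.items() if len(f) > 1},
        "subcontractors": {s: sorted(f) for s, f in by_subcontractor.items() if len(f) > 1},
    }


# Constructed sample register; the LEIs are placeholders, not real identifiers.
SAMPLE_REGISTER = [
    {"contract_ref": "C-001", "provider_name": "CloudCo", "provider_lei": "FAKELEI0000000000001",
     "service_type": "cloud hosting", "jurisdiction": "IE", "supports_critical_function": True,
     "critical_functions": ["payments", "customer onboarding"], "subcontractors": ["DataCentreX"]},
    {"contract_ref": "C-002", "provider_name": "PayGateway", "provider_lei": "FAKELEI0000000000002",
     "service_type": "payment processing", "jurisdiction": "NL", "supports_critical_function": True,
     "critical_functions": ["payments"]},  # sub-contractors never recorded
    {"contract_ref": "C-003", "provider_name": "HRSaaS", "provider_lei": "BADLEI",
     "service_type": "HR software", "jurisdiction": "DE", "supports_critical_function": False},
    {"contract_ref": "C-004", "provider_name": "AnalyticsCo", "provider_lei": "FAKELEI0000000000004",
     "service_type": "analytics", "jurisdiction": "FR", "supports_critical_function": None},  # never classified
    {"contract_ref": "C-005", "provider_name": "CoreBankingCo", "provider_lei": "FAKELEI0000000000005",
     "service_type": "core banking", "jurisdiction": "IE", "supports_critical_function": True,
     "critical_functions": ["customer onboarding"], "subcontractors": ["DataCentreX"]},
]

if __name__ == "__main__":
    for ref, finding in validate_register(SAMPLE_REGISTER):
        print(f"{ref}: {finding}")
    print(concentration_report(SAMPLE_REGISTER))
```

On the sample register the validator reports three gaps (a critical service with no sub-contracting record, a malformed LEI, and a service that was never classified), and the concentration view shows that two critical functions depend on CloudCo directly and on DataCentreX through two different primary providers, which the per-provider view alone would not reveal.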

What are the DORA incident reporting timelines?

DORA distinguishes between major ICT-related incidents and other incidents. For major incidents, Article 19 requires financial entities to submit an initial notification to their competent authority as soon as possible, and no later than 4 hours after classification as major (and no later than 24 hours after becoming aware of the incident). An intermediate report must follow within 72 hours of the initial notification. A final report is due within one month.

The classification criteria for major incidents are set out in DORA Article 18 and specified in the RTS on major incident reporting, covering the number of clients affected, duration, data integrity, geographic spread, and reputational impact. The reporting obligation starts from the moment of classification as major, so the classification process itself needs to be fast and operationally tested.
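The deadlines in the two paragraphs above (and in step 3 of the immediate priority actions) chain from one another, and the initial notification is bounded by two clocks at once, so a deadline calculator is the piece of incident tooling most worth getting right. The following is an added example, not code from the article or from SureCloud. It assumes that the one-month final-report window is counted from the intermediate report (the article states the window but not its starting point); the function and field names and the sample timestamps are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reporting windows as stated in the article (Article 19 and the RTS on major incident reporting).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def add_one_month(when: datetime) -> datetime:
    """Calendar-month addition, clamping to the last day of the target month
    (e.g. 31 January -> 28 February in a non-leap year)."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime          # initial notification to the competent authority
    intermediate: datetime     # intermediate report
    final: datetime            # final report
    binding_constraint: str    # "classification" (4-hour rule) or "awareness" (24-hour cap)


def reporting_deadlines(aware_at: datetime, classified_major_at: datetime) -> ReportingDeadlines:
    """Latest permissible submission times for a major incident.

    The initial notification is due 4 hours after classification as major but never later
    than 24 hours after the entity became aware of the incident, so the earlier of the two
    applies. Later reports run from the preceding submission; computing them from the
    preceding deadline gives the latest possible schedule, and filing earlier brings every
    later deadline forward.
    """
    if classified_major_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    by_classification = classified_major_at + INITIAL_AFTER_CLASSIFICATION
    by_awareness = aware_at + INITIAL_AFTER_AWARENESS
    if by_awareness < by_classification:
        initial, binding = by_awareness, "awareness"
    else:
        initial, binding = by_classification, "classification"
    intermediate = initial + INTERMEDIATE_AFTER_INITIAL
    # Assumption: the one-month final-report window runs from the intermediate report.
    final = add_one_month(intermediate)
    return ReportingDeadlines(initial, intermediate, final, binding)


def reporting_deadlines_iso(aware_at: str, classified_major_at: str) -> dict:
    """String-in, string-out wrapper for ticketing or alerting integrations (ISO 8601 timestamps)."""
    d = reporting_deadlines(datetime.fromisoformat(aware_at), datetime.fromisoformat(classified_major_at))
    return {
        "initial": d.initial.isoformat(),
        "intermediate": d.intermediate.isoformat(),
        "final": d.final.isoformat(),
        "binding_constraint": d.binding_constraint,
    }


if __name__ == "__main__":
    # Constructed sample: incident detected at 08:00 UTC and classified as major two hours later.
    for label, value in reporting_deadlines_iso("2026-03-01T08:00:00+00:00",
                                                "2026-03-01T10:00:00+00:00").items():
        print(f"{label:>20}: {value}")
```

The second clock matters in practice: if classification takes more than 20 hours from first awareness, the 24-hour cap, not the 4-hour window, sets the initial deadline, which is why the article's point about making classification fast and operationally tested carries directly into the reporting timeline.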

What is TLPT and which entities must complete it?

Threat-Led Penetration Testing (TLPT) is a structured red team exercise conducted under Articles 24-27 of DORA, based on the TIBER-EU framework. It tests the resilience of live production systems against realistic threat scenarios derived from actual threat intelligence for the entity's sector. TLPT must be conducted at least every three years and requires engagement of a TIBER-EU accredited external red team provider.

TLPT applies to significant entities designated by their competent authority. The designation criteria include systemic importance, ICT risk profile, and the nature of the entity's critical functions. If you've been designated, you can't substitute basic vulnerability testing or penetration testing for TLPT. The scope, methodology, and approval process are specified in the DORA RTS on TLPT, and supervisors are actively checking programme status.