DORA Compliance Guide: Requirements & Deadlines 2026

The EU AI Act is in force, and the compliance picture just changed.

On 7 May 2026, EU institutions reached political agreement on the AI Act Omnibus, deferring the high-risk AI system obligations most organisations were preparing for in August 2026. The new deadlines are later — but the work required to meet them is exactly the same. And several obligations are already enforceable now.

This guide gives you the accurate picture: what applies today, what changed, and what a structured compliance programme looks like in 2026 and beyond.

Looking for a management system framework to operationalise your AI Act obligations? ISO/IEC 42001 is the standard built for this. See our ISO 42001 resources.

DORA is an EU regulation that sets legally binding standards for digital operational resilience across the financial sector. It requires financial entities and their critical ICT providers to withstand, respond to, and recover from ICT-related disruptions, including cyberattacks, system failures, and data breaches.

DORA was published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. The full compliance deadline was 17 January 2025. All in-scope organisations are now subject to live regulatory obligations and supervisory oversight.

The regulation covers five areas: ICT risk management, incident reporting, digital resilience testing, third-party ICT risk management, and information sharing. These are not aspirational standards. They are enforceable obligations with specific timelines, documentation requirements, and supervisory powers attached.

Key reference: EIOPA Official DORA Information — eiopa.europa.eu

DORA applies to a broad range of financial sector organisations:

1. Banks and credit institutions
2. Insurance and reinsurance undertakings
3. Investment firms and brokers
4. Crypto-asset service providers
5. Payment institutions and e-money issuers
6. Central counterparties and trading venues
7. Crowdfunding platforms
8. Management companies and alternative investment fund managers (AIFMs)

Beyond direct financial institutions, DORA applies to ICT third-party service providers — including cloud service providers, data centres, software platforms, and managed services — that support the core functions of in-scope financial entities. Non-EU vendors supplying digital infrastructure to European financial firms are typically in scope even when headquartered outside the EU.

Critical ICT Third-Party Providers: Designated November 2025

On 18 November 2025, the European Supervisory Authorities (ESAs) published the first list of critical ICT third-party providers (CTPPs) subject to direct ESA oversight. Nineteen providers were designated, including major cloud infrastructure providers: Accenture, Amazon Web Services EMEA, Bloomberg, Capgemini, Colt Technology Services, Deutsche Telekom, Equinix (EMEA), FIS (Fidelity National Information Services), Google Cloud EMEA, IBM, InterXion HeadQuarters, Kyndryl, LSEG Data and Risk, Microsoft Ireland Operations, NTT DATA, Oracle Nederland, Orange, SAP, and Tata Consultancy Services.

Designated CTPPs face direct inspection rights, documentary evidence requirements, and binding recommendations from the ESAs. The CTPP list will be reviewed and updated annually.

Read more: DORA Critical ICT Third-Party Providers Guide

1. ICT Risk Management Framework

Financial entities must operate a formal ICT risk management framework integrated with their broader enterprise risk governance. This is not a paper policy exercise: it requires operational controls, documented accountability, and regular review.

Requirements include:

1. Governance structures that assign clear accountability for ICT risk at board and senior management level
2. Identification, classification, and continuous monitoring of ICT systems and assets
3. Regular risk assessments and independent control testing
4. Documentation of internal and external ICT functions, including outsourced processes

The ICT risk management framework is the foundation of DORA compliance. Batch 1 of the Regulatory Technical Standards — in force from 17 January 2025 — sets out binding detail on what this framework must include.

Read more: DORA Management Body Requirements

2. Incident Reporting

DORA establishes mandatory timelines for reporting significant ICT-related incidents to national competent authorities:

1. 24 hours — initial notification upon classification of an incident as significant
2. 72 hours — detailed interim report
3. 1 month — final report following resolution

These timelines are fixed. Internal logging, root cause documentation, and lessons-learned processes are also required. Reporting thresholds and formats are harmonised across EU member states via the implementation of technical standards.

Read more: DORA Incident Response Governance

3. Digital Operational Resilience Testing

DORA distinguishes between standard annual testing and advanced threat-led penetration testing (TLPT).

Standard testing is required annually for most in-scope entities, covering backup systems, failover capabilities, and business continuity plans.

TLPT applies to entities performing critical or important functions and must be conducted at least once every three years. On 18 June 2025, Commission Delegated Regulation (EU) 2025/1190 — the TLPT Regulatory Technical Standard — was published in the Official Journal and became directly applicable across EU member states on 8 July 2025.

Key TLPT requirements under the RTS:

1. Scope specification must be submitted to the TLPT authority within six months of receiving a testing obligation
2. Active red team testing must run for a minimum of 12 weeks
3. Purple teaming is mandatory in the TLPT closure phase
4. The threat intelligence provider must always be external
5. Every third TLPT must use a fully external red team

The first wave of TLPT notifications is expected in 2026. Organisations that have not built out TLPT capability face a tight window.

Read more: DORA Threat-Led Penetration Testing

4. Third-Party Risk Management

DORA requires active, documented oversight of all ICT third-party relationships — not periodic due diligence.

Financial entities must:

1. Maintain a current, accurate Register of Information covering all ICT-related contracts
2. Incorporate DORA-specific contractual clauses in vendor agreements, including exit rights and continuity obligations
3. Verify that providers maintain appropriate security and operational continuity practices
4. Develop exit strategies to reduce concentration risk in individual providers

NCAs are now cross-checking Register of Information data automatically as part of active enforcement reviews. Incomplete or inaccurate registers have been the leading cause of supervisory letters issued in the first enforcement cycle.

5. Information Sharing Arrangements

DORA encourages voluntary participation in cyber threat intelligence sharing. Requirements for participation include:

1. Sharing relevant, resilience-focused data
2. Confidentiality protections and restricted-use provisions
3. Clear governance rules within the sharing arrangement

Participation is voluntary, but it supports the regulatory expectation of a proactive resilience posture.

DORA's obligations are made specific through Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the ESAs.

Batch 1 — in force 17 January 2025: Five standards covering the ICT risk management framework, ICT-related incident classification, third-party policy, the Register of Information template, and aggregated costs methodology. These are binding EU law.

Batch 2 — finalised late 2024, applying progressively through 2025–2026: Covers subcontracting arrangements, TLPT methodology (published as Commission Delegated Regulation EU 2025/1190), ESA oversight of CTPPs, CTPP designation criteria, and related measures.

Organisations should map their ICT risk management frameworks, vendor contracts, and testing programmes against the published RTS before NCA reviews.

DORA's compliance deadline has passed. The regulation is live, and enforcement has entered its active phase.

Read more: DORA Compliance Roadmap 

DORA is no longer a preparation exercise. As of 2026, national competent authorities are conducting active enforcement reviews.

2025: The Supervisory Dialogue Phase

The first year of DORA applicability was broadly characterised by supervisory dialogue rather than formal sanctions. NCAs engaged with firms on readiness, issued guidance, and allowed institutions to demonstrate progress on gap remediation. Incomplete registers received formal supervisory letters requiring remediation within 60 days.

2026: Active Enforcement

That tolerance has ended. NCAs are now:

• Conducting formal DORA supervisory reviews
• Cross-checking Register of Information data automatically
• Issuing compulsion letters to firms with material compliance gaps
• Preparing the first formal enforcement actions under Article 5

Industry surveys at the end of 2025 indicated that only approximately only 50% of institutions expected to reach full compliance by end of 2025, with 38% pushing their target into 2026 (Deloitte).

For institutions still working through remediation, the priority areas flagged in early supervisory letters are: accuracy of the Register of Information, incident classification procedures, and TLPT readiness for in-scope entities.

Penalties for Non-Compliance

Penalties are set by member states within DORA's maximum parameters.

For financial entities:

1. Up to 2% of total annual worldwide turnover or €10 million (whichever is higher) for the most serious violations
2. Up to 1% of average daily worldwide turnover for certain ongoing or repeated breaches
3. Personal fines of up to €1 million for individual senior managers found responsible

For critical ICT third-party providers:

1. Up to €5 million fixed penalty
2. Plus up to 1% of average daily worldwide turnover for ongoing violations

Member state variations apply. Italy's ceiling is €20 million or 10% of annual turnover. Ireland allows up to €10 million or 10% of turnover.

For organisations still working through DORA compliance, a structured approach across three areas delivers the most immediate regulatory risk reduction.

Step 1: Audit the Register of Information

The Register of Information is the first thing NCAs cross-check. Audit for completeness, accuracy, and DORA RTS alignment. Every ICT-related contract must be logged, including subcontracting chains for critical functions.

Step 2: Build a Cross-Functional Compliance Task Force

DORA cannot be owned by a single team. Assign framework ownership to named individuals across:

1. Risk and compliance leadership
2. IT and infrastructure heads
3. Legal and procurement
4. Business continuity and operations leads

Step 3: Close ICT Risk Management Gaps

Map your ICT risk management framework against the Batch 1 RTS. Update documentation, run new risk assessments, and ensure all controls are tested and evidenced for supervisory review.

A structured GRC platform accelerates this process and generates the audit trail required for NCA review.

DORA does not operate in isolation. Compliance teams working across multiple frameworks can reduce duplication by identifying shared obligations.

DORA vs NIS2 vs GDPR vs EBA Guidelines

Where Frameworks Overlap

1. Incident reporting: DORA and GDPR both impose rapid reporting obligations. Unified incident response plans can satisfy both simultaneously.
2. Vendor risk: All four frameworks require active third-party oversight. A single vendor management programme, aligned to DORA's more prescriptive requirements, typically meets the others.
3. Governance: Board-level accountability is required under all four frameworks. Unified governance policies eliminate inconsistency.

DORA and the UK

DORA does not directly apply to UK-regulated firms unless they operate in or serve EU clients. UK regulators have moved in a parallel direction. The Prudential Regulation Authority's SS1/26 sets comparable operational resilience expectations for UK financial institutions.

UK firms with EU operations or EU-based clients must meet DORA requirements for those activities.

Read more: PRA SS1/26 — UK Operational Resilience

Read more: DORA vs NIS2 vs ISO 27001

SureCloud's GRC platform maps to DORA's five pillars through configurable, audit-ready workflows.

ICT Risk Management

1. Create and manage DORA-compliant risk frameworks aligned to the Batch 1 RTS
2. Map controls to framework requirements and track remediation
3. Connect ICT risks to enterprise-level governance and board reporting

Incident Response and Reporting

1. Pre-built workflows supporting the 24-hour, 72-hour, and 1-month reporting obligations
2. Secure multi-team collaboration for incident investigation
3. Customisable outputs for national competent authority formats

Digital Resilience Testing

1. Built-in resilience assessment templates
2. TLPT planning and outcome documentation
3. Remediation tracking linked to test findings

Third-Party Risk Management

1. Centralised Register of Information aligned to DORA Batch 1 RTS requirements
2. Automated due diligence workflows
3. Contract tracking with DORA clause management
4. Concentration risk scoring and exit strategy planning for critical providers

Information Sharing

Track participation in threat intelligence sharing networks, maintain data controls documentation, and generate audit evidence from a single platform.

Read more: DORA Compliance Software Compared