The Enforcement Reality in 2026
DORA became fully applicable on 17 January 2025, following a two-year transition period after it entered into force in January 2023. Unlike a Directive, DORA is a Regulation — directly binding in its entirety across all EU Member States, with no national transposition required and no room for jurisdictional variation in its core obligations.
The first months of 2025 saw regulators prioritising the collection and validation of Registers of Information — the structured documentation of every ICT third-party service provider relationship held by in-scope financial entities. That foundational data-gathering exercise, with final submission to the European Supervisory Authorities (EBA, EIOPA, ESMA) by 30 April 2025, is now complete. What follows in 2026 is substantive supervisory scrutiny of what institutions have actually built.
In November 2025, the ESAs published their list of designated Critical ICT Third-Party Providers (CTPPs) — a landmark step in the oversight framework. These providers now face direct regulatory engagement and inspection. For financial entities relying on designated CTPPs, this creates secondary compliance obligations: ensuring contractual provisions, audit rights, and exit strategies are all DORA-compliant.
DORA's Five Pillars — What Each Demands
DORA's compliance architecture is built around five interconnected pillars. Understanding what each pillar concretely requires — not just its label — is the starting point for any meaningful gap assessment.
The Practical Compliance Checklist
The following checklist is structured by urgency — not by pillar — reflecting what regulators are actually prioritising in their 2026 supervisory reviews. Red items represent immediate exposure; amber items represent areas where gaps frequently emerge; green items are the foundations that, once in place, enable everything else.
-
!Register of Information is complete, accurate, and current. Your RoI must document every ICT third-party provider relationship with the correct naming conventions, file formats, and data fields specified in the ESAs' implementing technical standard. Regulators are cross-checking submissions automatically — errors are being flagged and followed up. If your RoI was submitted in 2025 but has not been reviewed since, it is almost certainly out of date.
-
!Major ICT incident reporting procedures are operational — not documented. Classification criteria, escalation chains, regulatory notification templates, and responsible contact points must be in place and tested. The 4-hour initial notification window is not a target — it is the outer boundary. Regulators are reviewing whether institutions have live, rehearsed procedures, not policy documents sitting in a SharePoint folder.
-
!Board-level ICT risk governance is evidenced. DORA places explicit responsibility on management bodies. Board minutes, management information packs, and governance meeting records must demonstrate that ICT risk is a standing agenda item — actively reviewed and challenged at the appropriate level, not delegated entirely to the CTO or CISO.
-
!DORA-compliant contractual addenda with ICT providers are in place. Every ICT service contract must include the mandatory DORA clauses — audit rights, exit strategy provisions, SLA specifications, incident co-operation obligations, and data location requirements. For large institutions with hundreds of vendor contracts, this is a substantial legal workload. Regulators are asking to see contract inventories and evidence of clause remediation.
-
→Exit strategies for all critical ICT providers are documented and tested. DORA requires documented exit plans that would allow the institution to migrate away from any critical ICT provider without operational disruption. For cloud providers, core banking platform vendors, and payment processing partners, this is non-trivial. A plan that exists only on paper is insufficient — regulators expect evidence that substitutability has been actively assessed.
-
→Resilience testing programme is scheduled and documented for the year. Annual vulnerability assessments are the minimum; entities with critical functions need a TLPT scheduled within the three-year cycle. Testing providers must be pre-approved by your national competent authority. If your TLPT is not yet planned, the scheduling and approval process should begin immediately — lead times are long.
-
→Immutable backup and recovery capability is validated. DORA requires a third, immutable backup physically and logically segregated from primary and secondary sources, with the demonstrated ability to recover critical data within two hours of an incident. This capability must be manually tested at least annually, with results documented and available to regulators on request.
-
→CTPP relationships are specifically assessed and enhanced. If you use any ICT provider now designated as a Critical ICT Third-Party Provider by the ESAs — published November 2025 — your governance of that relationship must reflect the heightened regulatory scrutiny those providers now face. Review contracts, oversight arrangements, and concentration risk assessments for each designated CTPP in your supply chain.
-
→Cyber threat reporting process for significant threats is activated. DORA's voluntary reporting mechanism for significant cyber threats — those that did not cause an incident but could have — is an area regulators are using to assess the maturity of institutions' threat intelligence capabilities. Ensure your Security Operations Centre has a defined workflow for identifying, classifying, and notifying significant threats, separate from the major incident reporting channel.
-
✓ICT asset inventory is complete and linked to criticality classifications. You cannot manage what you cannot see. A comprehensive, continuously maintained inventory of ICT assets — hardware, software, data, network components — is the bedrock of DORA compliance. Assets must be classified by criticality to business functions, which in turn drives testing frequency, recovery time objectives, and third-party risk weighting.
-
✓Business Continuity and Disaster Recovery plans are tested and current. BCP/DR documentation that has not been tested within the last 12 months should be treated as expired for DORA purposes. Tests must cover realistic stress scenarios — not just technical failover — and results must be formally reviewed by management with remediation actions tracked to closure.
-
✓Staff training on DORA obligations is completed and evidenced. Operational resilience is not a technology function alone. Front-line staff, operations teams, and senior management all have DORA-relevant roles. Training completion records, awareness programme logs, and tabletop exercise documentation all contribute to a credible evidence base during supervisory review.
-
✓Threat intelligence sharing participation is documented. Whether through formal industry arrangements or bilateral agreements, record your participation in threat intelligence sharing initiatives — the insights received, how they were assessed, and what actions they informed. This evidences the proactive resilience posture that DORA's fifth pillar envisions.
What Non-Compliance Actually Costs
DORA's penalty framework is designed to be materially significant — not a cost of doing business. Crucially, it includes personal liability for senior management, which fundamentally changes the governance calculus at Board and ExCo level.
| Violation Category | Maximum Penalty | Severity |
|---|---|---|
| Most serious violations (e.g. systematic ICT risk management failures) | 2% of total annual worldwide turnover, or €10M, whichever is higher | Critical |
| Certain specific breaches (e.g. reporting failures, testing non-compliance) | 1% of average daily worldwide turnover | Critical |
| Fixed-rate violations (breach of specific Articles) | Up to €5M depending on violation | High |
| Senior management personal liability | Up to €1M per individual | High |
| Critical ICT Third-Party Providers (CTPPs) — daily penalties | Up to 1% of average daily worldwide turnover per day of breach | Critical |
| Non-financial sanctions (public disclosure, service suspension) | Reputational and operational — no monetary cap | Variable |
Where Regulators Are Looking First
Based on the ESAs' published oversight guide (July 2025), the pattern of Register of Information dry-run findings, and supervisory signals from national competent authorities entering 2026, the following areas represent the highest near-term enforcement concentration:
Register of Information accuracy. The ESAs made clear from the outset that RoI submissions would be the top enforcement priority in the initial phase. Regulators are using automated cross-checking tools to identify naming convention errors, missing fields, inconsistent data across related entries, and discrepancies between submitted registers and publicly available information about ICT provider relationships. Institutions should treat their RoI as a live regulatory document, not an annual filing.
ICT incident classification and reporting speed. Regulators are specifically examining whether institutions have the operational capability to classify a major ICT incident and issue an initial notification within four hours — not whether they have written procedures that say they will. Supervisory interviews with CISOs, CROs, and COOs are probing the gap between documented policy and operational reality.
Third-party contract remediation. The volume of legacy ICT contracts that pre-date DORA and lack the mandated clauses is a systemic issue across the sector. Regulators are prioritising contracts with the largest and most operationally critical providers — cloud hyperscalers, core banking platforms, payment processing networks — and are examining whether audit rights are meaningful in practice, not just present on paper.
"Regulators are shifting from reviewing paperwork to demanding real-time proof of resilience. With only 50% of firms fully compliant, 2026 marks the start of active DORA enforcement across Europe."
— DORA Blog, 2026Board-level governance evidence. DORA places the management body at the centre of ICT risk governance accountability. Supervisors are requesting Board and senior committee minutes to verify that ICT risk is genuinely receiving substantive oversight — not checkbox presentations. Where minutes are thin, or where ICT risk appears only in annual risk appetite reviews, regulators are treating this as a governance deficiency warranting remediation.
Conclusion: Resilience Is Now a Baseline, Not a Goal
DORA represents a permanent shift in the regulatory baseline for financial institutions operating in the EU. Digital operational resilience is no longer a best practice aspiration or an IT department objective — it is a legal obligation, actively enforced, with material financial and reputational consequences for failure.
The institutions that will fare best in this environment are not those with the largest compliance budgets, but those that have embedded resilience thinking into their operational culture — where incident reporting is a reflex, third-party risk management is continuous, and the Board treats ICT risk with the same rigour as credit or liquidity risk.
For institutions with significant gaps in their DORA posture, the path forward is structured and achievable — but it requires honest assessment of where those gaps actually sit, not where documentation suggests they should. The checklist in this report is a starting point. A formal gap assessment, conducted independently of the teams responsible for the frameworks under review, is the next step.
At CassConsult, our Banking Regulation & Compliance Practice offers DORA readiness assessments, Register of Information remediation support, TLPT programme design, third-party risk framework development, and Board-level governance advisory — calibrated to the size, complexity, and risk profile of your institution.
Need a DORA Gap Assessment?
Our structured DORA readiness review identifies where your institution stands against each pillar — with a prioritised remediation roadmap, not a list of findings.
Schedule a Free Consultation →