In This Report
🚨
Enforcement Alert: As of 2026, only approximately 50% of in-scope firms are fully DORA-compliant. National competent authorities — including BaFin, the CBI, and others — are now conducting active supervisory reviews, cross-checking Register of Information submissions automatically, and issuing the first formal compulsion payments. The informal grace period that characterised early 2025 is definitively over.
01

The Enforcement Reality in 2026

DORA became fully applicable on 17 January 2025, following a two-year transition period after it entered into force in January 2023. Unlike a Directive, DORA is a Regulation — directly binding in its entirety across all EU Member States, with no national transposition required and no room for jurisdictional variation in its core obligations.

The first months of 2025 saw regulators prioritising the collection and validation of Registers of Information — the structured documentation of every ICT third-party service provider relationship held by in-scope financial entities. That foundational data-gathering exercise, with final submission to the European Supervisory Authorities (EBA, EIOPA, ESMA) by 30 April 2025, is now complete. What follows in 2026 is substantive supervisory scrutiny of what institutions have actually built.

In November 2025, the ESAs published their list of designated Critical ICT Third-Party Providers (CTPPs) — a landmark step in the oversight framework. These providers now face direct regulatory engagement and inspection. For financial entities relying on designated CTPPs, this creates secondary compliance obligations: ensuring contractual provisions, audit rights, and exit strategies are all DORA-compliant.

17 Jan
2025 — DORA full application date
~20
Types of financial entity in scope
2%
Global turnover — max fine for serious violations
€1M
Max personal fine for senior management failures
📋
Scope Reminder: DORA applies to banks, payment institutions, e-money institutions, investment firms, insurance undertakings, crypto-asset service providers, central securities depositories, credit rating agencies, and — critically — ICT third-party service providers supplying services to these entities. If you supply technology to a financial institution, you are now directly regulated.
02

DORA's Five Pillars — What Each Demands

DORA's compliance architecture is built around five interconnected pillars. Understanding what each pillar concretely requires — not just its label — is the starting point for any meaningful gap assessment.

🔐
Pillar 1 — ICT Risk Management
Arts. 5–16
A formal, board-approved ICT risk management framework must be in place, integrated with the institution's enterprise risk strategy. This means documented governance policies, clear accountability structures for ICT risk at senior management level, continuous identification and classification of ICT assets, and a regularly tested and updated Business Continuity Plan. The framework must evolve with new threats — annual reviews are the regulatory minimum, not the aspiration.
🚨
Pillar 2 — ICT Incident Reporting
Arts. 17–23
Major ICT-related incidents must be reported to the home competent authority within strict timelines: an initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month. Significant cyber threats — even those that do not materialise into incidents — must also be notified on a voluntary basis. Classification criteria, escalation procedures, and reporting templates must all be operationalised before an incident occurs, not during one.
🧪
Pillar 3 — Digital Operational Resilience Testing
Arts. 24–27
All in-scope entities must conduct regular ICT resilience testing — at a minimum, annual vulnerability assessments and basic testing. Entities performing critical or important functions must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years, using approved external testers operating on live production systems. Testing results and remediation plans must be submitted to regulators. Backup systems, failover capabilities, and business continuity arrangements must be tested independently.
🤝
Pillar 4 — ICT Third-Party Risk Management
Arts. 28–44
This is the most operationally complex pillar for most institutions. Every ICT third-party relationship must be documented in a Register of Information (RoI) — submitted to regulators and kept continuously up to date. Contracts with ICT providers must include specific DORA-mandated clauses: exit strategies, audit rights, service level agreements, data location requirements, and incident co-operation obligations. For providers designated as Critical ICT Third-Party Providers (CTPPs) by the ESAs, additional oversight and direct regulatory inspection apply.
🔗
Pillar 5 — Information & Intelligence Sharing
Art. 45
Financial entities are encouraged — and in practice expected — to participate in cyber threat intelligence sharing arrangements with peer institutions and sectoral bodies. Participation must be documented, with records of insights gained and how they have informed resilience posture. GDPR compliance must be maintained throughout all sharing activities. While this is the least-enforced pillar today, it is moving up supervisory agendas as regulators assess the maturity of sectoral threat intelligence ecosystems.
03

The Practical Compliance Checklist

The following checklist is structured by urgency — not by pillar — reflecting what regulators are actually prioritising in their 2026 supervisory reviews. Red items represent immediate exposure; amber items represent areas where gaps frequently emerge; green items are the foundations that, once in place, enable everything else.

🔴 Immediate Attention — Highest Supervisory Priority
🟡 High Priority — Common Gap Areas
🟢 Foundation Items — Enablers of Everything Else
04

What Non-Compliance Actually Costs

DORA's penalty framework is designed to be materially significant — not a cost of doing business. Crucially, it includes personal liability for senior management, which fundamentally changes the governance calculus at Board and ExCo level.

Violation CategoryMaximum PenaltySeverity
Most serious violations (e.g. systematic ICT risk management failures) 2% of total annual worldwide turnover, or €10M, whichever is higher Critical
Certain specific breaches (e.g. reporting failures, testing non-compliance) 1% of average daily worldwide turnover Critical
Fixed-rate violations (breach of specific Articles) Up to €5M depending on violation High
Senior management personal liability Up to €1M per individual High
Critical ICT Third-Party Providers (CTPPs) — daily penalties Up to 1% of average daily worldwide turnover per day of breach Critical
Non-financial sanctions (public disclosure, service suspension) Reputational and operational — no monetary cap Variable
⚠️
Real Enforcement Example: A bank suffers a significant cyber attack affecting 50,000 customers but fails to notify its competent authority within the 4-hour initial notification window. Potential consequence under DORA: a fine of 1–2% of annual turnover, plus a mandatory remediation programme under regulatory supervision — with the institution's name publicly disclosed as a DORA enforcement action.
05

Where Regulators Are Looking First

Based on the ESAs' published oversight guide (July 2025), the pattern of Register of Information dry-run findings, and supervisory signals from national competent authorities entering 2026, the following areas represent the highest near-term enforcement concentration:

Register of Information accuracy. The ESAs made clear from the outset that RoI submissions would be the top enforcement priority in the initial phase. Regulators are using automated cross-checking tools to identify naming convention errors, missing fields, inconsistent data across related entries, and discrepancies between submitted registers and publicly available information about ICT provider relationships. Institutions should treat their RoI as a live regulatory document, not an annual filing.

ICT incident classification and reporting speed. Regulators are specifically examining whether institutions have the operational capability to classify a major ICT incident and issue an initial notification within four hours — not whether they have written procedures that say they will. Supervisory interviews with CISOs, CROs, and COOs are probing the gap between documented policy and operational reality.

Third-party contract remediation. The volume of legacy ICT contracts that pre-date DORA and lack the mandated clauses is a systemic issue across the sector. Regulators are prioritising contracts with the largest and most operationally critical providers — cloud hyperscalers, core banking platforms, payment processing networks — and are examining whether audit rights are meaningful in practice, not just present on paper.

"Regulators are shifting from reviewing paperwork to demanding real-time proof of resilience. With only 50% of firms fully compliant, 2026 marks the start of active DORA enforcement across Europe."

— DORA Blog, 2026

Board-level governance evidence. DORA places the management body at the centre of ICT risk governance accountability. Supervisors are requesting Board and senior committee minutes to verify that ICT risk is genuinely receiving substantive oversight — not checkbox presentations. Where minutes are thin, or where ICT risk appears only in annual risk appetite reviews, regulators are treating this as a governance deficiency warranting remediation.

06

Conclusion: Resilience Is Now a Baseline, Not a Goal

DORA represents a permanent shift in the regulatory baseline for financial institutions operating in the EU. Digital operational resilience is no longer a best practice aspiration or an IT department objective — it is a legal obligation, actively enforced, with material financial and reputational consequences for failure.

The institutions that will fare best in this environment are not those with the largest compliance budgets, but those that have embedded resilience thinking into their operational culture — where incident reporting is a reflex, third-party risk management is continuous, and the Board treats ICT risk with the same rigour as credit or liquidity risk.

For institutions with significant gaps in their DORA posture, the path forward is structured and achievable — but it requires honest assessment of where those gaps actually sit, not where documentation suggests they should. The checklist in this report is a starting point. A formal gap assessment, conducted independently of the teams responsible for the frameworks under review, is the next step.

At CassConsult, our Banking Regulation & Compliance Practice offers DORA readiness assessments, Register of Information remediation support, TLPT programme design, third-party risk framework development, and Board-level governance advisory — calibrated to the size, complexity, and risk profile of your institution.

CC
CassConsult Banking Regulation & Compliance Practice
Specialist Consultancy · Payments · Banking Regulation · Process Automation
CassConsult provides expert advisory to financial institutions navigating regulatory complexity and operational transformation. Our team brings direct practitioner experience from banks, regulatory bodies, and supervisory environments across the EU. We deliver pragmatic, evidence-based advice — not generic frameworks.

Need a DORA Gap Assessment?

Our structured DORA readiness review identifies where your institution stands against each pillar — with a prioritised remediation roadmap, not a list of findings.

Schedule a Free Consultation →