
DORA Enforcement Intensifies as Financial Sector Faces Operational

The EU Digital Operational Resilience Act (DORA) enforcement has intensified in January 2026, with regulators conducting operational resilience audits and requiring detailed Register of Information submissions. Financial institutions face penalties up to 2% of global turnover for non-compliance, while critical ICT providers face fines up to €5 million. Organizations must demonstrate mature risk management programs with comprehensive third-party oversight documentation.

Fact-checked and reviewed — Kodi C.


The European Union's Digital Operational Resilience Act (DORA) entered active enforcement in January 2026, one year after its January 17, 2025 effective date. Financial sector regulators across EU member states are now conducting operational resilience audits, reviewing Register of Information submissions, and imposing penalties for non-compliance. Financial entities and their ICT service providers face substantial fines—up to 2% of global annual turnover for financial institutions and €5 million for critical ICT providers. Organizations must demonstrate mature, continuously monitored digital resilience programs with thorough third-party risk management documentation.

DORA enforcement framework

DORA establishes harmonized requirements for ICT risk management, incident reporting, resilience testing, and third-party risk oversight across the EU financial sector. The regulation applies to a broad range of financial entities including banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers. Critical ICT third-party providers serving multiple financial entities also fall under direct regulatory oversight.

National competent authorities (NCAs) in each member state hold primary enforcement responsibility for financial entities under their supervision. The three European Supervisory Authorities—EBA, EIOPA, and ESMA—coordinate cross-border enforcement and directly supervise designated critical ICT third-party service providers. This dual-level structure creates consistent enforcement while addressing sector-specific considerations.

The enforcement posture has shifted from advisory guidance to active compliance verification. Regulators are conducting on-site inspections, reviewing submitted documentation, and assessing the maturity of organizations' digital resilience programs. Organizations that treated DORA compliance as a documentation exercise rather than operational transformation face heightened scrutiny.

Enforcement priority areas include the completeness and accuracy of Register of Information submissions, the effectiveness of ICT risk management frameworks, and the robustness of third-party oversight programs. Regulators expect evidence of active risk management rather than static policy documents. Continuous monitoring, regular testing, and documented improvement cycles demonstrate compliance maturity.

ICT risk management requirements

DORA requires financial entities to establish thorough ICT risk management frameworks covering the identification, protection, detection, response, and recovery functions. The framework must be proportionate to the entity's size, complexity, and risk profile. Documented governance structures must assign clear accountability for ICT risk at management body level.

Risk identification processes must maintain current inventories of ICT assets, dependencies, and vulnerabilities. Network and system diagrams, data flow mappings, and criticality assessments provide the foundation for risk-based controls. Regular updates ensure these inventories reflect the actual technology environment.

Protection measures must address identified risks through appropriate technical and organizational controls. Access management, encryption, network segmentation, and change management represent core control categories. Controls must be documented, tested, and monitored for effectiveness.

Detection capabilities require continuous monitoring of ICT systems for anomalies and potential incidents. Security information and event management systems, intrusion detection capabilities, and log analysis support detection requirements. Detection thresholds and alerting mechanisms must be calibrated to the entity's risk profile.

Incident reporting obligations

DORA establishes strict timelines for reporting major ICT-related incidents to supervisory authorities. Initial notification must occur within four hours of incident classification. Intermediate reports providing additional details are required within 72 hours. Final reports with root cause analysis and remediation actions must be submitted within one month.

Incident classification criteria determine whether an event qualifies as major and triggers reporting obligations. Criteria include duration, geographic spread, number of affected clients, data losses, economic impact, and criticality of affected services. Organizations must implement classification procedures enabling rapid determination of reporting obligations.

Reporting templates and submission channels are specified by supervisory authorities. Organizations should familiarize themselves with their NCAs' reporting requirements and establish technical capabilities for timely submission. Delayed or incomplete incident reports can result in enforcement action independent of the underlying incident.

Voluntary notification provisions encourage reporting of significant cyber threats even before incidents materialize. Threat intelligence sharing improves collective resilience across the financial sector. Regulators consider voluntary participation in threat sharing when assessing organizational compliance culture.

Digital operational resilience testing

DORA requires regular testing of digital operational resilience through various methodologies. All covered entities must conduct basic testing including vulnerability assessments, network security testing, and scenario-based testing. Testing frequency and scope must be proportionate to ICT risk profiles.

Threat-led penetration testing (TLPT) applies to significant financial entities identified by supervisory authorities. TLPT requires sophisticated red team exercises simulating advanced threat actor techniques. Testing must be conducted by qualified internal or external testers following established frameworks such as TIBER-EU.

TLPT cycles occur at least every three years, though significant changes to ICT infrastructure or threat environment may trigger earlier testing requirements. Testing scopes must cover critical and important functions identified through business impact analysis. Results and remediation plans require supervisory reporting.

Testing programs must drive actual security improvements rather than serving as compliance checkboxes. Regulators expect evidence that testing findings result in remediation actions and that lessons learned are incorporated into ongoing risk management. Gap analysis between testing results and control improvements demonstrates program maturity.

Third-party risk management

DORA significantly expands third-party risk management obligations for financial entities. Organizations must maintain thorough registers of all ICT third-party arrangements, including subcontracting chains. Due diligence assessments, ongoing monitoring, and exit planning are required for all material ICT relationships.

The Register of Information (ROI) requires detailed documentation of ICT third-party relationships. Required information includes service descriptions, risk assessments, contractual terms, subcontractor arrangements, and evidence of ongoing oversight. Annual ROI submissions to supervisory authorities began in January 2026.

Contract requirements specify minimum provisions that must be included in agreements with ICT service providers. Service level agreements, audit rights, security requirements, incident notification obligations, and exit/termination provisions must be documented. Existing contracts require review and amendment to meet DORA standards.

A two-year transitional period for reviewing existing arrangements was granted, but enforcement expectations are increasing. New contracts and renewals must fully comply with DORA requirements immediately. Organizations should prioritize contract remediation for their most critical third-party relationships.

Penalty framework

DORA establishes significant penalty authority for supervisory regulators. Financial entities face administrative penalties up to 2% of total annual worldwide turnover for serious infringements. Individual managers may face personal liability for compliance failures within their areas of responsibility.

Critical ICT third-party service providers under direct ESA supervision face fines up to €5 million or 1% of daily worldwide turnover. Periodic penalty payments can accrue for ongoing non-compliance. In extreme cases, regulators can require financial entities to suspend or terminate arrangements with non-compliant providers.

Penalty calculations consider factors including the seriousness and duration of infringements, degree of responsibility, financial strength of the entity, profits gained or losses avoided, and cooperation with authorities. Systematic failures or repeated violations result in enhanced penalties.

Beyond financial penalties, regulators can impose operational restrictions, require specific remediation actions, or issue public statements identifying non-compliant entities. Reputational consequences of public enforcement actions may exceed direct financial penalties for many organizations.

Actions for the next two months

  • Complete and validate Register of Information submissions for all ICT third-party arrangements.
  • Assess ICT risk management framework maturity against DORA requirements.
  • Review incident classification and reporting procedures for DORA compliance.
  • Evaluate digital resilience testing programs against proportionality requirements.
  • Prioritize contract remediation for critical ICT service provider relationships.
  • Brief management bodies on DORA compliance status and enforcement risk.
  • Document governance structures and accountability assignments for ICT risk.
  • Establish ongoing compliance monitoring to demonstrate continuous improvement.

Analysis summary

DORA enforcement in January 2026 marks a significant shift from compliance preparation to active regulatory oversight. Financial entities must demonstrate operational resilience programs that are mature, documented, and continuously monitored. The focus has shifted from policy development to evidence of effective risk management practices.

Third-party risk management receives particular scrutiny given the financial sector's dependence on ICT service providers. The Register of Information requirements create unprecedented transparency into third-party relationships. Organizations with complex ICT supply chains face significant documentation and ongoing monitoring obligations.

The penalty framework provides substantial enforcement incentive. Fines up to 2% of global turnover create material financial exposure for non-compliance. Personal liability provisions ensure that individual managers cannot treat compliance as solely an organizational responsibility.

This analysis recommends that financial entities and their ICT providers prioritize DORA compliance verification against active enforcement expectations. Static documentation is insufficient; regulators expect evidence of operational resilience practices that are integrated into daily operations and continuously improved through testing and monitoring cycles.
