Enforcement Is Taking Shape
The Digital Operational Resilience Act (Regulation EU 2022/2554) became fully applicable on January 17, 2025. Since then, the enforcement landscape has been taking shape — and it looks different from what many financial institutions expected.
Rather than a sudden wave of fines, the European Supervisory Authorities (EBA, EIOPA, and ESMA) have pursued a structured, data-driven approach. The first year has been about building the supervisory infrastructure: collecting registers of information, designating critical third-party providers, and establishing the oversight mechanisms that will drive enforcement in 2026 and beyond.
For institutions that mistook this measured approach for leniency, the signals are now unmistakable. The enforcement machinery is operational, and the window for catch-up compliance is closing.
The Supervisory Approach: Targeted, Not Passive
The ESAs made their enforcement philosophy clear before DORA even took effect. In their December 2024 statements, as analysed by Skadden, regulators reiterated that they expected comprehensive compliance by the January 17, 2025 deadline — with no grace period.
In practice, enforcement has been targeted rather than comprehensive. Regulators have focused supervisory resources on the areas they consider highest-risk, beginning with the most foundational obligation: the Register of Information.
Registers of Information: The First Test
The Register of Information — a structured inventory of all ICT third-party contractual arrangements — has been the top enforcement priority from day one. Financial entities were required to submit these registers to their national competent authorities, enabling regulators to map the EU financial sector's technology dependencies. The most recent reporting window ran from January 1 to March 21, 2026. Financial entities that missed this deadline face supervisory scrutiny in the coming review cycle.
The data quality varied dramatically. According to the Skadden analysis, banks and insurers submitted registers containing roughly five times as many data points as alternative investment fund managers, reflecting significant differences in baseline compliance infrastructure across the sector.
This register data served a dual purpose. Beyond assessing individual entity compliance, the ESAs used it to identify the ICT providers that the financial sector depends on most — feeding directly into the critical third-party designation process.
The 19 Critical ICT Third-Party Providers
On November 18, 2025, the ESAs published their first list of designated critical ICT third-party providers (CTPPs) under Article 31 of DORA — a landmark moment for EU financial regulation.
Nineteen providers were designated across four categories: hyperscale cloud providers, data centre operators, infrastructure and network providers, and providers of financial services-specific technology. These designated providers now fall under a centralised EU oversight regime coordinated through the Joint Oversight Forum.
The designation process followed three stages:
- Data collection from financial entity registers documenting ICT service contracts
- Criticality assessment evaluating systemic importance, role in supporting critical functions, and service substitutability
- Formal notification, with providers receiving their right to be heard
The implications for designated CTPPs are substantial:
- Direct ESA oversight: The Lead Overseer (one of the three ESAs, assigned per provider) can conduct examinations, request information, and issue recommendations
- EU coordination point: Each CTPP must designate an EU legal entity as its coordination point with regulators
- Annual oversight fees: Designated providers pay fees to the relevant ESA
- Enforcement escalation: If a provider fails to comply with remediation recommendations, regulators may publicise the non-compliance and ultimately require financial entities to suspend use of the provider's services or terminate contractual arrangements
The list will be updated annually, and the ESAs have indicated that the first oversight activities — examining whether CTPPs maintain appropriate risk management and governance frameworks — are already underway. Baker McKenzie's 2026 outlook noted that DORA will trigger its first full oversight cycle for critical ICT providers in 2026, adding scrutiny on cloud and technology dependencies amid rising concerns over concentration and sovereignty.
Where the Industry Actually Stands
The gap between regulatory expectation and industry readiness is substantial. Two independent assessments — from Deloitte and EY — paint a consistent picture.
Deloitte DORA European Survey (2025)
The Deloitte DORA European Survey, conducted across 28 European countries six months after DORA's application date, surveyed CISOs, CROs, and DORA Programme Managers across the financial sector. The findings were sobering:
| DORA Pillar | Compliance Confidence |
|---|---|
| Pillar I: ICT Risk Management | 25% feel compliant |
| Pillar II: ICT Incident Management | 48% have protocols ready |
| Pillar III: Digital Operational Resilience Testing | 8% consider themselves compliant |
| Pillar IV: Third-Party Risk Management | 8% consider themselves compliant |
The single-digit confidence levels for resilience testing and third-party risk management are particularly concerning, given that these are the areas where DORA introduces the most prescriptive requirements.
On costs, 64% of respondents reported planned spending of EUR 2–5 million on their DORA compliance programme, with an average of 5–8 full-time equivalent staff involved. A further 17% were unable to provide definite cost estimates — itself a signal of programme immaturity.
The most revealing finding: 46% of institutions identified the Register of Information as the single most challenging DORA requirement. This is notable because the register is fundamentally a documentation exercise. If nearly half the sector struggles with documenting what ICT services they use and from whom, the operational resilience capabilities that DORA demands — testing, incident response, continuous monitoring — represent a significantly larger challenge.
EY: The Gap Between Paper and Practice
EY's analysis, published under the title "DORA one year later: from regulatory compliance to strategic resilience," identified a more fundamental problem. The greatest challenge for financial institutions has not been drafting new policies or updating procedures, but embedding DORA requirements into business-as-usual operations.
Key observations from EY's assessment:
- Resource constraints: Smaller firms lack dedicated ICT risk teams, increasing reliance on external consultants. Wealth and asset management firms, which often operate with lean structures, find the implementation of complex ICT risk frameworks particularly demanding
- Governance overhead: DORA mandates continuous reporting of ICT risks to management, adding substantial operational overhead that conflicts with other core activities
- Testing neglected: Digital operational resilience testing is frequently sidelined as organisations focus on other priorities, with many paying disproportionate attention to Threat-Led Penetration Testing (TLPT) rather than developing comprehensive testing programmes
- Ad hoc compliance: Organisations with lower maturity levels often rely on ad hoc solutions, implementing foundational elements like business impact analysis reactively rather than as part of a structured programme
The overarching conclusion: most institutions have achieved compliance on paper but have not yet achieved resilience in practice.
Incident Reporting: The Operational Test
DORA's incident reporting framework (Articles 17–23) represents the most immediate operational test for financial entities. The multi-stage reporting timeline is demanding:
| Stage | Deadline | Content |
|---|---|---|
| Initial notification | Within 4 hours of classification as major | Preliminary assessment: what happened, which services are affected, whether the incident is suspected of being caused by malicious acts |
| Intermediate report | Within 72 hours of initial notification | Updated impact assessment, root cause analysis (if available), recovery actions taken |
| Final report | Within 1 month of intermediate report | Comprehensive analysis including confirmed root cause, total impact, remediation measures, and lessons learned |
What Makes an Incident "Major"
The classification criteria are defined in Commission Delegated Regulation (EU) 2024/1772. An ICT-related incident is classified as major when it impairs critical services and, in addition, either the materiality threshold for data loss has been reached or at least two of the following materiality thresholds are exceeded:
- Duration: Service downtime exceeding 2 hours for ICT services supporting critical or important functions
- Geographic spread: Impact across two or more Member States
- Economic impact: Costs and losses exceeding or likely to exceed EUR 100,000
- Client impact: Number or relevance of affected clients and financial counterparts
- Reputational impact: Severity of reputational damage
- Transaction impact: Number or value of affected transactions
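As an added illustration (not code from the original article or from any regulator), the following Python encodes the classification rule and the 4-hour/72-hour/1-month reporting clock exactly as summarised above, so that a team can exercise both in a tabletop. The numeric thresholds are taken from the text, the qualitative criteria are modelled as analyst judgements, the "one month" step is implemented as a calendar-month addition, and the sample incident is constructed; the legal text of Regulation (EU) 2024/1772 governs in practice.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds as summarised above (a simplification for illustration, not the
# legal text). Client, reputational and transaction impact have no numeric
# threshold on the page, so they are recorded as analyst judgements.
DURATION_THRESHOLD_HOURS = 2      # downtime "exceeding 2 hours"
MEMBER_STATES_THRESHOLD = 2       # "two or more Member States"
ECONOMIC_THRESHOLD_EUR = 100_000  # "exceeding or likely to exceed"


@dataclass
class Incident:
    critical_service_impaired: bool
    data_loss_threshold_reached: bool
    downtime_hours: float
    member_states_affected: int
    estimated_cost_eur: float
    client_impact_material: bool = False
    reputational_impact_material: bool = False
    transaction_impact_material: bool = False


def exceeded_thresholds(inc: Incident) -> list:
    """Return the names of the materiality thresholds the incident exceeds."""
    checks = [
        ("duration", inc.downtime_hours > DURATION_THRESHOLD_HOURS),
        ("geographic", inc.member_states_affected >= MEMBER_STATES_THRESHOLD),
        ("economic", inc.estimated_cost_eur >= ECONOMIC_THRESHOLD_EUR),
        ("client", inc.client_impact_material),
        ("reputational", inc.reputational_impact_material),
        ("transaction", inc.transaction_impact_material),
    ]
    return [name for name, hit in checks if hit]


def is_major(inc: Incident) -> bool:
    """Major = critical service impaired AND (data-loss threshold OR >= 2 other thresholds)."""
    if not inc.critical_service_impaired:
        return False
    return inc.data_loss_threshold_reached or len(exceeded_thresholds(inc)) >= 2


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month addition, clamping the day (e.g. 31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(classified_at: datetime) -> dict:
    """All clocks start from classification as major, not from detection."""
    initial = classified_at + timedelta(hours=4)
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial, "intermediate": intermediate, "final": add_one_month(intermediate)}


# Constructed sample: 3h outage of a critical payment service in one Member State,
# EUR 40k estimated loss, material transaction impact, classified 31 Jan 2026 10:00 UTC.
SAMPLE = Incident(True, False, 3.0, 1, 40_000, transaction_impact_material=True)
SAMPLE_DEADLINES = reporting_deadlines(datetime(2026, 1, 31, 10, tzinfo=timezone.utc))
```

The sample trips the duration and transaction thresholds, so it is major and the initial notification is due at 14:00 UTC the same day.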
The reporting templates are standardised through Commission Implementing Regulation (EU) 2025/302, which provides the harmonised forms for major incident reports and significant cyber threat notifications.
Early Operational Experience
While no authority has published aggregate incident reporting statistics as of February 2026, the operational reality is that many institutions are still refining their classification and reporting workflows. The 4-hour initial notification window — which begins from the point of classification, not detection — requires pre-established processes, clear escalation paths, and staff who understand both the technical criteria and the reporting mechanics.
The POST Luxembourg cyberattack in July 2025 served as an early real-world test of the framework, demonstrating systemic vulnerabilities and validating the necessity of DORA's operational resilience requirements.
The Regulatory Technical Standards Landscape
DORA's operational detail is largely contained in delegated and implementing regulations adopted by the European Commission on the basis of ESA-developed technical standards. Understanding the RTS/ITS landscape is essential for compliance:
Batch 1 (Published January 2024)
- RTS on ICT risk management framework — detailed requirements for policies, procedures, and controls
- RTS on incident classification criteria (Regulation EU 2024/1772) — materiality thresholds for major incidents
- RTS on Register of Information — structure and content of the ICT third-party register
- ITS on incident reporting templates (Regulation EU 2025/302) — standardised reporting forms
Batch 2 (Published July 2024)
- RTS on TLPT (Threat-Led Penetration Testing) — framework for advanced testing of systemically important entities
- RTS on subcontracting — requirements for oversight of ICT service subcontracting chains
- RTS on oversight harmonisation — cooperation and information exchange between ESAs and national competent authorities
Post-Application Updates
- Delegated Regulation (EU) 2025/532 (adopted July 2, 2025, applicable July 22, 2025) — additional requirements on subcontracting of critical ICT services, including mandatory identification of all subcontractors and contractual clauses for exit strategies
- ECB and ESMA guidelines (released July 24, 2025) — supervisory expectations for operational resilience testing and third-party oversight
The continuing evolution of the RTS landscape means compliance is not a static target. Institutions must maintain awareness of new technical standards and integrate them into their existing frameworks.
The Penalty Framework: What Is Actually at Stake
DORA's penalty framework operates on two levels, reflecting the regulation's dual focus on financial entities and their ICT providers.
For Financial Entities
Article 50 delegates penalty-setting to Member States, requiring only that penalties be "effective, proportionate, and dissuasive." This has created a fragmented enforcement landscape where penalty severity varies by jurisdiction. Member States may also impose criminal penalties under Article 52.
Luxembourg, as a major financial centre, has signalled high supervisory expectations. Other Member States are still establishing their enforcement infrastructure, creating an uneven supervisory landscape across the EU.
For Critical ICT Third-Party Providers
The penalty regime for CTPPs is more specific and harmonised. Under Article 35(8), the Lead Overseer can impose periodic penalties of up to 1% of average daily worldwide turnover for up to six months for non-compliance with oversight requirements. For major technology providers, this can amount to substantial daily penalties.
Personal Liability
Like NIS2, DORA places direct accountability on management bodies. Board members and senior executives must approve cybersecurity risk management measures and oversee their implementation. Failure to do so can result in personal liability — an aspect that many boards are only now beginning to internalise.
What to Do Now: Priorities for Institutions Still Catching Up
Based on where the enforcement focus sits and where the industry's gaps are widest, here are the immediate priorities for institutions that have not yet achieved full compliance:
1. Complete and Validate Your Register of Information
This is the single most visible compliance obligation and the one regulators are actively reviewing. Ensure your register is complete, accurate, and structured according to the ITS templates. If you submitted an incomplete register in 2025, update and resubmit proactively.
2. Build Operational Incident Reporting Capability
Paper procedures are not enough. Run tabletop exercises against the 4-hour/72-hour/1-month timeline. Ensure your teams can classify an incident, trigger the reporting workflow, and produce the required content within the mandated windows. The standardised templates from ITS 2025/302 should be pre-populated with standing entity information.
3. Address Third-Party Risk Systematically
With 19 CTPPs now under direct oversight, regulators will increasingly scrutinise how financial entities manage their own third-party ICT risk. Review and update contracts with critical suppliers to include DORA-mandated clauses. Establish continuous monitoring rather than annual questionnaire-based assessments. The new subcontracting RTS (Delegated Regulation 2025/532) requires identification of all subcontractors in critical ICT service chains — many legacy contracts do not support this level of transparency.
4. Invest in Resilience Testing
With only 8% of institutions considering themselves compliant with Pillar III, digital operational resilience testing represents the sector's largest compliance gap. The TLPT Regulatory Technical Standards were published in June 2025, and the ECB confirmed alignment between DORA TLPT and the updated TIBER-EU framework in February 2025. Significant financial entities must complete their first TLPT by January 17, 2028 — three years from DORA's application date. Competent authorities have already begun issuing formal notification letters to designated entities, triggering preparation timelines. Begin with basic testing of all ICT systems supporting critical functions, then develop a structured roadmap toward TLPT readiness.
5. Engage Your Board
DORA's governance requirements are not optional. Board members must approve cybersecurity risk management measures and receive regular briefings on ICT risk. Document everything — board minutes, training records, risk reports. When regulators examine governance compliance, they look for evidence of genuine engagement, not rubber-stamping.
Looking Ahead: 2026 and Beyond
The European Commission is required under Article 56 to review DORA's effectiveness and report to the European Parliament and Council. This review, due in January 2026, will assess whether the regulation's objectives are being met and whether adjustments are needed.
Meanwhile, the ESAs' first full oversight cycle for designated CTPPs is underway, meaning 2026 will produce the first concrete supervisory findings on the EU's most systemically important technology providers.
For financial institutions, the message is clear: DORA enforcement is not theoretical. The supervisory infrastructure is built, the data collection is complete, and regulators are moving from assessment to action. Institutions that have treated DORA as a documentation exercise rather than an operational transformation will find themselves increasingly exposed as enforcement intensifies.
The organisations that will navigate this successfully are those that have moved beyond compliance checklists to build genuine digital operational resilience — treating DORA not as a regulatory burden, but as a framework for the operational discipline that the financial sector's growing technology dependence demands.
Sources
Official EU Sources
Industry Research
- Deloitte — DORA European Survey, 2025 Edition
- Deloitte Survey Finds Only 25% Confident in DORA Compliance — Chronicle.lu
- EY — DORA One Year Later: From Regulatory Compliance to Strategic Resilience
Legal Analysis
- Skadden — Countdown to DORA: Four Takeaway Points From Regulators' December Statements
- Morgan Lewis — DORA: EU Regulators Announce List of Critical ICT Third-Party Providers
- PwC Legal — ESAs Publish First List of Critical ICT Third-Party Providers Under DORA
- DLA Piper — Application of DORA: Key Considerations
- Baker McKenzie — 2026 Top Issues to Watch for Global Data and Cyber Legal Risks
- DLA Piper — DORA Penalty Regimes: Divergence Among Member States (Oct 2025)