Most financial companies in Europe are still not ready


Fourteen months after the Digital Operational Resilience Act came into force, Europe’s financial institutions are running out of room to improvise. The regulation, which entered into force on 17 January 2025, was supposed to mark the beginning of a new era in digital risk management within the EU. Instead, it revealed how far most firms still have to go.

The numbers tell a blunt story. A McKinsey survey of major European financial institutions found that only a third were confident they would be able to meet all DORA requirements by January 2025. Separate research from Deloitte paints an equally sobering picture: only 50 percent of organizations expect to be fully compliant by the end of 2025, while 38 percent expect to fulfill their goals by 2026.

These are not theoretical gaps. These are live regulatory risks in a regime that allows fines of up to 2 percent of annual worldwide turnover and personal fines of up to €1 million for senior executives who fail to act.

What DORA actually requires

DORA’s scope is broader than many initially appreciate. The regulation applies not only to banks and insurers, but also to payment institutions, electronic money providers, crypto-asset service providers, investment firms, and especially their ICT service providers. The European Supervisory Authorities (ESAs) estimate that more than 22,000 financial institutions and the hundreds of technology providers that serve them are covered.


The regulation is based on five pillars: ICT risk management, incident reporting, digital operational resilience testing (including threat-led penetration testing for critical institutions), third-party risk control and information sharing. Each pillar comes with its own technical standards, reporting obligations, and oversight expectations. As we explore in our analysis of why 2026 will be the year of managed cybersecurity AI, the regulatory push towards structured supervision is accelerating across the sector.

What sets DORA apart from previous regulations is its emphasis on continuous compliance. This is not a one-time certification job. It requires organizations to demonstrate ongoing operational continuity with real-time monitoring, documented evidence and the ability to prove compliance at any moment. For teams accustomed to annual audit cycles, the change is significant.

March 2026: the Register of Information test

The most immediate pressure point in 2026 is the second annual submission of the Register of Information (RoI). Under Article 28 of DORA, every financial institution must maintain a comprehensive register documenting all contractual arrangements with third-party ICT service providers. National authorities then consolidate these registers and submit them to the ESAs by 31 March each year.

The reference date for this year’s period is 31 December 2025, which means that the register must record every ICT contract in force at the end of the year. National deadlines vary: Germany’s BaFin requires submissions between March 9 and 30, the Netherlands’ DNB and AFM set March 20 as the cut-off, Malta’s MFSA set March 21, and Luxembourg’s CSSF opened its eDesk portal on February 11 for submissions running until March 31.

The 2025 pilot round revealed serious friction. Many firms found that they lacked a centralized view of their ICT vendor relationships, with contracts scattered across procurement groups, business units and support operations. Data quality issues were significant: incomplete records, missing contract identifiers, and classification of services inconsistent with the ESA taxonomy.

Deloitte’s research confirmed the extent of this challenge, with 46 percent of financial institutions citing the Register of Information as the most challenging DORA requirement. For organizations managing hundreds or thousands of vendor relationships across many jurisdictions, it is not possible to manually compile an accurate, audit-ready register within the submission window.

19 providers are under the direct supervision of the EU

In November 2025, the ESAs published the first list of 19 critical third-party ICT providers (CTPPs) that fall under direct EU oversight. The list includes Amazon Web Services, Google Cloud, Microsoft, Oracle, SAP and Deutsche Telekom, among others. These providers are designated based on four criteria: the systemic impact of a potential failure, the systemic importance of the financial entities that depend on them, the concentration of reliance in the banking, insurance and securities sectors, and the substitutability of their services.

For these 19 providers, the ESAs have powers to conduct annual risk assessments, require comprehensive reporting, carry out on-site inspections and coordinate oversight through Joint Examination Teams made up of staff from both the ESAs and national regulators.

The designation has a cascading effect. Financial institutions relying on designated CTPPs must demonstrate that they have assessed, documented and mitigated the concentration risk arising from these dependencies. That means mapping every critical function running on AWS, Azure or Google Cloud, documenting precautions and proving that a major provider outage won’t disrupt operations. For mid-sized firms that have built their infrastructure around a single cloud provider, this requirement alone represents months of work.
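As an added illustration, not code from the article or from any vendor named in it, the following Python sketch shows the kind of concentration check a firm would run over its function-to-provider mapping before a supervisor asks for it. The provider names come from the CTPP list above; the function data and the 50 percent share threshold are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Three of the providers named in the ESAs' first CTPP list (see above).
# Which of a firm's own vendors carry the designation must be checked
# against the full published list; this set is only for the sample.
DESIGNATED_CTPPS = {"Amazon Web Services", "Google Cloud", "Microsoft"}


@dataclass(frozen=True)
class CriticalFunction:
    name: str                 # critical or important function
    primary: str              # ICT provider the function runs on
    fallback: Optional[str]   # provider of the documented exit/continuity option


# Constructed sample mapping for a hypothetical mid-sized firm.
SAMPLE_FUNCTIONS = [
    CriticalFunction("payments-core", "Amazon Web Services", None),
    CriticalFunction("customer-ledger", "Amazon Web Services", "Amazon Web Services"),
    CriticalFunction("fraud-scoring", "Amazon Web Services", "Google Cloud"),
    CriticalFunction("identity-provider", "Microsoft", "on-prem"),
    CriticalFunction("regulatory-reporting", "on-prem", None),
]


def provider_shares(functions):
    """Share of critical functions whose primary provider is each vendor."""
    counts = Counter(f.primary for f in functions)
    total = len(functions)
    return {p: round(c / total, 2) for p, c in counts.items()}


def concentration_findings(functions, threshold=0.5):
    """Gaps a supervisor would ask about: a function on a designated CTPP
    with no fallback, a fallback on the same provider (one outage takes
    both down), and any single provider at or above the share threshold."""
    findings = []
    for f in functions:
        if f.primary in DESIGNATED_CTPPS and f.fallback is None:
            findings.append(f"{f.name}: no documented fallback for {f.primary}")
        elif f.fallback == f.primary:
            findings.append(f"{f.name}: fallback is the same provider ({f.primary})")
    for provider, share in provider_shares(functions).items():
        if share >= threshold:
            findings.append(f"{provider}: runs {share:.0%} of critical functions")
    return findings
```

Running `concentration_findings(SAMPLE_FUNCTIONS)` on the sample flags the unmitigated payments dependency, the ledger whose fallback sits on the same provider, and the 60 percent AWS share.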

Penetration testing is moving from optional to mandatory

DORA’s threat-led penetration testing (TLPT) requirements add another layer of operational complexity. The regulation requires significant financial institutions (including global and other systemically important institutions and payment providers with annual transactions of more than €150 billion) to conduct intelligence-led red team exercises on live production systems at least every three years.

The Regulatory Technical Standards for TLPT, published in June 2025 and applicable in all member states from July 8, 2025, set out the precise rules. The threat intelligence provider must always be external. Every third test must use an external red team. Tests must target critical or important functions and the ICT infrastructure that supports them, including relevant third-party providers.

This is no ordinary vulnerability scan. TLPT simulates real-world cyberattacks conducted without the knowledge of the organization’s defence team, providing a true assessment of detection and response capabilities. The cost, coordination and operational risk of conducting such exercises on production systems are significant, and many organizations are still building the internal processes needed to manage them safely.

The cost of getting it right (and getting it wrong)

Compliance is expensive. Deloitte’s survey found that 96 percent of financial institutions estimated the cost of DORA compliance, with the majority falling between €2 million and €5 million. The McKinsey study adds that 70 percent of respondents expect DORA to result in continued higher costs for technology and technology controls. Approximately 40 percent of surveyed organizations dedicate more than seven full-time employees to DORA compliance tasks alone.

Non-compliance costs more. In addition to headline fines (up to 2 percent of global turnover for financial institutions, up to €5 million for critical ICT providers), regulators can impose daily recurring fines of up to 1 percent of global average daily turnover to force prompt remediation. Article 50 of DORA also empowers regulators to suspend licenses or revoke authorization altogether.

National implementation approaches vary, but the direction of travel is clear. While 2025 is widely regarded as a transition year, as regulators review frameworks and identify gaps, 2026 marks the transition to active enforcement. Regulators are moving from reviewing paperwork to demanding evidence: real-time evidence of resilience, automated reports and demonstrable controls over ICT risk.

Where automation fits

The gap between DORA’s requirements and what most organizations can deliver manually has created a growing market for compliance automation. The trend reflects what is happening in adjacent financial regulation: Steward recently raised $5 million to automate AML compliance for investment managers, and Cleafy secured €12 million for bank fraud prevention; both reflect a broader shift towards automated regulatory infrastructure in European financial services. Platforms that can centralize evidence collection, automate control mapping, manage the Register of Information and provide continuous monitoring are seeing increasing demand, particularly from mid-market firms that lack the resources of a large bank’s GRC department.

In Europe, the field of compliance automation includes both well-funded US entrants (Drata, Vanta and Secureframe have expanded into the European market) and a growing cohort of domestic EU platforms built specifically around European regulations. Among them, Vilnius-based Couplet, which raised €6 million in a Series A in February 2026, has positioned itself around DORA, NIS2 and ISO 27001 with automation and fractional CISO support. Its dedicated DORA Registry product, designed to automate the Register of Information submission process, addresses a specific pain point faced by European firms.

The broader trend is not about any one vendor. It is about a structural change in how compliance is done. Manual processes break down when regulations require continuous proof. When submission windows are measured in weeks and vendor inventories run into the hundreds, spreadsheets no longer scale. The earliest adopters typically built automation into their compliance operations from the start rather than adding it as an afterthought.

What comes next

DORA is not a static regulation. The ESAs are expected to update the list of critical ICT providers annually, with the next revision expected at the end of 2026. Additional technical standards for incident reporting and subcontracting are still being finalized. When the first full cycle of Register of Information submissions is completed, regulators will for the first time have a system-wide view of ICT concentration risk in Europe’s financial sector.

This information will inform future supervisory priorities. If it uncovers the concentration and dependency risks that regulators suspect, the response could include tighter controls on cloud provider selection, mandatory multi-provider architectures or enhanced exit planning requirements. The broader trajectory, as the UK’s call for a “major” overhaul of digital defences showed, points to deeper and more prescriptive oversight of technological infrastructure throughout the financial system.

The message from DORA’s first 14 months for financial institutions is that compliance is not a project with a finish line. It is a sustained operational capability that requires a fundamentally different approach to managing investment, infrastructure and technology risk. Firms that treat it that way will be in a better position not only to avoid fines, but also to withstand the operational disruptions that the regulation was designed to address in the first place.
