DORA (Digital Operational Resilience Act, EU regulation 2022/2554) entered into application on 17 January 2025. One year later, 2026 marks the first complete audit cycle of financial entities by competent authorities. This article describes what the ESAs (European Supervisory Authorities — EBA, ESMA, EIOPA) and national regulators (ACPR, BaFin, CNMV, FINMA, AMF…) will examine in priority, the 2026 timeline, expected deliverables, and possible penalties.
The 2026 first audit cycle calendar
| Period | Deadline |
|---|---|
| Q1 2026 | Mandatory submission of the Register of Information (RoI) Art. 31 to your national regulator, ESAs ITS 2024/2956 format |
| Q1–Q2 2026 | First on-site documentary audits (ACPR France, BaFin Germany) — focus on ICT risk and CIFs |
| T2 2026 | Half-yearly reporting of major Art. 17 incidents if applicable |
| Q3 2026 | TLPT scheduling for tier 1 entities (systemic banks, market infrastructures) — Art. 26-27 |
| Q4 2026 | First annual DORA compliance report to the management body, signed by CEO/CRO/CISO |
The 7 priority control points
1. The Register of Information (Art. 31)
The RoI is the pivot of the DORA audit. Standardized format by the ESAs: 7 templates covering entity, contracts, ICT providers, critical functions, subcontracting, certifications, concentration risk report.
Typical errors observed in Q4 2025:
- Missing or incorrect LEI (Legal Entity Identifier).
- CIFs not reconciled with their ICT providers (empty mappings).
- ICT subcontracting (Art. 29) not traced to tier-N.
- Hosting country and cloud service type undeclared.
The auditor will compare the RoI with your actual mapping and flag any inconsistency.
2. ICT governance (Art. 5)
The management body must have approved the ICT risk management framework, and review it regularly. The auditor looks for:
- Committee minutes approving the framework,
- Quarterly reports to CISO/CRO and annual to the board,
- Track of decisions on critical functions (CIFs) and critical providers.
See /features/cif-evaluation for the methodology.
3. The CIF cartography and their RTO/RPO/MTPD
Each CIF must have quantified and tested continuity targets. The auditor verifies:
- Criticality justification compliant with Art. 3(22) (4 criteria),
- RTO/RPO/MTPD declared and proven through exercise,
- Recovery plan documented for each CIF.
See our BIA practitioner's guide and RTO vs RPO 2026.
4. Critical ICT third-party management (Art. 28)
For each ICT provider supporting a CIF, the auditor verifies:
- Exit strategy Art. 28(7)(j) — documented and testable.
- Mandatory contract clauses Art. 30 (continuity, security, audit, termination).
- Concentration risk Art. 29 calculated and documented.
- See CRA contract clauses (close pattern).
5. Major incident notification (Art. 17)
Workflow and deadlines aligned with the ESA ITS: early warning 4 h, notification 24 h, intermediate report 1 month, final report ≤ 30 d post-closure. The auditor will examine your 2025 incidents:
- Did you notify on time?
- Was the content complete (impact, root cause, remediation, lessons learned)?
- Did you notify clients whose services were impacted?
6. Resilience tests (Art. 24-25)
Annual test program, comprising at minimum:
- Continuity tests (DRP, BCP, trigger scenarios),
- Penetration tests on critical ICT systems,
- For tier 1 entities: TLPT (Threat-Led Penetration Test) every 3 years, scenarios driven by threat intelligence.
7. Management body traceability
The management committees must prove they spent time on ICT resilience: agendas, minutes, documented decisions. No "rubber-stamping".
DORA penalties for non-compliance
The ESAs and national regulators can impose:
- Administrative fines up to 2% of total annual worldwide turnover for serious breaches.
- For critical ICT third-party providers designated by the ESAs: up to 1% of average daily worldwide turnover per day of breach, capped at 6 months.
- Public warnings, withdrawal of authorisation in case of recidivism.
The ACPR confirmed in March 2026 that it will prioritize warnings and remediation plans for the first cycle, but serious breaches (unidentified CIFs, missing or false RoI, unnotified incidents) will be sanctioned immediately.
60-day checklist to pass the 2026 audit
D-60 → D-45 : Internal audit of RoI vs actual cartography.
Launch review of all CIFs (justification, RTO/RPO).
D-45 → D-30 : Complete missing CIF ↔ ICT provider mappings.
Verify Art. 30 contract clauses on 100% of contracts.
D-30 → D-15 : Test the incident notification workflow (exercise).
Document ICT governance (committee minutes last quarter).
D-15 → D-7 : Mock audit with external consultant or internal auditor.
D-7 → D-0 : Prepare audit file (minutes, RoI, reports, KPIs).
Align CEO/CRO/CISO on key messages.
D-0 : Audit. Responses prepared, access to artifacts.
How ResiPlan accelerates your DORA 2026 compliance
ResiPlan ships pre-wired:
- Automated RoI Art. 31 generation (ESAs templates 1-7) — see /features/dora-cif.
- CIF evaluation methodology Art. 3(22) — see /features/cif-evaluation.
- Incident workflow Art. 17 (4h/24h/1month/post-closure).
- DORA compliance dashboard in real time.
- TLPT scenarios + integration with certified penetration testers.
Start a free ResiPlan trial — your RoI ready in 2 weeks.