The European DORA regulation (Digital Operational Resilience Act, EU 2022/2554) became fully applicable on 17 January 2025. One year later, the European Supervisory Authorities (ESAs) and national regulators such as France's ACPR are stepping up inspections. This guide summarises the practical obligations that financial entities must meet in 2026.
Who does DORA apply to?
DORA applies to more than 22,000 financial entities in the European Union: banks, insurers, asset managers, investment firms, payment and crypto-asset service providers, among others. The ICT third-party providers they rely on (cloud, SaaS, data centres) are brought into scope indirectly, through the contractual and third-party risk requirements imposed on their customers, and those designated as critical are now overseen directly by the ESAs. Sanctions for financial entities are set by each member state's national law; for critical ICT third-party providers, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover.
The five pillars of DORA
1. ICT risk management
The management body bears ultimate responsibility for the ICT risk management framework: it must define, approve and oversee it. The framework must be documented, reviewed at least once a year (and after major ICT-related incidents or supervisory findings), and cover identification, protection and prevention, detection, response and recovery, learning and evolving, and communication. A complete inventory of ICT assets, mapped to the critical or important functions they support, is a prerequisite for everything else.
2. Incident management, classification and reporting
ICT-related incidents must be classified against the seven criteria defined in the ESAs' classification RTS: clients, financial counterparts and transactions affected; reputational impact; duration and service downtime; geographical spread; data losses; critical services affected; and economic impact. Once an incident is classified as major, it must be reported to the competent authority within tight deadlines:
- initial notification within 4 hours of classification as "major", and in any case no later than 24 hours after the entity became aware of the incident
- intermediate report within 72 hours of the initial notification
- final report within 1 month of the intermediate report
Because the 4-hour clock starts at classification while the 24-hour backstop starts at awareness, the classification process itself must run quickly enough to leave time for the notification; an incident that sits unclassified for a day already breaches the deadline.
3. Digital operational resilience testing
All entities must test, at least once a year, the ICT systems and applications that support critical or important functions, using a programme of assessments appropriate to their size and risk profile (vulnerability assessments, scenario-based tests, source code reviews and similar). Entities identified by their competent authority under the TLPT technical standards must in addition carry out Threat-Led Penetration Testing (TLPT) at least every three years, on live production systems supporting critical or important functions, in line with the TIBER-EU framework.
4. ICT third-party risk management
DORA requires a register of information covering every contractual arrangement with an ICT third-party provider, maintained in the format fixed by the ESAs' implementing technical standards and made available to the competent authority annually and on request. The minimum contractual provisions, reinforced for contracts supporting critical or important functions, are set out in Article 30 of the regulation itself and complemented by the joint ESA technical standards (for example on subcontracting). Documented exit strategies for providers supporting critical or important functions, and an assessment of ICT concentration risk before contracting, become mandatory.
5. Cyber threat information sharing
Sharing indicators of compromise and attack tactics between financial entities is encouraged through dedicated communities, subject to GDPR compliance.
2026 timeline
| Deadline | Required action |
|---|---|
| January 2026 | Annual submission of ICT register of information |
| Q1 2026 | Annual review of the ICT risk management framework |
| Q2 2026 | First TLPT exercise for significant entities |
| Ongoing | Major incident reporting within ESA deadlines |
DORA compliance checklist
- ICT risk management framework approved by the management body
- Exhaustive inventory of critical assets and functions
- Operational incident classification process
- Third-party register of information up to date and filed
- DORA clauses embedded in critical ICT contracts
- Annual testing plan documented and executed
- Exit strategy for every critical provider
- Documented DORA training for senior management
- Notification procedure to the competent authority (ACPR in France) tested end to end, including the 4-hour and 24-hour clocks
Common mistakes to avoid
ACPR inspections in 2025 highlighted several recurring weaknesses: incomplete ICT registers, missing exit strategies for cloud providers, incidents left unclassified because internal thresholds were unclear, and resilience testing limited to table-top exercises with no technical testing of production systems. DORA is lex specialis to the NIS2 directive: financial entities in scope of DORA apply its ICT risk management and incident reporting rules in place of the corresponding NIS2 obligations, while NIS2 continues to set the baseline for the other essential and important sectors.
Learn more
DORA compliance is not a one-off project but a continuous cycle. ResiPlan centralises the ICT register, automates incident classification against the seven ESA criteria, and generates regulatory reports in the required format.
- CISO and operational resilience solution
- Compliance solution (DORA, NIS2, ISO)
- DORA vs NIS2: which directive applies
- Pricing and demo
Sources: Regulation (EU) 2022/2554, EBA Guidelines EBA/GL/2023/05, ENISA publications 2025, ACPR notes on DORA supervision.