Beyond Day One: Navigating the DORA Enforcement and Supervisory Landscape of 2026 and Onward

Introduction: The End of the Grace Period and the Dawn of a New Supervisory Era

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, represents the most significant evolution in the European Union’s approach to operational risk since the post-financial crisis reforms. Its application date of January 17, 2025, marks a definitive turning point for the entire financial sector, including the rapidly evolving crypto-asset market [1]. In a clear and unequivocal message to the industry, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), have confirmed that there will be no transitional or grace period. From this date forward, full compliance is not an aspiration but a mandatory, enforceable reality.

This regulation signals a fundamental paradigm shift. Historically, financial regulation addressed operational risk primarily through capital allocation, treating potential losses as a financial buffer issue [9]. DORA fundamentally alters this perspective by establishing a comprehensive, process-driven framework that explicitly targets the operational integrity of Information and Communication Technology (ICT) systems [9]. It moves beyond mere financial resilience to demand demonstrable digital operational resilience: the ability to withstand, respond to, and recover from all types of ICT-related disruptions and threats [11]. This harmonized framework applies to a vast array of financial entities, from traditional banks and insurance firms to crypto-asset service providers (CASPs) authorized under the Markets in Crypto-Assets Regulation (MiCAR).

While the 2025 deadline imposes immediate obligations across all five pillars of DORA (ICT Risk Management, Incident Reporting, Resilience Testing, Third-Party Risk Management, and Information Sharing), supervisory attention in the initial months will be intensely focused on a critical, tangible deliverable: the Register of Information (RoI) [4]. Under Article 28(3), all financial entities must maintain and make available to their National Competent Authority (NCA) a comprehensive register of all contractual arrangements with ICT third-party service providers [1]. This is not a routine administrative task; it is the first, non-negotiable test of a firm’s readiness. NCAs face a hard deadline of April 30, 2025, to report this consolidated information to the ESAs, making the completeness and accuracy of each entity’s RoI a matter of systemic importance from day one.

The strategic importance of the RoI extends far beyond an initial compliance check. It is the primary data-gathering mechanism that will empower the entire DORA supervisory apparatus for the years to come. The information collected is explicitly required for the “assessment of criticality criteria in relation to ICT services provided,” which forms the basis for the ESAs’ designation of Critical ICT Third-Party Providers (CTPPs). With the first CTPP designations expected in the second half of 2025 and the formal launch of the direct ESA-led oversight framework commencing in 2026, the data submitted in early 2025 becomes the foundational intelligence for this new supervisory regime. An incomplete or inaccurate RoI, therefore, not only constitutes a direct compliance failure but also signals a lack of control over the digital supply chain, immediately marking an entity as a higher-risk proposition and a prime candidate for deeper, more intrusive supervisory scrutiny. The RoI is the first critical link in a supervisory chain of events that will define the enforcement landscape of 2026 and beyond.

Section 1: The Anatomy of DORA Enforcement: Understanding the Powers and Penalties

DORA equips NCAs with a formidable arsenal of supervisory and enforcement powers to ensure compliance. These authorities, designated by each Member State, are empowered to conduct the full spectrum of supervisory activities, including requesting access to any relevant documents and data, carrying out on-site inspections and investigations, and issuing direct orders for entities to take specific security measures or remediate identified vulnerabilities. For financial entities such as CASPs, the designated competent authority will be the same one responsible for their authorization under MiCAR, creating a unified supervisory front for the crypto sector [52].

The Financial Consequences of Non-Compliance

The financial penalties for breaches of DORA are designed to be substantial and serve as a powerful deterrent. The regulation mandates that each Member State must establish its own rules on administrative penalties, which must be “effective, proportionate and dissuasive”. While DORA does not harmonize the specific maximum amounts of fines at the EU level, it creates a framework for significant financial consequences.


Furthermore, DORA explicitly extends liability to the individuals responsible within the management body, who can face personal penalties as defined under the national law of the relevant Member State. For designated CTPPs that fail to comply with their direct oversight obligations, the penalty regime is even more severe, including the possibility of periodic penalty payments calculated at up to 1% of their average daily worldwide turnover for the preceding business year, applicable for up to six months until compliance is achieved. This ensures that the entire digital supply chain, not just the financial entities themselves, is subject to significant financial accountability.

Beyond Fines: Remedial Measures and Reputational Damage

The enforcement toolkit extends far beyond monetary fines. NCAs possess a range of remedial powers that can have a profound operational impact on a non-compliant firm. These include the authority to issue a public notice or reprimand, which can inflict significant reputational damage and erode client trust. They can also issue a “cease and desist” order for the specific conduct constituting the breach and require the entity to take concrete steps to remediate the issue. In the most severe cases of repeated or egregious non-compliance, DORA allows for the temporary or permanent withdrawal of a firm’s authorization to operate, representing the ultimate sanction.

When deciding on the type and level of penalty, authorities will conduct a case-by-case assessment based on a range of factors. These include the gravity and duration of the breach; whether it was intentional or the result of negligence; the financial strength of the responsible entity; the degree of cooperation shown with the authority; and any previous breaches by the entity [54]. This discretionary framework allows supervisors to tailor the penalty to the specific circumstances, ensuring that both minor oversights and systemic failures are addressed proportionately but effectively.

| Measure Type | Applicability | Potential Severity/Quantum |
|---|---|---|
| Administrative Fines (Entity) | Financial Entity | To be defined by Member States; must be effective, proportionate, and dissuasive |
| Administrative Fines (Individual) | Members of the Management Body of a Financial Entity | To be defined under the national law of the relevant Member State |
| Periodic Penalty Payments | CTPP | Up to 1% of average daily worldwide turnover for the preceding business year, for up to 6 months |
| Remedial Orders | Financial Entity, CTPP | Order to cease conduct and remediate specific vulnerabilities |
| Public Notice/Reprimand | Financial Entity, CTPP | Public disclosure of non-compliance and the identity of the entity |
| Withdrawal of Authorization | Financial Entity | Temporary or permanent revocation of the license to operate [53] |

A crucial aspect of the DORA enforcement model is the strong push toward de facto harmonization. While the Level 1 text grants Member States some latitude in defining specific penalties, the highly coordinated development of detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), combined with the unified 2026 supervisory work programmes of the ESAs, points to a clear intention to ensure consistent and rigorous enforcement across the EU [1]. The financial sector has already witnessed how inconsistencies in national supervision can lead to “regulator shopping,” a significant concern within the MiCAR framework [27]. To prevent such regulatory arbitrage and establish the credibility of this new, harmonized regime, both NCAs and the ESAs have a vested interest in ensuring that enforcement is swift, visible, and applied with a high degree of consistency. It is therefore highly probable that the initial 12-18 months of DORA’s application will see a series of high-profile enforcement actions targeting clear-cut failures (such as the failure to submit an accurate RoI or to report a major incident) to establish a strong precedent and send an unambiguous message to the market.

Section 2: The 2026 Horizon: A Deep Dive into Coordinated European Supervisory Action

While 2025 marks the formal application of DORA, 2026 represents the true beginning of its mature supervisory phase. This new era will be defined by the full operational launch of the joint ESA oversight framework for CTPPs, a mechanism that will fundamentally reshape the relationship between financial entities, their critical technology providers, and their supervisors [19]. Under this framework, one of the three ESAs will be designated as a “Lead Overseer” for each CTPP, granting them powers of direct supervision over entities that were previously outside the regulatory perimeter [28]. The work programmes published by the EBA, EIOPA, and ESMA for 2026 reveal a coordinated and multi-faceted strategy to leverage this new power and drive a deeper, more effective level of DORA compliance across the entire financial ecosystem.

The EBA's 2026 Work Programme: Scrutinizing the Digital Supply Chain

The EBA’s 2026 agenda places a heavy emphasis on scrutinizing the digital supply chain through its new CTPP oversight function [20]. Its planned activities will move beyond high-level policy checks to conduct deep, evidence-based assessments of how CTPPs manage risk. Key planned actions include direct engagement with CTPPs on their internal governance, ICT strategy, and risk management processes. Crucially, the EBA plans to conduct horizontal thematic reviews of contracts and Service Level Agreements (SLAs) between CTPPs and the financial entities they serve. This means supervisors will be systematically comparing contractual terms across the market to identify weaknesses and inconsistencies. The EBA will also perform thematic deep-dives and potential on-site inspections focusing on specific high-risk areas within CTPPs, such as their own subcontracting arrangements or their incident response capabilities [20].

EIOPA's 2026 Focus Area: Assessing Governance and Fitness for Purpose

For the insurance and pensions sector, EIOPA has confirmed that DORA will be a primary “Focus Area” for 2026, signaling a significant allocation of supervisory resources [26]. EIOPA’s supervisory activities will concentrate on the quality and effectiveness of the governance structures underpinning digital resilience. Supervisors will specifically assess the degree of engagement of the Administrative, Management, or Supervisory Body (AMSB) in developing and overseeing the ICT risk management framework. This indicates that board meeting minutes, risk committee reports, and evidence of senior management’s active involvement will be subject to review. Furthermore, EIOPA will assess whether a firm’s ICT risk management framework is genuinely “fit for purpose” given its specific business model and risk profile, and will scrutinize the comprehensiveness of its RoI and the adequacy of its digital resilience testing programme [26].

ESMA's 2026 Supervisory Convergence Mission

For the securities and markets sector, 2026 marks the first full year of ESMA’s joint oversight mandate under DORA [19]. A central objective of its work programme is to drive supervisory convergence. This means ESMA will work actively with all NCAs to ensure that DORA is applied and enforced with a consistent level of rigor across all 27 Member States. This is a direct effort to prevent the emergence of regulatory havens where compliance standards might be perceived as lower. ESMA will leverage its role in the joint oversight of CTPPs and its direct supervision of entities like trade repositories and credit rating agencies to promote best practices and ensure a level playing field, progressively increasing the intensity of supervisory focus as the industry gains experience with the new requirements [19].

| Supervisory Authority | Key DORA Priority for 2026 | Specific Planned Actions | Direct Implication for Your Firm |
|---|---|---|---|
| EBA | Direct Oversight of CTPPs and Supply Chain Risk | Horizontal thematic reviews of contracts; on-site inspections of CTPPs; analysis of major ICT incidents [20] | Your contracts with major cloud providers will be indirectly audited by the EBA. Any weaknesses found will trigger direct follow-up from your national regulator. |
| EIOPA | Assessment of Governance and Framework Fitness | Assessment of AMSB (board-level) engagement; review of the ICT risk framework’s “fitness for purpose”; scrutiny of resilience testing programmes [26] | Your board’s documented involvement in ICT risk strategy will be examined. You must be able to prove your DORA framework is tailored to your specific risks. |
| ESMA | Driving Supervisory Convergence and Consistency | Exercising the joint CTPP oversight mandate; progressively increasing supervisory focus across NCAs; ensuring full compliance of directly supervised entities [19] | Your national regulator will be under pressure from ESMA to apply DORA standards as strictly as any other EU country, eliminating any potential for lenient interpretation. |

The coordinated nature of these work programmes reveals a crucial mechanism that will define DORA supervision from 2026 onward: the “trickle-down” supervisory effect. The direct oversight of CTPPs serves as the catalyst for this process. When a Lead Overseer, such as the EBA, conducts an on-site inspection of a major cloud provider and identifies a systemic weakness (for example, in its standard contractual clauses related to exit strategies or in its incident notification protocols), the resulting recommendations will not be confined to that CTPP alone. The DORA framework mandates close cooperation and information sharing between the Lead Overseer and the NCAs of all financial entities that use that provider’s services [1]. NCAs will be formally required to follow up on the Lead Overseer’s recommendations by assessing the exposure of the financial entities under their own supervision [20]. Consequently, a single finding at the CTPP level in 2026 will trigger a cascading wave of supervisory inquiries and potential remediation orders for hundreds of financial entities across the EU. This powerful, indirect supervisory lever means that firms can no longer treat their relationship with a critical provider as a “black box”; its internal controls and contractual integrity will be laid bare before regulators, and its clients will be held directly accountable for addressing any identified deficiencies.

Section 3: The Proportionality Principle and the MiCAR Nexus: A Guide for Micro-Enterprises and CASPs

DORA is built on a principle of proportionality, recognizing that a one-size-fits-all approach would be unduly burdensome for smaller entities. This principle is particularly relevant for the target audience of this report: micro-enterprises and specialized firms like CASPs. However, a nuanced understanding of what proportionality means in practice is critical, as a misinterpretation could lead to significant compliance gaps.

Proportionality in Practice: Targeted Exemptions for Micro-Enterprises vs. the Simplified Framework

In applying proportionality, it is crucial to distinguish between the specific “simplified ICT risk management framework” of Article 16 and the targeted exemptions granted to micro-enterprises elsewhere in the regulation. The simplified framework under Article 16, which significantly scales back requirements, does not automatically apply to all small entities. Instead, this regime is exclusively reserved for a specific list of financial firms, such as small and non-interconnected investment firms, certain payment and e-money institutions (depending on national implementation), and small institutions for occupational retirement provision [35].

Micro-enterprises, defined as entities employing fewer than 10 persons and having an annual turnover or balance sheet total that does not exceed EUR 2 million, benefit from a different set of specific, targeted exemptions that are “sporadically” located throughout DORA’s provisions [37]. These simplifications are significant but do not constitute a blanket exemption from core DORA principles. For instance, micro-enterprises are not required to establish a separate, independent control function for ICT risk, are exempt from the requirement for regular internal audits of their framework, and need only conduct periodic reviews rather than annual ones [37]. Further exemptions exist in other areas, such as being exempt from advanced Threat-Led Penetration Testing (TLPT) and not being required to assign a specific role to monitor third-party ICT arrangements [37]. However, core obligations remain firmly in place: micro-enterprises must still establish a sound, documented ICT risk management framework that includes a digital operational resilience strategy, report major incidents, conduct proportionate testing, and maintain a complete Register of Information (RoI) [34].

| DORA Pillar | Full Requirement | Specific Simplification/Exemption for Micro-enterprises | Key Action Required |
|---|---|---|---|
| ICT Risk Management | Comprehensive framework with a digital resilience strategy, subject to annual internal audit and overseen by a dedicated control function [38] | Documented framework with a digital resilience strategy required, but no mandatory internal audit or dedicated control function; periodic review instead of annual [37] | You must still have a documented framework and strategy, and be able to justify your risk-based decisions and review frequency to auditors. |
| Incident Reporting | Establish processes to detect, manage, classify, and report major ICT-related incidents according to strict timelines and detailed templates | The same requirements for classifying and reporting major incidents apply; thresholds for what constitutes “major” are proportionate to the entity’s size and complexity [37] | You must have a robust incident response and reporting process capable of meeting the same strict timelines as larger entities. |
| Resilience Testing | Establish a comprehensive testing programme, including advanced Threat-Led Penetration Testing (TLPT) for significant entities | Exempt from the requirement to perform TLPT; must still conduct a proportionate, risk-based testing programme (e.g., vulnerability scans, scenario tests) [37] | You must implement and document a regular testing schedule that is appropriate for your specific systems and risk profile. |
| Third-Party Risk Mgmt. | Maintain a detailed Register of Information (RoI) on all ICT providers and ensure all contracts contain mandatory DORA clauses | The requirement to maintain a comprehensive RoI applies fully; not obligated to assign a specific role to monitor third-party arrangements [37] | You must create and maintain the RoI and review all ICT contracts for DORA compliance, just like any other financial entity. |

The central challenge of proportionality lies in the burden of proof. The DORA framework explicitly states that it is the responsibility of the competent authority to review the consistency of an entity’s ICT risk management framework [34]. In the heightened supervisory environment of 2026, where EIOPA will be assessing “fitness for purpose” and ESMA will be driving consistent standards, an NCA will not simply accept a claim of proportionality at face value [19]. Supervisors will demand to see the documented risk assessments, the management body’s decisions, and the clear justifications that led the firm to adopt its scaled-down approach. A failure to provide this evidence will not be seen as a valid application of the proportionality principle, but as a fundamental failure of governance and a clear compliance breach. Proportionality is therefore not a passive right to be claimed, but an active, evidence-based defense that must be meticulously prepared and maintained [34].

The MiCAR-DORA Symbiosis: A Dual Compliance Imperative for CASPs

For Crypto-Asset Service Providers, DORA is not a separate, secondary regulation; it is an inseparable and foundational component of their license to operate under MiCAR. While MiCAR defines what services a CASP can offer (e.g., custody, exchange, trading), DORA defines how those services must be delivered from an operational and technical resilience standpoint. The two regulations are symbiotic: robust DORA compliance is a non-negotiable prerequisite for obtaining and, crucially, maintaining a MiCAR authorization.

This linkage is becoming increasingly explicit in the expectations of supervisors. Regulatory authorities in several EU Member States, concerned about the potential for inconsistent standards, are already calling for reforms that would mandate an independent IT security audit before a CASP can be granted a MiCAR license [27]. This proposal is a leading indicator of future supervisory practice, positioning a firm’s demonstrable DORA posture as a critical gateway to market access.

This dynamic transforms DORA from a mere compliance burden into a significant commercial imperative for CASPs. In a crypto market that is rapidly maturing and experiencing a flight to quality and regulation, a CASP’s ability to demonstrate a mature, well-documented, and effective DORA framework becomes a key competitive differentiator. It will serve to de-risk and accelerate the MiCAR licensing process, build essential trust with institutional clients and banking partners who are themselves subject to DORA, and become a core element of due diligence for investors. Conversely, a failure to meet DORA’s standards will increasingly be perceived not just as a regulatory risk, but as a fundamental threat to a CASP’s business viability and long-term sustainability in the regulated European market.

Section 4: The Strategic Imperative: Building a Defensible and Future-Proof DORA Framework

Achieving and maintaining compliance with DORA, particularly in anticipation of the intensified supervisory landscape of 2026, requires a strategic approach that transcends a simple, one-off project. For smaller entities and CASPs, this presents unique challenges, including significant constraints on financial and human resources, a lack of in-house specialized expertise, the complexity of managing an expanding web of third-party dependencies, and the operational disruption of integrating new, rigorous requirements into existing processes [11]. Overcoming these hurdles demands a shift from a reactive compliance mindset to the proactive cultivation of an organizational culture centered on digital operational resilience.

From Compliance Project to Operational Culture

The supervisory expectations of 2026 (focused on board-level engagement, framework maturity, and demonstrable effectiveness) cannot be met with a last-minute, “tick-box” exercise. DORA places ultimate responsibility for the management of ICT risk squarely on the entity’s management body. Supervisors, particularly from EIOPA, have explicitly stated their intent to assess the depth of this engagement [26]. This requires a cultural shift where digital resilience is not siloed within the IT department but is understood as a core business function, integrated into strategic planning, risk appetite statements, and day-to-day operations.

An Actionable Roadmap for 2026 Readiness

To build a compliance posture that will withstand the scrutiny of the coming years, entities should adopt a structured, forward-looking approach.

1. Establish Foundational Governance (The 2025 Baseline)

The immediate priority is to establish the core governance structures that DORA mandates. This involves formally assigning responsibility for ICT risk oversight at the management body level and creating a sound, comprehensive, and well-documented ICT risk management framework. Even for micro-enterprises availing of the simplified regime, this documented framework is the non-negotiable foundation upon which all other compliance activities are built. This is the essential baseline for surviving the initial supervisory checks of 2025.

2. Master Your Digital Supply Chain (The 2026 Preparation)

The supervisory focus on CTPPs and third-party risk in 2026 makes mastering the digital supply chain a critical strategic priority. The first step is the meticulous creation and ongoing maintenance of the Register of Information. This should be treated as a living document, not a static report. Concurrently, firms must begin the process of reviewing and, where necessary, remediating all contracts with ICT service providers to ensure they include the mandatory contractual provisions required by DORA, particularly for those providers supporting critical or important functions.

3. Document, Test, and Justify (The Evidentiary Record)

The principle of proportionality requires a robust evidentiary record. Firms must implement a proportionate and regular digital operational resilience testing programme. This could range from basic vulnerability assessments and tabletop exercises for micro-enterprises to more sophisticated tests for others [33]. Critically, every risk assessment performed, every strategic decision made regarding the ICT framework, and every test result must be meticulously documented. This creates the essential body of evidence needed to justify and defend the firm’s proportional approach when supervisors inevitably ask, “Show us why this is adequate for your risk profile” [34].

The Strategic Cost of Delay

The central conclusion of this analysis is that the supervisory deep-dives planned for 2026 and beyond will not be assessing the mere existence of DORA policies, but their maturity, integration, and proven effectiveness. A framework hastily assembled in late 2024 to meet the deadline will inherently lack the track record of reviews, the evidence of continuous improvement based on testing, and the documented history of board-level engagement that supervisors will be seeking. Waiting to act places a firm at a significant strategic disadvantage, increasing the risk of being found non-compliant and facing the full spectrum of enforcement actions. Proactive and comprehensive preparation is not merely about meeting the January 2025 deadline; it is about building the institutional resilience and the defensible compliance record necessary to navigate the far more intense and data-driven supervisory environment that lies ahead.

Works cited

1. Timeline for dora implementation – EIOPA, accessed October 10, 2025,
https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en?filename=5_2023-10-10_EIOPA%20Reporting%20event.pdf
2. Digital Operational Resilience Act (DORA) – | European Securities and Markets Authority, accessed October 10, 2025,
https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora
3. Digital Operational Resilience Act (DORA) – Central Bank of Ireland, accessed October 10, 2025,
https://www.centralbank.ie/regulation/digital-operational-resilience-act-dora
5. Digital Operational Resilience Act (DORA) Compliance | DORA Cybersecurity – Fortra, accessed October 10, 2025,
https://www.fortra.com/compliance/dora
6. DORA’s compliance deadline is here: How prepared is your organization? | BCI, accessed October 10, 2025,
https://www.thebci.org/news/dora-s-compliance-deadline-is-here-how-prepared-is-your-organization.html
9. Digital Operational Resilience Act (DORA) | Updates, Compliance, Training, accessed October 10, 2025,
https://www.digital-operational-resilience-act.com/
11. DORA: The 10 key challenges of a successful compliance journey – PwC, accessed October 10, 2025,
https://www.pwc.com/gx/en/issues/risk-regulation/dora-whitepaper-jan2024.pdf
19. ESMA22-50751485-1604 Annual Work Programme 2026, accessed October 10, 2025,
https://www.esma.europa.eu/sites/default/files/2025-10/ESMA22-50751485-1604_Annual_Work_Programme_2026.pdf
20. EBA/REP/2025/25 – EBA Annual work programme 2026 , accessed October 10, 2025,
https://www.eba.europa.eu/sites/default/files/2025-10/b9fe2713-117b-440f-aae0-bdcb8832c3e0/EBA%20Work%20programme%202026.pdf
21. Implementing and delegated acts – DORA – Finance – European Commission, accessed October 10, 2025,
https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en
22. DORA Regulatory Technical Standards | Deloitte Ireland, accessed October 10, 2025,
https://www.deloitte.com/ie/en/services/consulting-risk/research/dora-regulatory-technical-standards.html
26. UNION-WIDE STRATEGIC SUPERVISORY PRIORITIES … – EIOPA, accessed October 10, 2025,
https://www.eiopa.europa.eu/document/download/fdfbb617-881e-451c-a98d-b09b1cddeb87_en?filename=Union-wide%20strategic%20supervisory%20priorities%20-%20Focus%20areas%20for%202026.pdf
27. Aufsichtsbehörden fordern MiCAR-Reform – Bird & Bird, accessed October 10, 2025,
https://www.twobirds.com/en/insights/2025/germany/aufsichtsbeh%C3%B6rden-fordern-micar-reform
28. Preamble 81 to 90, Digital Operational Resilience Act (DORA)., accessed October 10, 2025,
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
29. EBA/REP/2025/25 – EBA Annual work programme 2026 , accessed October 10, 2025,
https://www.eba.europa.eu/sites/default/files/2025-10/b9fe2713-117b-440f-aae0-bdcb8832c3e0/EBA%20Work%20programme%202026.pdf
30. The EBA publishes its 2026 Work Programme and takes action for a more efficient regulatory and supervisory framework in the EU | European Banking Authority, accessed October 10, 2025,
https://www.eba.europa.eu/publications-and-media/press-releases/eba-publishes-its-2026-work-programme-and-takes-action-more-efficient-regulatory-and-supervisory
31. Union-wide strategic supervisory priorities – focus areas for 2026 – EIOPA, accessed October 10, 2025,
https://www.eiopa.europa.eu/publications/union-wide-strategic-supervisory-priorities-focus-areas-2026_en
32. Union-wide strategic supervisory priorities – focus areas for 2026 – PwC Plus, accessed October 10, 2025,
https://pwcplus.de/en/article/251052/union-wide-strategic-supervisory-priorities-focus-areas-for-2026/
35. BaFin Issues Guidance on Simplified DORA Requirements for ICT Risk Management, accessed October 10, 2025,
https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2025/neu/fa_250821_interview_brueggemann_aufsichtsmitteilung_dora_en.html?cms_expanded=false
36. DORA and Simplified ICT Risk Management Framework – FIN LAW, accessed October 10, 2025,
https://fin-law.de/en/2024/12/02/getting-ready-for-dora-part-vii-which-financial-companies-benefit-from-the-simplified-ict-risk-management-framework/
37. DORA Compliance for Microenterprises: Key Articles and …, accessed October 10, 2025,
https://erislaw.se/artiklar/dora-compliance-for-microenterprises-key-articles-and-exemptions/
38. Digital Operational Resilience Act (DORA), Article 6, accessed October 10, 2025,
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
39. Preamble 41 to 50, Digital Operational Resilience Act (DORA)., accessed October 10, 2025,
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
41. The Regulation on Digital Operational Resilience in the Financial Sector (DORA) – AMF, accessed October 10, 2025,
https://www.amf-france.org/en/news-publications/depth/dora
42. Markets in Crypto Assets Regulation (MiCAR) – Central Bank of Ireland, accessed October 10, 2025,
https://www.centralbank.ie/regulation/markets-in-crypto-assets-regulation
43. Digital finance – European Commission, accessed October 10, 2025,
https://finance.ec.europa.eu/news/digital-finance-2024-12-19_en
50. The EU’s Digital Operational Resilience Act (DORA) – 2024 Update | Insights, accessed October 10, 2025,
https://www.skadden.com/insights/publications/2024/07/the-eus-digital-operational-resilience-act
51. How the DORA Regulation applies to CASPs – ORWL, accessed October 10, 2025,
https://www.orwl.fr/en/dora-regulation-casps-eu/
52. Digital Operational Resilience Act (DORA), Article 46, accessed October 10, 2025,
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
54. Digital Operational Resilience Act (DORA), Article 51, accessed October 10, 2025,
https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
