The End of the Grace Period

DORA (Regulation EU 2022/2554) became fully applicable on 17 January 2025 — with no transitional grace period. The European Supervisory Authorities were unambiguous: full compliance was mandatory from day one. The question is no longer whether to comply, but how well-prepared your firm is to withstand the scrutiny that is already underway.

DORA represents a fundamental shift from traditional capital-based operational risk management to a comprehensive framework targeting ICT system integrity. It applies to banks, insurers, investment firms, payment institutions, and crypto-asset service providers (CASPs) authorised under MiCAR — any entity operating in EU financial markets.

The Register of Information was the first live test. All financial entities were required to maintain a complete register of ICT third-party service provider contracts by 30 April 2025, when NCAs reported consolidated data to the ESAs. Firms that missed this deadline failed the first signal supervisors were watching for.

The Anatomy of DORA Enforcement

Penalties are real — and personal

National Competent Authorities now hold extensive enforcement powers: document access, on-site inspections, and direct remediation orders. Member States are required to establish administrative penalties that are "effective, proportionate and dissuasive." Penalties extend to individual members of the management body, who may face personal liability under national law.

For Critical ICT Third-Party Providers (CTPPs), the stakes are higher still: periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months are explicitly provided for in the regulation.

Beyond fines

Enforcement extends well beyond monetary penalties. Regulators can issue:

  • Public notices and formal reprimands
  • Cease-and-desist orders with binding remediation requirements
  • Temporary or permanent withdrawal of authorisation
  • Personal liability orders against management body members

Assessments are case-by-case, weighing breach gravity, duration, intent, the entity's financial strength, cooperation level, and prior violations. Strong coordination among Member States signals that enforcement will pursue "de facto harmonisation" — early visible actions against clear-cut failures will establish precedent across the bloc.

The 2026 Supervisory Horizon

2026 marks the mature supervisory phase. The full ESA framework for CTPP oversight is now active, with three ESAs each designating Lead Overseers for designated critical providers — bringing previously unregulated technology companies into direct EU supervisory scope for the first time.

Authority, 2026 focus, and what it means for your firm:

  • EBA. 2026 focus: CTPP oversight; horizontal thematic reviews of contracts and SLAs. What it means for your firm: your cloud and infrastructure contracts will be compared across markets — gaps will surface.
  • EIOPA. 2026 focus: management body engagement in ICT risk; "fit for purpose" framework assessments. What it means for your firm: board-level ICT oversight is now a supervisory test, not a governance checkbox.
  • ESMA. 2026 focus: supervisory convergence across all 27 Member States. What it means for your firm: the same standard will be applied everywhere — regulatory havens are being closed.

The "trickle-down" effect is real: a single finding against a CTPP cascades across every financial entity that uses that provider, triggering NCA follow-up assessments. Even firms with solid internal frameworks can be caught by their supply chain's failures.

Proportionality and What It Actually Means

Micro-enterprise exemptions are targeted, not blanket

Micro-enterprises (fewer than 10 employees; annual turnover or balance sheet under €2 million) receive specific exemptions — but far fewer firms than expected qualify for them. The exemptions cover:

  • Maintaining a separate ICT risk control function
  • Conducting regular internal ICT audits
  • Threat-Led Penetration Testing (TLPT)

Core obligations remain regardless of size: a documented ICT risk framework, a digital resilience strategy, major incident reporting, proportionate resilience testing, and a complete Register of Information. Proportionality is not an exemption from compliance — it narrows how you comply, not whether you comply.

Critical point: Proportionality requires robust evidentiary records. Supervisors will not accept passive claims of micro-enterprise status. You must produce documented risk assessments, management decisions, and written justifications. That documentation is your defence during supervisory review.

For CASPs: DORA and MiCAR are inseparable

For Crypto-Asset Service Providers, DORA compliance is not separate from MiCAR authorisation — it is a prerequisite for it. MiCAR defines which services you may offer; DORA defines the operational standards under which you must deliver them. Several Member States are already requiring evidence of DORA readiness as part of the MiCAR licensing process itself.

This makes a defensible DORA framework a direct commercial requirement: firms that cannot demonstrate ICT resilience will not receive — or will lose — their MiCAR licence.

An Actionable Roadmap

Step 1: Establish foundational governance (non-negotiable baseline)

Create a formal management body mandate for ICT oversight and a documented, comprehensive ICT risk framework. This is the floor — the thing supervisors check first. Without it, every other effort is indefensible.

Step 2: Master your digital supply chain

Treat the Register of Information as a live operational document, not a one-time submission. Review every ICT provider contract for mandatory DORA provisions. Identify which of your providers could be designated a CTPP — their supervisory exposure becomes yours.

Step 3: Build your evidentiary record

Implement proportionate, regular testing. Document every risk assessment, every strategic decision, every test result. The supervisory question in 2026 is not "do you have policies?" — it is "how long have those policies been working, and what have you improved?" A framework assembled last month has no track record.

The cost of delay. Supervisory assessments in 2026 will focus on framework maturity, operational integration, and proven effectiveness over time. Late assembly creates a structural disadvantage that cannot be papered over with documentation — the absence of a review history is itself a finding.

The templates are already written, mapped to the RTS/ITS, and used in live EU licensing processes. The fastest path to a defensible framework is not starting from scratch.