Most European financial firms still aren’t ready

Europe’s DORA Compliance Race: Why 2026 Is the Year of Reckoning

Fourteen months after the Digital Operational Resilience Act (DORA) became enforceable, Europe’s financial institutions are running out of room to improvise. The regulation, which took effect on January 17, 2025, was supposed to mark the beginning of a new era in digital risk management across the EU. Instead, it has exposed just how far most firms still have to go.

The numbers tell a blunt story. A McKinsey survey of major European financial institutions found that only about a third were confident they could meet all DORA requirements by the January 2025 deadline. Separate research from Deloitte paints an equally sobering picture: just 50% of institutions expected to reach full compliance by the end of 2025, while 38% pushed their target into 2026. Nearly half (46%) identified the Register of Information, DORA’s mandatory inventory of all ICT third-party contracts, as the single most challenging requirement to fulfill.

Those aren’t theoretical gaps. They are live regulatory exposures in a regime that allows fines of up to 2% of annual worldwide turnover and personal penalties of up to EUR1 million for senior managers who fail to act.

What DORA Actually Demands

DORA’s scope is broader than many initially appreciated. The regulation applies not only to banks and insurers but to payment institutions, electronic money providers, crypto-asset service providers, investment firms, and, critically, their ICT service providers. The European Supervisory Authorities (ESAs) estimate that more than 22,000 financial entities fall within scope, along with hundreds of technology vendors that serve them.

The regulation rests on five pillars: ICT risk management, incident reporting, digital operational resilience testing (including threat-led penetration testing for significant institutions), third-party risk oversight, and information sharing. Each pillar comes with its own technical standards, reporting obligations, and supervisory expectations. As we explored in our analysis of why 2026 will be the year of governed cybersecurity AI, the regulatory push toward structured oversight is accelerating across the sector.

What makes DORA different from earlier regulations is its emphasis on continuity. This is not a point-in-time certification exercise. It requires organizations to demonstrate ongoing operational resilience, with real-time monitoring, documented evidence, and the ability to prove compliance at any moment. For teams accustomed to annual audit cycles, the shift is significant.

March 2026: The Register of Information Test

The most immediate pressure point in 2026 is the second annual submission of the Register of Information (RoI). Under Article 28 of DORA, every financial entity must maintain a comprehensive register documenting all contractual arrangements with ICT third-party service providers. National competent authorities then consolidate these registers and submit them to the ESAs by March 31 each year.

For this year’s cycle, the reference date is December 31, 2025, meaning the register must capture every ICT contract in effect at year-end. National deadlines vary: Germany’s BaFin requires submissions between March 9 and 30, the Netherlands’ DNB and AFM set March 20 as the cutoff, Malta’s MFSA set a deadline of March 21, and Luxembourg’s CSSF opened its eDesk portal on February 11 for submissions running through March 31.

The 2025 pilot round exposed serious friction. Many firms discovered they lacked a centralized view of their ICT vendor relationships, with contracts scattered across procurement teams, business units, and subsidiary operations. The data quality issues were substantial: incomplete records, missing contract identifiers, and inconsistent classification of services against the ESA’s taxonomy.

Deloitte’s research confirmed the scale of the challenge, with 46% of financial entities naming the Register of Information as the hardest DORA requirement. For organizations managing hundreds or thousands of vendor relationships across multiple jurisdictions, compiling an accurate, audit-ready register manually is close to impossible within the submission window.

The 19 Providers Under Direct EU Oversight

In November 2025, the ESAs published their first list of 19 critical ICT third-party providers (CTPPs) subject to direct EU oversight. The list includes Amazon Web Services, Google Cloud, Microsoft, Oracle, SAP, and Deutsche Telekom, among others. These providers were designated based on four criteria: systemic impact of potential failure, the systemic importance of the financial entities that depend on them, concentration of reliance within banking, insurance, and securities sectors, and the substitutability of their services.

For these 19 providers, the ESAs now have powers to conduct annual risk assessments, demand comprehensive reporting, carry out on-site inspections, and coordinate oversight through Joint Examination Teams composed of staff from both the ESAs and national regulators.

The designation has a cascading effect. Financial institutions that rely on designated CTPPs must demonstrate they have assessed, documented, and mitigated the concentration risk arising from those dependencies. That means mapping every critical function that runs on AWS, Azure, or Google Cloud, documenting fallback arrangements, and proving that a major provider outage would not bring operations to a halt. For mid-sized firms that built their infrastructure around a single cloud provider, this requirement alone represents months of remediation work.

Penetration Testing Moves From Optional to Mandatory

DORA’s requirements for threat-led penetration testing (TLPT) add another layer of operational complexity. The regulation requires significant financial institutions (including globally and other systemically important institutions, and payment providers processing more than EUR150 billion annually) to conduct intelligence-driven red team exercises on live production systems at least every three years.

The Regulatory Technical Standards for TLPT, published in June 2025 and applicable across all member states since July 8, 2025, set out precise rules. The threat intelligence provider must always be external. Every third test must use an external red team. Tests must target critical or important functions and the ICT infrastructure supporting them, including relevant third-party providers where appropriate.

This is not a routine vulnerability scan. TLPT simulates real-world cyberattacks conducted without the knowledge of the organization’s defense team, providing an authentic assessment of detection and response capabilities. The cost, coordination, and operational risk of running such exercises on production systems are considerable, and many institutions are still building the internal processes to manage them safely.

The Cost of Getting It Right (and Getting It Wrong)

Compliance is expensive. Deloitte’s survey found that 96% of financial institutions have estimated their DORA compliance costs, with most falling between EUR2 million and EUR5 million. McKinsey’s research adds that 70% of respondents expect DORA to result in permanently higher run costs for technology and technology controls. Nearly 40% of surveyed organizations dedicate more than seven full-time employees solely to DORA compliance tasks.

Non-compliance is more expensive. Beyond the headline fines (up to 2% of global turnover for financial entities, up to EUR5 million for critical ICT providers), regulators can impose daily recurring penalties of up to 1% of average daily worldwide turnover to force immediate remediation. Article 50 of DORA also gives regulators the power to suspend licenses or revoke authorization entirely.

National enforcement approaches vary, but the direction of travel is clear. While 2025 was broadly treated as a transition year, with supervisors reviewing frameworks and identifying gaps, 2026 marks the shift toward active enforcement. Regulators are moving from reviewing paperwork to demanding proof: real-time evidence of resilience, automated reporting, and demonstrable control over ICT risk.

Where Automation Fits In

The gap between what DORA demands and what most organizations can deliver manually has created a growing market for compliance automation. The trend mirrors what is happening in adjacent financial regulation: Steward recently raised $5 million to automate AML compliance for investment managers, and Cleafy secured EUR12 million to tackle bank fraud prevention, both reflecting a broader shift toward automated regulatory infrastructure in European financial services. Platforms that can centralize evidence collection, automate control mapping, manage the Register of Information, and provide continuous monitoring are seeing increased demand, particularly from mid-market firms that lack the resources of a large bank’s GRC department.

The compliance automation space in Europe includes both well-funded US entrants (Drata, Vanta, and Secureframe have all expanded their European framework coverage) and a growing cohort of EU-native platforms built specifically around European regulations. Among them, Vilnius-based Copla, which raised EUR6 million in Series A funding in February 2026, has positioned itself around DORA, NIS2, and ISO 27001 with a combination of automation and fractional CISO support. Its dedicated DORA Registry product, designed to automate the ICT register submission process, reflects the specific pain points European firms are encountering.

The broader trend is not about any single vendor. It is about a structural shift in how compliance gets done. When regulations require continuous evidence, manual processes break down. When submission windows are measured in weeks and vendor inventories number in the hundreds, spreadsheets stop being viable. The institutions that adapted earliest have typically done so by embedding automation into their compliance operations rather than bolting it on as an afterthought.

What Comes Next

DORA is not a static regulation. The ESAs are expected to update the list of critical ICT providers annually, with the next revision anticipated later in 2026. Additional technical standards on incident reporting and subcontracting arrangements are still being finalized. And as the first full cycle of Register of Information submissions concludes, regulators will have, for the first time, a system-wide view of ICT concentration risk across Europe’s financial sector.

That data will inform future supervisory priorities. If it reveals the kind of concentration and dependency risks that regulators suspect, the response could include tighter controls on cloud provider selection, mandatory multi-provider architectures, or enhanced exit planning requirements. The broader trajectory, as the UK’s own call for a “colossal” overhaul of digital defences has shown, points toward deeper and more prescriptive oversight of technology infrastructure across the entire financial system.

For financial institutions, the message from the first 14 months of DORA is that compliance is not a project with a finish line. It is an ongoing operational capability that demands investment, infrastructure, and a fundamentally different approach to managing technology risk. The firms that treat it as such will be better positioned not just to avoid fines, but to weather the operational disruptions that the regulation was designed to address in the first place.


Tags: DORA compliance, digital operational resilience, EU financial regulation, ICT third-party risk, cloud provider concentration, threat-led penetration testing, Register of Information, financial technology compliance, regulatory automation, cybersecurity governance
