DORA compliance: many financial institutions in Europe are still unprepared.

Fourteen months after the Digital Operational Resilience Act (DORA) took effect, European financial institutions are finding they have less and less room to manoeuvre. The regulation, in force since January 17, 2025, was meant to open a new chapter in digital risk management across the EU; instead, it has exposed how far most firms still have to go.

The statistics are stark. A McKinsey survey of prominent European financial entities found that only around one-third felt confident about fulfilling all DORA requirements by the January 2025 deadline. Research by Deloitte paints a similarly sobering picture: only 50 percent of institutions expected to achieve full compliance by the end of 2025, while 38 percent had pushed their timelines into 2026. Almost half (46 percent) cited the Register of Information, DORA’s mandatory inventory of all ICT third-party contracts, as the most challenging requirement to meet.

These gaps are not merely theoretical; they represent real regulatory exposure under a regime that permits fines of up to 2 percent of global annual turnover and personal penalties of up to EUR 1 million for senior managers who fail to act.

Understanding DORA's Requirements

DORA’s scope is wider than many initially realized. It applies not only to banks and insurers but also to payment institutions, electronic money providers, crypto-asset service providers, investment firms and, crucially, their ICT service providers. The European Supervisory Authorities (ESAs) estimate that over 22,000 financial entities, along with the many technology vendors that serve them, fall within its purview.

DORA is built on five pillars: ICT risk management, incident reporting, digital operational resilience testing (which includes threat-led penetration testing for significant institutions), oversight of third-party risk, and information sharing. Each pillar carries its own technical standards, reporting obligations, and supervisory expectations. As discussed in our analysis of why 2026 will be the year for governed cybersecurity AI, there is an increasing regulatory push for structured oversight across the sector.

What distinguishes DORA from past regulations is its focus on continuity. It is not a one-time certification exercise; it requires organizations to demonstrate continuous operational resilience, with real-time monitoring, documented evidence, and the ability to prove compliance at any time. For teams accustomed to annual audit cycles, this shift is considerable.

March 2026: Testing the Register of Information

The most urgent deadline in 2026 is the second annual submission of the Register of Information (RoI). Under Article 28 of DORA, all financial entities are required to keep a detailed register of their contractual arrangements with ICT third-party service providers. National regulatory authorities consolidate these registers and submit them to the ESAs by March 31 each year.

For this year's submission, the reference date is December 31, 2025, meaning the register must reflect all ICT contracts that were active at year-end. National deadlines differ: Germany’s BaFin requires submissions between March 9 and 30, the Netherlands’ DNB and AFM set March 20 as their cutoff, Malta’s MFSA has a deadline of March 21, and Luxembourg’s CSSF opened its eDesk portal for submissions from February 11 until March 31.

The 2025 pilot submission revealed significant challenges. Many firms discovered they had no unified view of their ICT vendor relationships, with contracts scattered across procurement teams, business units, and subsidiaries. Data quality problems were substantial, including incomplete records, missing contract identifiers, and inconsistent classification of services against the ESAs’ taxonomy.

Deloitte's findings corroborate the scale of the challenge, with 46 percent of financial entities naming the Register of Information the toughest DORA requirement. For organizations managing hundreds or thousands of vendor relationships across multiple jurisdictions, compiling an accurate, audit-ready register within the submission window can seem nearly impossible.

The 19 Providers Under EU Oversight

In November 2025, the ESAs published their inaugural list of 19 critical ICT third-party providers (CTPPs) subject to direct EU oversight. The list includes Amazon Web Services, Google Cloud, Microsoft, Oracle, SAP, and Deutsche Telekom, among others. These providers were chosen on four criteria: the systemic impact of a potential failure, the importance of the financial entities that depend on them, the concentration of reliance within the banking, insurance, and securities sectors, and the substitutability of their services.

For these 19 providers, the ESAs are now empowered to conduct yearly risk assessments, require detailed reporting, carry out on-site inspections, and coordinate supervision through Joint Examination Teams composed of both ESA and national regulatory staff.

This designation has a cascading effect. Financial institutions relying on designated CTPPs must show they have evaluated, documented, and mitigated the concentration risk arising from these dependencies. This means mapping every critical function that runs on AWS, Azure, or Google Cloud, detailing fallback plans, and demonstrating that an outage of a major provider would not
