While DORA officially took effect on 17 January 2025, the first year was largely a transition period. Supervisors reviewed frameworks, identified gaps, and gave institutions time to catch up. That era is over.
From Paper Compliance to Proof of Resilience
In 2026, European regulators are fundamentally changing their approach. They are moving from reviewing documentation to demanding real-time evidence of resilience: automated reporting, demonstrable control over ICT risk, and live proof that systems can withstand disruption.
Regulators have deployed sophisticated automated tools that cross-reference ICT registers across the EU. Inconsistencies, technical gaps, or late updates in filings are now flagged immediately by these systems.
The Commission Review: January 2026
By 17 January 2026, the European Commission will submit a comprehensive report following consultations with the ESAs and the Committee of European Auditing Oversight Bodies. This review will assess:
- Whether statutory auditors and audit firms should fall within the scope of DORA
- The effectiveness of current supervisory approaches
- Potential expansion of DORA requirements to additional financial entities
- The adequacy of existing penalty frameworks
Compliance Reality Check
According to Deloitte research, only 50% of institutions expected to reach full compliance by the end of 2025. A further 38% pushed their target into 2026. This means nearly half of all regulated entities are entering the enforcement phase with known gaps.
Penalties Are Real
Non-compliant organisations face fines of up to 2% of global annual turnover or EUR 10 million, whichever is higher. Individual fines can reach EUR 1 million. Critical ICT third-party providers face fines of up to EUR 5 million, plus 1% of average daily global turnover for each day of continued non-compliance, for up to six months.
Beyond financial penalties, supervisory authorities can suspend services, mandate remedial measures, conduct on-site inspections, and publicly disclose breaches — leading to severe reputational damage.
What to Do Now
- Conduct an honest gap assessment — identify where your institution falls short
- Automate your reporting — manual processes will not satisfy regulator expectations
- Test your resilience — run tabletop exercises and scenario simulations
- Prepare for the Register of Information submission — due March 2026
- Brief your board — regulatory risk is now a board-level concern