For most of 2025, EU financial regulators operated in a de facto grace period. They expected good-faith compliance efforts rather than perfection, focused on education over enforcement, and reserved formal action for the most egregious failures. That era is over.
Since Q1 2026, national competent authorities (NCAs) across the EU have moved into an interventionist supervisory posture. The Register of Information deadline has passed. Automated cross-sector analyses are running. The first supervisory letters — and in some jurisdictions, the first formal measures — have arrived. Boards that treated DORA as a 2025 project are now discovering it is a 2026 enforcement reality.
From Tolerance to Intervention: What Changed in 2026
DORA became fully applicable on 17 January 2025. Throughout that year, the Joint Committee of the European Supervisory Authorities (EBA, ESMA, EIOPA) published Q&As, supervisors held industry roundtables, and NCAs accepted imperfect but demonstrably progressing compliance programmes. The phrase heard most often in supervisory corridors was "good faith efforts."
The shift began in Q4 2025. Three simultaneous developments signalled the change:
- Register of Information (RoI) submission deadline. The Q1 2026 deadline for submitting the xBRL-CSV RoI to competent authorities became the first hard, measurable compliance test. Supervisors can now run automated queries across submitted data — identifying missing ICT providers, anomalous concentration patterns, and discrepancies with previously reported incident data.
- Supervisory capacity built up. NCAs spent 2025 hiring and training dedicated DORA examination teams. BaFin, the ECB Supervisory Board, the FCA (for non-EU parallel frameworks), AMF/ACPR, DNB, Banca d'Italia, and others all materially expanded their operational resilience examination resources.
- First formal measures issued. The Netherlands (DNB) issued the first batch of supervisory letters to institutions with material gaps in their ICT risk management frameworks in early 2026. Italy issued guidance on its national penalty thresholds. Germany clarified its enforcement ladder under existing supervisory powers pending full DORA transposition into national administrative law.
Automated Supervision: How NCAs Are Using RoI Data
The Register of Information is not just a reporting exercise. It is a supervisory intelligence tool. For the first time, regulators have machine-readable data covering the entire ICT supply chain of every in-scope financial institution across the EU.
The Joint Committee has coordinated the development of automated analytics that supervisors apply to submitted RoI data. The analyses include:
- Concentration mapping. Identifying which ICT providers are systemically important across multiple institutions and jurisdictions — the data that fed the CTPP designation process (19 providers designated in November 2025).
- Completeness scoring. Institutions whose RoI covers fewer ICT arrangements than peer institutions of comparable size and complexity are automatically flagged for follow-up review.
- Cross-referencing with incident reports. If an institution reported a major ICT incident in 2025 involving a provider that does not appear in their RoI, this contradiction triggers immediate scrutiny.
- Sub-outsourcing chain depth. Shallow sub-outsourcing mapping — where institutions claim to have no material sub-contractors — is statistically improbable for large institutions and triggers enhanced review.
Institutions should assume their RoI has already been analysed. If you received no follow-up communication, that is a positive signal — not a signal that nobody is looking.
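The four analyses above can be reproduced internally before a supervisor runs them. The script below is an added example, not code from the original article or from any supervisory authority: it runs the same four checks (concentration mapping, peer completeness scoring, incident-to-RoI cross-referencing, and sub-outsourcing depth) over a small constructed register. The institution names, providers, size bands and the thresholds (three institutions for "concentrated", half the peer median for "incomplete") are assumptions chosen for illustration, not values from the RTS.

```python
from collections import defaultdict
from statistics import median

# Constructed RoI rows (hypothetical institutions and providers, not real data).
# One row per ICT arrangement: who uses which provider for which function,
# whether the function is critical/important, and any declared sub-contractors.
ROI_ROWS = [
    {"institution": "BankA", "size": "large", "provider": "CloudCo",
     "function": "core banking", "critical": True, "subcontractors": ["DC-Ops"]},
    {"institution": "BankA", "size": "large", "provider": "PayProc",
     "function": "card processing", "critical": True, "subcontractors": []},
    {"institution": "BankA", "size": "large", "provider": "MailSaaS",
     "function": "email", "critical": False, "subcontractors": []},
    {"institution": "BankB", "size": "large", "provider": "CloudCo",
     "function": "core banking", "critical": True, "subcontractors": []},
    {"institution": "BankC", "size": "large", "provider": "CloudCo",
     "function": "data warehouse", "critical": True, "subcontractors": ["Analytics-Sub"]},
    {"institution": "BankC", "size": "large", "provider": "PayProc",
     "function": "card processing", "critical": True, "subcontractors": []},
    {"institution": "BankC", "size": "large", "provider": "HR-SaaS",
     "function": "payroll", "critical": False, "subcontractors": []},
    {"institution": "InsurD", "size": "small", "provider": "CloudCo",
     "function": "policy admin", "critical": True, "subcontractors": []},
]

# Constructed major-incident reports: the provider each report named.
INCIDENTS = [
    {"institution": "BankA", "provider": "PayProc"},
    {"institution": "BankB", "provider": "KYC-Vendor"},  # absent from BankB's RoI
]


def concentration_map(rows, min_institutions=3):
    """Providers used by at least `min_institutions` distinct institutions."""
    users = defaultdict(set)
    for r in rows:
        users[r["provider"]].add(r["institution"])
    return {p: sorted(i) for p, i in users.items() if len(i) >= min_institutions}


def completeness_flags(rows, ratio=0.5):
    """Institutions declaring fewer arrangements than `ratio` x the median of
    their same-size peers. Returns {institution: (own_count, peer_median)}."""
    counts, size = defaultdict(int), {}
    for r in rows:
        counts[r["institution"]] += 1
        size[r["institution"]] = r["size"]
    flagged = {}
    for inst, n in counts.items():
        peers = [c for i, c in counts.items() if size[i] == size[inst] and i != inst]
        if peers and n < ratio * median(peers):
            flagged[inst] = (n, median(peers))
    return flagged


def incident_roi_mismatches(rows, incidents):
    """Incident reports naming a provider that the institution's RoI omits."""
    declared = defaultdict(set)
    for r in rows:
        declared[r["institution"]].add(r["provider"])
    return [(i["institution"], i["provider"]) for i in incidents
            if i["provider"] not in declared[i["institution"]]]


def shallow_suboutsourcing(rows):
    """Large institutions whose critical arrangements declare no sub-contractor at all."""
    critical = defaultdict(list)
    for r in rows:
        if r["critical"]:
            critical[(r["institution"], r["size"])].append(r)
    return sorted(inst for (inst, size), rs in critical.items()
                  if size == "large" and not any(r["subcontractors"] for r in rs))


def run_self_audit(rows, incidents):
    """All four checks in one report, keyed by check name."""
    return {
        "concentration": concentration_map(rows),
        "completeness": completeness_flags(rows),
        "incident_mismatch": incident_roi_mismatches(rows, incidents),
        "shallow_suboutsourcing": shallow_suboutsourcing(rows),
    }


if __name__ == "__main__":
    for check, finding in run_self_audit(ROI_ROWS, INCIDENTS).items():
        print(f"{check}: {finding}")
```

On the constructed data, BankB is flagged by three of the four checks: one declared arrangement against a peer median of three, an incident naming a provider its register does not list, and a critical cloud arrangement with no sub-contractor declared. A real register would be loaded from the xBRL-CSV export rather than a literal list, but the checks themselves stay the same.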
The Penalty Framework: What Regulators Can Now Do
DORA creates a layered penalty architecture. The key distinction is between financial institutions (subject to national supervisory penalty powers) and Critical ICT Third-Party Providers (subject to direct EU-level oversight sanctions).
For Financial Institutions (Article 50)
National competent authorities can impose:
- Administrative fines up to EUR 10 million or 2% of total annual global turnover (whichever is higher) for serious infringements
- Periodic penalty payments (compulsion payments) to force remediation — running daily until the breach is corrected
- Public censure: publication of the institution's name, the nature of the infringement, and the responsible individuals — the reputational dimension that boards fear most
- Cease and desist orders requiring immediate suspension of specific ICT practices
- Temporary or permanent prohibition of management body members from exercising management functions
Personal Liability for Executives (Article 52)
This is the provision that has focused board attention more than any other. DORA establishes that, where infringements by a legal entity are attributable to natural persons, NCAs can impose fines on individuals directly. For the management body members of financial institutions, the ceiling is EUR 1 million per individual per infringement.
Liability attaches where a board member:
- Failed to ensure adequate ICT risk management oversight
- Did not receive or act on quarterly ICT risk reports
- Cannot demonstrate training in digital operational resilience (as required by Article 5(4))
- Approved outsourcing arrangements to ICT providers without the Article 30 mandatory contractual clauses
The evidentiary standard matters. Board minutes documenting ICT risk agenda items, records of management body training, and signed-off risk appetite statements are no longer just governance hygiene — they are potential legal defences.
For Critical ICT Third-Party Providers (Articles 35, 42)
Designated CTPPs face a separate enforcement track under direct oversight by the Lead Overseer (EBA for banking/payments, ESMA for investment/CCPs, EIOPA for insurance). Sanctions include:
- Periodic penalty payments of up to 1% of average daily global turnover, applied per day for up to six months — creating a potentially existential financial exposure for non-remediation
- Mandatory remediation notices requiring specific operational changes within defined timescales
- Requests to financial institutions to terminate contracts with a non-compliant CTPP (the nuclear option)
National Divergences: The Penalty Floor Is Not Uniform
While DORA harmonises the maximum penalty framework, the actual penalties imposed depend heavily on how each Member State has implemented DORA's mandate into national administrative law — and on each NCA's institutional culture and enforcement philosophy.
| Jurisdiction | Supervisor | Enforcement posture 2026 | Notable threshold |
|---|---|---|---|
| Italy | Banca d'Italia / IVASS | Active; first formal notices issued Q1 2026 | Up to EUR 20M for wilful or grossly negligent infringements |
| Germany | BaFin | Graduated; focus on systemic institutions first | Up to EUR 5M for serious infringements; EUR 1M personal liability |
| Netherlands | DNB / AFM | First-mover; supervisory letters issued early 2026 | Proportionate; public disclosure used proactively |
| France | AMF / ACPR | Guidance published; enforcement expected H2 2026 | EU maximum thresholds; focus on large institutions |
| Ireland | CBI | Proportionate framework; smaller entities given more runway | Risk-based; significant institutions prioritised |
| Luxembourg | CSSF | Active; fund industry focus given sector concentration | EU maximum thresholds; fund managers explicitly in scope |
Institutions operating across multiple jurisdictions face the most complex situation: they must comply with the DORA baseline while also managing the practical reality that each NCA will apply its own examination methodology and enforcement timing.
Incident Reporting as a Supervisory Signal
One of the most counterintuitive aspects of 2026 enforcement is how regulators are interpreting incident reporting data. The assumption might be that fewer reported incidents equals fewer problems. NCAs are beginning to reason in the opposite direction.
An institution operating thousands of ICT systems and services, processing millions of transactions daily, that has never reported a single major ICT incident since January 2025, is statistically anomalous. Supervisors interpret this in one of two ways:
- The institution has genuinely excellent ICT resilience and a mature detection capability — possible, but rare.
- The institution has not implemented a functional incident classification and reporting process, or is applying the classification criteria in a way that keeps events below the reporting threshold — a compliance breach in itself.
The 4-hour initial notification, 72-hour interim report, and 1-month final report deadlines under Article 19 are being treated as process indicators. NCAs are less interested in the specific incidents reported than in the evidence that an institution has the processes to detect, classify, and report within the required timelines.
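Because the deadlines are read as process indicators, it helps to track each stage of every classified incident against its clock rather than only against the calendar. The checker below is an added example, not code from the original article: it takes the three deadlines as the page lists them and reports, per incident and per stage, whether the submission was on time, late, still pending, overdue, or blocked because the previous report has not gone out. The clock-start convention (initial from classification, interim from the initial notification, final from the interim report), the approximation of "1 month" as 30 days, and the sample timestamps are assumptions for this example; confirm the exact rule against the reporting RTS.

```python
from datetime import datetime, timedelta

# Deadlines as listed in the text. Treating "1 month" as 30 days is an
# assumption for this example.
DEADLINES = {
    "initial": timedelta(hours=4),
    "intermediate": timedelta(hours=72),
    "final": timedelta(days=30),
}
STAGES = ("initial", "intermediate", "final")

# Constructed incident records (hypothetical). Timestamps are ISO 8601 strings;
# None means the report has not been submitted.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "classified": "2026-02-03T09:00", "initial": "2026-02-03T12:30",
     "intermediate": "2026-02-06T10:00", "final": "2026-03-04T16:00"},
    {"id": "INC-2", "classified": "2026-03-10T22:00", "initial": "2026-03-11T08:00",
     "intermediate": None, "final": None},
    {"id": "INC-3", "classified": "2026-03-01T10:00", "initial": None,
     "intermediate": None, "final": None},
]


def _parse(value):
    return datetime.fromisoformat(value) if value else None


def report_deadlines(classified_at, initial_sent=None, intermediate_sent=None):
    """Due time per stage. Assumed chaining: initial runs from classification,
    interim from the initial notification, final from the interim report."""
    due = {"initial": classified_at + DEADLINES["initial"]}
    if initial_sent:
        due["intermediate"] = initial_sent + DEADLINES["intermediate"]
    if intermediate_sent:
        due["final"] = intermediate_sent + DEADLINES["final"]
    return due


def assess(incident, now):
    """Status per stage: on_time, late, pending, overdue, or blocked."""
    ts = {k: _parse(incident.get(k)) for k in ("classified",) + STAGES}
    due = report_deadlines(ts["classified"], ts["initial"], ts["intermediate"])
    status = {}
    for stage in STAGES:
        sent, deadline = ts[stage], due.get(stage)
        if deadline is None:
            status[stage] = "blocked"      # earlier report not yet submitted
        elif sent is None:
            status[stage] = "overdue" if now > deadline else "pending"
        else:
            status[stage] = "on_time" if sent <= deadline else "late"
    return status


def process_indicator(incidents, now):
    """Count of incidents with at least one late or overdue stage, and the
    per-incident detail: the number a supervisor would read as a process signal."""
    detail = {i["id"]: assess(i, now) for i in incidents}
    breaches = sum(1 for s in detail.values() if set(s.values()) & {"late", "overdue"})
    return breaches, detail


if __name__ == "__main__":
    breaches, detail = process_indicator(SAMPLE_INCIDENTS, datetime(2026, 3, 12, 9, 0))
    for inc_id, status in detail.items():
        print(inc_id, status)
    print("incidents with a timing breach:", breaches)
```

Run against the sample records at 2026-03-12 09:00, INC-1 is clean at every stage, INC-2 missed the 4-hour initial window by six hours with its interim report still pending, and INC-3 has no initial notification eleven days after classification. Two of three incidents carrying a timing breach is exactly the kind of ratio that turns a reporting log into a supervisory finding about process, independent of what the incidents were.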
What NCAs Are Examining in 2026 Audits
Based on supervisory communications and industry intelligence from Q1 2026, the following areas are receiving the highest examination priority:
1. Register of Information Quality
Completeness, accuracy, and consistency with prior reporting are scrutinised first. Examiners are specifically looking for arrangements with cloud providers, payment processors, and data analytics firms that institutions may have incorrectly classified as non-critical.
2. ICT Risk Management Framework Documentation
The framework must be formally approved by the management body — not the CTO or CISO, but the board itself. Examiners will ask for the board resolution, the framework document, and evidence that the board receives at least quarterly ICT risk reporting. A CISO-approved framework with no visible board engagement is a finding.
3. Article 30 Contract Compliance
The mandatory contractual clauses — covering service level agreements, access and audit rights, data portability, termination assistance, and sub-outsourcing approval — must appear in all contracts with ICT service providers supporting critical or important functions. Many institutions signed DORA-compliant addenda in 2024-25; examiners are checking whether those addenda actually cover the correct contractual parties and the full scope of services.
4. Incident Classification Methodology
Examiners request the internal decision tree or criteria matrix used to classify whether an event is a major ICT incident requiring regulatory notification. If the methodology has never produced a notification, the methodology is the finding.
5. Resilience Testing Programme
For all in-scope entities: documented annual testing covering vulnerability assessments, network security, and scenario-based tests. For significant entities: the TLPT scheduling plan. The TLPT deadline (every entity designated by its competent authority must have completed at least one TLPT by January 2028) is already being planned in supervisory calendars.
The Practical Enforcement Ladder
For institutions that have not yet achieved full compliance, understanding how NCAs typically escalate is strategically important. Enforcement does not begin with a maximum fine. The typical progression is:
1. Desk review / data request — low visibility, often triggered by RoI analysis or incident report patterns
2. Supervisory letter / findings letter — identifies gaps, sets a remediation timeline (typically 3-6 months)
3. On-site inspection — reserved for significant institutions or where desk review findings are material
4. Formal remediation order — legally binding requirement to fix specific gaps by a specific date
5. Compulsion payment notice — daily penalty for continued non-compliance post-deadline
6. Administrative fine / public censure — final sanction for wilful or repeat non-compliance
Most institutions will never reach step 5 or 6 if they engage constructively from step 2. The worst outcomes — maximum fines, public disclosure, executive liability proceedings — are reserved for entities that ignore supervisory correspondence, actively mislead examiners, or fail to remediate material gaps after receiving a formal order.
Seven Actions to Take Before Your Next Supervisory Review
- Audit your RoI submission. Compare the submitted data against your actual ICT landscape. Identify gaps before your supervisor does.
- Verify board-level documentation. Ensure the management body has formally approved the ICT risk framework and that approval is minuted. Update the record if 2025 reviews were CTO-signed only.
- Run a contract clause review. Check every material ICT contract against the Article 30 mandatory clause list. Prioritise contracts with cloud providers and payment infrastructure operators.
- Test your incident classification process. Run a tabletop exercise specifically designed to produce a major ICT incident notification. If the exercise cannot produce a qualifying event, your classification criteria may be too conservative.
- Confirm your testing programme is documented. If your annual vulnerability assessments exist but are not formally documented as part of a DORA resilience testing programme, formalise them now.
- Assess TLPT applicability. If you have not received guidance from your NCA on TLPT designation, seek clarity proactively. Waiting until 2027 to begin planning a TLPT you need to complete before January 2028 is insufficient lead time.
- Prepare management body evidence files. Compile the documentary record that board members exercised due diligence on ICT risk: training certificates, risk committee minutes, signed-off risk appetite statements, and quarterly ICT risk reports.
The Bottom Line
The transition from the DORA compliance project to the DORA enforcement reality is now complete. Supervisors are not hostile to institutions that have gaps — virtually every institution has some — but they are measuring the quality of your response to those gaps. Active engagement, documented remediation plans, and demonstrable board-level ownership are the factors that separate institutions that navigate 2026 successfully from those that become enforcement case studies.
The grace period is over. The question is no longer whether your institution will be examined, but whether you will be ready when it is.