The Comprehensive Guide to DORA Compliance & Maintenance in 2026

DORA does not apply to:

• Specific Fund Managers: Alternative investment fund managers as referred to in Article 3(2) of Directive 2011/61/EU.
• Exempted Insurers: Insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC.
• Small Retirement Schemes: Institutions for occupational retirement provision that operate pension schemes with 15 members or fewer in total.
• Exempted Investment Persons: Natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU.
• Small Insurance Intermediaries: Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries that qualify as microenterprises or small or medium-sized enterprises.
• Specialized Institutions: Post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.
• Member State Exclusions: Entities that Member States choose to exclude, such as certain specialized national credit or public sector entities listed in Article 2(5), points (4) to (23), of Directive 2013/36/EU.

DORA is built upon five non-negotiable pillars that govern the entire ICT lifecycle:

To be DORA compliant, entities must meet the requirements across the five primary pillars.

Financial entities must maintain a sound, comprehensive, and well-documented ICT risk management framework as part of their overall risk management system.

• Management Responsibility: The management body bears ultimate responsibility for managing ICT risk, approving the digital operational resilience strategy, and allocating an adequate budget for ICT security and staff training.
• Continuous Governance: In 2026, senior management is expected to stay actively updated on ICT risks through regular training, as they face individual liability and personal fines of up to €1 million for compliance failures.
• Core Functions: The framework must include strategies for identification, protection, detection, response, and recovery. Entities must maintain updated inventories of all ICT assets and business functions, mapping their interdependencies.

Financial entities must implement a process to detect, manage, and notify authorities of ICT-related incidents.

• Standardized Reporting: Major incidents must be reported through a streamlined framework involving an initial notification, intermediate reports, and a final report.
• Classification Criteria: Incidents are classified based on the number of clients affected, the geographical spread (particularly if affecting more than two Member States), the duration of downtime, and the economic impact.
• 2026 Challenges: Industry feedback indicates that the reporting process has faced challenges, such as the burden of weekend reporting and the difficulty of identifying root causes from third-party providers within strict timelines.

To identify vulnerabilities, entities must establish a comprehensive testing program as an integral part of their risk management framework.

• Basic Testing: All financial entities (excluding microenterprises) must conduct appropriate tests, such as vulnerability scans, network security assessments, and gap analyses, on all critical ICT systems at least yearly.
• Advanced Testing (TLPT): Entities identified as “significant,” such as large systemic banks or market infrastructures, must undergo Threat-Led Penetration Testing (TLPT) at least every three years. In 2026, many of these entities are in the midst of their first TIBER-EU testing cycles to meet the initial three-year deadline of January 17, 2028.

DORA treats third-party risk as an integral component of ICT risk, requiring entities to remain fully responsible for compliance even when services are outsourced.

• Register of Information (RoI): Entities must maintain a detailed register of all contractual arrangements with ICT third-party service providers. In 2026, the focus has shifted toward the ongoing maintenance and accuracy of these registers following the first major submission in April 2025.
• Oversight of Critical Providers: Critical ICT third-party service providers (CTPPs) are subject to a Union Oversight Framework led by European Supervisory Authorities (ESAs), which can conduct on-site inspections and issue recommendations.
• Exit Strategies: For services supporting critical or important functions, entities must have robust, tested exit plans to transfer services to alternative providers or reincorporate them in-house without business disruption.

The final pillar encourages financial entities to voluntarily exchange cyber threat information and intelligence amongst themselves.

• Collective Defense: Sharing intelligence on tactics, techniques, procedures, and security alerts aims to enhance the collective defense capabilities of the financial community.
• Trusted Communities: These arrangements must take place within trusted communities and be implemented through platforms that protect business confidentiality and comply with data protection and competition laws. Entities are required to notify their competent authorities of their participation in these sharing groups.

DORA establishes a comprehensive framework for penalties that includes financial sanctions, non-financial measures, and potential criminal penalties for non-compliance. 

Financial Penalties for DORA Non-Compliance

The administrative fines are categorized based on whether they apply to financial entities, critical ICT third-party service providers (CTPPs), or individuals in management roles:

1. Fines for Financial Entities

Financial institutions found to be in breach of DORA may face significant pecuniary penalties administered by National Competent Authorities (NCAs).

• Turnover-Based Fines: For the most serious violations, entities can be fined up to 2% of their total annual worldwide turnover.
• Daily Penalties: Certain breaches may result in fines of up to 1% of the average daily turnover worldwide.
• Fixed Fines: Member States may also impose fixed administrative fines of up to €5 million, depending on the nature of the violation.

2. Fines for Critical ICT Third-Party Providers

Providers designated as “critical” are overseen by a Lead Overseer (one of the European Supervisory Authorities) and face a distinct penalty regime aimed at compelling compliance with oversight requests.

• Periodic Penalty Payments: To compel a CTPP to comply with investigation or inspection requests, the Lead Overseer can impose a periodic penalty payment of up to 1% of the average daily worldwide turnover of the provider in the preceding business year.
• Duration: These daily payments can be imposed for no more than six months following the notification of the decision.
• Compliance Fines: Non-compliance with oversight requirements can also lead to fines of up to €5 million.

3. Personal Liability and Individual Fines

DORA explicitly includes provisions for individual liability to ensure senior management takes active responsibility for digital resilience.

• Management Fines: Senior management and key function holders can face personal fines of up to €1 million for compliance failures.
• Professional Restrictions: Individuals may also be subject to temporary bans from holding management positions.

Non-Financial Penalties for DORA Non-Compliance

Supervisory authorities have extensive powers to intervene in the operations of both financial entities and critical ICT third-party service providers (CTPPs). Aside from financial penalties, other enforcement measures include:

1. Supervisory and Investigatory Actions

Authorities can use several tools to identify and address non-compliance in real time:

• On-Site Inspections: Regulators may conduct unannounced examinations of an entity’s operations, business premises, and land.
• Information Requests and Interviews: Authorities have the power to mandate the production of documents, examine records, and summon staff or management for interviews to provide oral or written explanations.
• Remediation and Cease-and-Desist Orders: Competent authorities can issue remediation orders requiring mandatory corrective actions or orders requiring a person or entity to cease conduct that breaches the regulation and desist from repeating it.

2. Public Disclosure (“Naming and Shaming”)

To ensure public awareness and market discipline, authorities can utilize public notices:

• Public Statements: Regulators may issue public statements indicating the identity of the natural or legal person responsible for a breach and the nature of the violation.
• Notice of Non-Compliance: If a CTPP fails to follow recommendations, the Lead Overseer may publish a notice describing the type and nature of the non-compliance.

3. Operational and Contractual Restrictions

In more severe cases, authorities can directly restrict business activities:

• Suspension or Termination of Services: As a “measure of last resort,” a competent authority can require a financial entity to temporarily suspend or completely terminate its use of a specific service provided by a critical ICT third-party provider until identified risks are addressed.
• License Suspension: In extreme circumstances, regulators have the power to withdraw or suspend an entity’s professional authorization (license).
• Business Restrictions for Providers: CTPPs can face restrictions that limit their ability to provide services to financial entities if they fail to meet oversight requirements.

4. Individual and Management Liability

DORA places significant personal accountability on senior leaders:

• Temporary Management Bans: Beyond personal fines, senior management and key function holders can be subject to temporary bans from holding management positions.
• Mandatory Training: Management bodies are legally required to maintain sufficient knowledge to assess ICT risks, and failure to engage in regular training can be a point of regulatory scrutiny.

5. Criminal Penalties

For the most severe violations, DORA allows Member States to pursue criminal sanctions. These measures may include:

• Imprisonment for individuals in extreme cases.
• Director disqualification orders.
• Corporate criminal liability.

This table summarizes the key penalties available under the Digital Operational Resilience Act (DORA):

Key Penalties under DORA

DORA fines are imposed for a range of violations related to operational resilience and regulatory oversight. These penalties apply to both financial entities and critical ICT third-party service providers that fail to meet the legal standards set by the framework.

Violations by Financial Entities

Competent authorities have the power to impose administrative penalties and remedial measures for any breach of the regulation’s requirements. Specifically, they may adopt measures of a pecuniary nature (commonly known as fines) to ensure that financial entities continue to comply with their legal obligations. The decision to fine an entity is based on factors such as the materiality and duration of the breach, the degree of responsibility, and the financial strength of the organization.

Violations by Critical ICT Third-Party Service Providers

Critical ICT third-party service providers are subject to a specific set of “periodic penalty payments” designed to compel cooperation with the Lead Overseer. These fines are triggered by the following specific violations:

• Failure to Provide Information: Fines are imposed if a provider fails to supply all relevant business documents, contracts, policies, or ICT security audit reports required by the Lead Overseer.
• Non-Compliance with Investigations: Providers face penalties if they do not submit to general investigations, fail to produce requested records and data, or fail to provide adequate oral or written explanations during interviews.
• Opposition to Inspections: Fines are applied if a provider opposes or fails to submit to mandatory on-site inspections of their Operation Centers, head offices, or other premises.
• Failure to Implement Recommendations: Periodic payments may also be used to compel a provider to implement remedies or actions specified in previous oversight recommendations.

Competent authorities are required to ensure that all administrative penalties and remedial measures are effective, proportionate, and dissuasive. To achieve this balance, they evaluate the specific circumstances of a breach using the following mitigating and aggravating factors.

Aggravating Factors for DORA Non-Compliance

Mitigating Factors for DORA Non-Compliance

DORA was designed to be technology-neutral, meaning its principles apply whether you are using a mainframe from the 1990s or a generative AI model from 2026. However, as the financial sector hits the “AI Inflection Point,” the way you implement DORA must evolve to remain effective.

DORA and AI Act Convergence

By August 2026, the EU AI Act will be fully applicable, creating a dual-regulatory environment for financial institutions. If you use AI for “high-risk” functions, such as credit scoring or risk assessment, your DORA ICT Risk Management framework must include AI-specific controls.

Defending Against AI-Powered Cyber Threats

In 2026, the “threat landscape” is being industrialized by Large Language Models (LLMs) and deepfake technology. Your DORA strategy must account for these emerging vectors:

Zero Trust: The Final Frontier of Future-Proofing

To move beyond “checklist compliance,” forward-thinking firms are adopting a Zero Trust Architecture (ZTA) as their baseline for DORA.

As of 2026, the European Supervisory Authorities (ESAs) have shifted focus from “Implementation” to “Supervision and Evidence.” Use this questionnaire and checklist to ensure your organization is ready for a potential audit by your National Competent Authority (NCA).

Questionnaire: Are You DORA Compliant in 2026?

Pro Tip for 2026: Regulators are looking for “Operational Maturity.” It is no longer enough to have a policy; you must show the logs, audit trails, and board minutes that prove the policy is being lived.

To comply with the Digital Operational Resilience Act (DORA), financial entities must implement a comprehensive framework that integrates information and communication technology (ICT) security into their broader operational strategy. This checklist, derived from the sources, outlines the mandatory actions required for regulatory compliance.