
DORA in 2026: what 15 months of enforcement have taught us

Introduction
Hardly any sector is as dependent on digital infrastructure as financial services. Payments, securities trading, claims handling, customer communication: everything runs through networked systems, and those systems remain targets for increasingly sophisticated cyberattacks. DORA was designed to put a harmonized European framework around that reality. What the last 15 months have shown is that the hard part is not understanding the rules, but running them well, at scale, under live supervision.
Key Takeaways
- DORA is live. The question is no longer readiness but execution quality under active supervision.
- Data quality, not data collection, is the real challenge in the Register of Information.
- First Critical ICT Third-Party Providers are designated, with direct consequences up and down the supply chain.
- Contractual remediation at scale is the heaviest operational load, and most institutions are not finished.
- TLPT is proving far more demanding than standard penetration testing.
- Solving cross-regulation coherence across DORA, NIS-2, and GDPR once is worth more than answering each regulator separately.
- SecureSafe's Swiss hosting, zero-knowledge architecture, and immutable audit logs reduce friction for clean DORA-aligned ICT third-party documentation.
What DORA is, in one paragraph
DORA is the EU's harmonized framework for digital operational resilience across the financial sector. It applies to almost all regulated financial entities (banks, insurers, asset managers, payment service providers, crypto-asset service providers, and more), together with their ICT service providers, even when those providers are based outside the EU. It entered into force on January 16, 2023 and became fully applicable on January 17, 2025. The regulation is built around five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing on cyber threats.
Where we are in April 2026
The 15-month mark is a useful vantage point because several first-cycle milestones have now passed.
First Register of Information submissions are done. Financial entities submitted their first Registers of Information (RoI) to national competent authorities in early 2025, and the NCAs forwarded the consolidated registers to the ESAs by April 30, 2025. NCAs such as De Nederlandsche Bank and BaFin have now worked through a full cycle, and Swiss providers with EU financial-entity customers have been pulled through it indirectly, because their customers needed provider data (identifiers, service classifications, sub-outsourcing chains) to populate their registers. Industry feedback, including from AFME, has been candid: first-cycle submissions were hard, with fragmented timelines between NCAs, inconsistent guidance, and validation-rule surprises. The second cycle, due in spring 2026, is expected to be smoother but is already revealing that data quality, not data collection, is the real challenge.
The first CTPPs have been designated. In November 2025, the ESAs designated the first tranche of Critical ICT Third-Party Providers, a group of 19 providers whose services to the EU financial sector are now under direct EU-level oversight. The designations have practical consequences for both the providers (who face oversight engagement with the ESAs, oversight fees, and formal reporting obligations) and for financial entities (whose third-party registers must now reflect CTPP status, and whose contractual arrangements with those providers fall under closer scrutiny).
Subcontracting rules are finalized. The Regulatory Technical Standards on ICT subcontracting were resolved in March 2025 after a protracted negotiation between the ESAs and the European Commission. This matters because sub-outsourcing is where most third-party risk actually lives, and the RTS gives supervisors a clearer basis for asking hard questions about chains of dependency.
TLPT is moving from theoretical to scheduled. Institutions identified as in scope for threat-led penetration testing are now in active scoping conversations. TLPT is not an annual hygiene exercise, it is a serious, multi-month, intelligence-driven program, and the first wave of institutions is finding out exactly how serious.
What the five DORA pillars actually require
With the distance of 15 months, it is possible to describe each pillar with less abstraction.
- ICT risk management. A documented, board-owned framework. The responsibility sits with the management body, not the CISO. In practice, supervisors want to see evidence that the board has read, discussed, and signed off on the framework, and that governance artifacts (committee minutes, approvals, escalation records) back this up.
- ICT-related incident reporting. Major ICT-related incidents must be reported to the competent authority on a tight timeline: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. The classification thresholds are the most operationally demanding part, because the clock for the initial notification starts at classification, and a slow classification eats into the 24-hour outer bound. In 2025 and early 2026, supervisors have been particularly interested in whether institutions are over- or under-reporting, and whether each classification is defensible against the RTS criteria.
- Digital operational resilience testing. A program of testing that ranges from vulnerability assessments to full TLPT for designated entities. Penetration tests are not new to banks. TLPT, with its threat-intelligence-led scoping and red-team mechanics, is new to most, and the first engagements are taking significantly longer than institutions had planned.
- ICT third-party risk management. This is where most of the 2025 effort went, and where most of the 2026 effort will continue. The Register of Information is the artifact, but the real work is the underlying discipline: understanding where ICT services come from, which support critical or important functions, where sub-outsourcing chains introduce concentration risk, and whether contracts actually contain the clauses DORA requires.
- Information sharing on cyber threats. The lightest-touch pillar in practice, but expected to develop further in 2026 as sector-specific information-sharing arrangements mature.
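The two-bound rule for the initial notification is the part incident teams most often get wrong, so here is a small deadline calculator as an added example (not code from the page, SecureSafe, or any regulator). It encodes only the timelines stated above: initial notification at the earlier of classification plus 4 hours and awareness plus 24 hours, intermediate report 72 hours after the initial notification was actually sent, final report one month after the intermediate report was actually sent. The weekend and bank-holiday extensions the RTS allows are deliberately not modelled, and "one month" is taken as a calendar month; both are simplifying assumptions. The timestamps in the sample run are constructed.

```python
"""Deadline calculator for DORA major ICT-related incident reporting.

Assumptions (not from the regulation text on this page): no weekend or
bank-holiday extension, "one month" means the same calendar day one month
later, clamped to the last day of a short month.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime
    # True when the 24h-from-awareness bound already expired before the
    # incident was classified: the initial notification is late on day one.
    initial_overdue_at_classification: bool


def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (Jan 31 -> Feb 28/29)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: datetime | None = None,
    intermediate_sent_at: datetime | None = None,
) -> ReportingDeadlines:
    """Compute the three reporting deadlines from timezone-aware timestamps.

    Later deadlines are counted from when the earlier report was actually
    submitted, if known; otherwise from its own deadline (the worst case).
    """
    if aware_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; deadlines are computed in UTC")
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    initial = min(classified_at + INITIAL_AFTER_CLASSIFICATION,
                  aware_at + INITIAL_AFTER_AWARENESS)
    intermediate = (initial_sent_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = add_one_month(intermediate_sent_at or intermediate)
    return ReportingDeadlines(
        initial=initial,
        intermediate=intermediate,
        final=final,
        initial_overdue_at_classification=initial < classified_at,
    )


# Constructed sample: detection on a Monday morning, three classification times.
UTC = timezone.utc
AWARE = datetime(2026, 3, 2, 9, 0, tzinfo=UTC)
CLASSIFIED_FAST = datetime(2026, 3, 2, 10, 30, tzinfo=UTC)   # 1.5 h after awareness
CLASSIFIED_SLOW = datetime(2026, 3, 3, 7, 30, tzinfo=UTC)    # 22.5 h after awareness
CLASSIFIED_LATE = datetime(2026, 3, 3, 15, 0, tzinfo=UTC)    # 30 h after awareness

if __name__ == "__main__":
    for label, c in (("fast", CLASSIFIED_FAST), ("slow", CLASSIFIED_SLOW), ("late", CLASSIFIED_LATE)):
        d = deadlines(AWARE, c)
        print(label, d.initial.isoformat(), "overdue:", d.initial_overdue_at_classification)
```

In the "slow" case the classification-plus-4-hours bound would give 11:30, but the awareness-plus-24-hours bound gives 09:00 and wins; in the "late" case the outer bound has already passed when classification happens, which is exactly the situation supervisors probe when they ask whether thresholds are being applied promptly.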
The five things that have actually turned out hard
Looking across the 15 months, certain patterns have repeated across institutions regardless of size.
- Register of Information data quality. First-cycle submissions were completed, but the feedback loops from validation rules and NCA checks revealed significant quality gaps. Free-text fields were used where controlled vocabularies were expected. Entity identifiers were inconsistent. Sub-outsourcing relationships were under-represented. The 2026 cycle is, for many institutions, less about building the register and more about repairing it.
- Mapping critical or important functions. The RoI is organized around critical or important functions (CIFs), but the mapping from business processes to CIFs to supporting ICT services is non-trivial, particularly in universal banks with long legacy estates. Getting this mapping right is prerequisite to everything else.
- Contractual remediation at scale. DORA requires specific clauses in ICT contracts that cover CIFs, including audit rights, exit strategies, sub-outsourcing transparency, and resilience obligations. Rewriting or addending thousands of contracts within a 12-to-18-month window has been a serious legal and operational load, and the remediation is not finished at most institutions.
- Multi-cloud and multi-jurisdiction visibility. Hybrid and multi-cloud estates make it hard to prove where sensitive data is actually processed and stored at any given moment. This was a challenge before DORA. DORA has simply made it an audit question.
- Cross-regulation coherence. DORA, NIS-2, GDPR, and (for Swiss institutions) FINMA guidance all address overlapping territory from different angles. Institutions subject to more than one regime have found that harmonizing the controls once is worth more than answering each regulator's questions separately.
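The register-quality failures listed above (free text where a code was expected, inconsistent entity identifiers, under-reported sub-outsourcing) are cheap to catch before submission rather than in NCA feedback. The following is an added example, not code from SecureSafe, DSwiss, or the ESAs: a pre-submission validator over a flattened row layout. The field names, the row layout, and the five-code service vocabulary are constructed stand-ins; the real templates and code lists are those in the ITS on the Register of Information and its annex, and a production check would load them from there. The LEI check-digit rule (ISO 17442, ISO 7064 MOD 97-10, the same scheme IBANs use) is real and is the one thing here that is not a placeholder.

```python
"""Pre-submission sanity checks for Register of Information rows.

Constructed example. Row fields and ICT_SERVICE_CODES are illustrative
stand-ins for the ITS templates and annex code list. LEI validation
follows ISO 17442 (ISO 7064 MOD 97-10 check digits).
"""
from __future__ import annotations

import re
from collections import defaultdict

# Placeholder vocabulary; replace with the annex code list in real use.
ICT_SERVICE_CODES = {"S01", "S02", "S03", "S04", "S05"}
LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # structural check only (ISO 3166-1 alpha-2)


def _mod97(s: str) -> int:
    # Letters map to two digits (A=10 ... Z=35), digits to themselves.
    return int("".join(str(int(c, 36)) for c in s)) % 97


def lei_check_digits(prefix18: str) -> str:
    """Check digits that make the full 20-char LEI satisfy value mod 97 == 1."""
    return f"{98 - _mod97(prefix18 + '00'):02d}"


def is_valid_lei(lei: str) -> bool:
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1


def validate_register(rows: list[dict]) -> list[tuple[int, str, str]]:
    """Return (row_index, field, message) findings; an empty list means clean."""
    findings: list[tuple[int, str, str]] = []
    # Identifiers that may legitimately be referenced as a subcontractor's parent.
    known = {r["provider_lei"] for r in rows if is_valid_lei(r["provider_lei"])}
    names: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        names[r["provider_lei"]].add(r["provider_name"].strip())

    for i, r in enumerate(rows):
        if not is_valid_lei(r["provider_lei"]):
            findings.append((i, "provider_lei", "not a structurally valid LEI (format or check digits)"))
        if len(names[r["provider_lei"]]) > 1:
            findings.append((i, "provider_name",
                             f"same LEI reported under {len(names[r['provider_lei']])} different names"))
        if r["service_type"] not in ICT_SERVICE_CODES:
            findings.append((i, "service_type", "free text or unknown code where a vocabulary code is expected"))
        if not COUNTRY_RE.match(r["country"]):
            findings.append((i, "country", "expected an ISO 3166-1 alpha-2 code"))
        if r["rank"] > 1 and r.get("parent_lei") not in known:
            findings.append((i, "parent_lei", "subcontractor row must reference a provider present in the register"))
    return findings


# Constructed sample providers; check digits are derived so the LEIs are well-formed.
_A, _B = "5299009ABCDEF12345", "894500ZZ0000000001"
LEI_A = _A + lei_check_digits(_A)
LEI_B = _B + lei_check_digits(_B)
BAD_LEI = LEI_A[:-1] + str((int(LEI_A[-1]) + 1) % 10)  # one transcription error

SAMPLE_ROWS = [
    {"contract_ref": "CTR-0001", "provider_lei": LEI_A, "provider_name": "Cloud Provider A GmbH",
     "country": "DE", "service_type": "S03", "rank": 1, "parent_lei": None},
    {"contract_ref": "CTR-0002", "provider_lei": LEI_A, "provider_name": "Cloud Provider A",
     "country": "DE", "service_type": "S01", "rank": 1, "parent_lei": None},
    {"contract_ref": "CTR-0003", "provider_lei": LEI_B, "provider_name": "Payments Vendor B AG",
     "country": "Germany", "service_type": "cloud hosting", "rank": 1, "parent_lei": None},
    {"contract_ref": "CTR-0004", "provider_lei": BAD_LEI, "provider_name": "Sub Vendor C",
     "country": "CH", "service_type": "S02", "rank": 2, "parent_lei": "529900UNKNOWN00000XX"},
]

if __name__ == "__main__":
    for idx, field, msg in validate_register(SAMPLE_ROWS):
        print(f"{SAMPLE_ROWS[idx]['contract_ref']} {field}: {msg}")
```

The name-consistency check is the one institutions most often lack: the same provider entered as "Cloud Provider A GmbH" in one business unit's rows and "Cloud Provider A" in another's is not an error a per-row validation rule will ever flag, but it is exactly what makes concentration analysis across the register unreliable.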
What SecureSafe CEO Alexander Sommer has said
"It is no longer enough to secure your own technical infrastructure. Banks and financial service providers must be able to prove at any time how sensitive data is processed, stored, and passed on, both internally and externally." — Alexander Sommer, CEO, SecureSafe, quoted in Springer Professional.
Fifteen months in, the statement reads less as a warning and more as a description of current supervisory reality. Proving it, repeatedly, across the supply chain, is what DORA has made a permanent part of the job.
What helps now
The practical playbook has matured. For institutions still catching up, or for those preparing for the second RoI cycle, three things consistently help.
- A clean gap analysis. Not a checklist, but a real comparison between what the regulation requires and what the institution can actually evidence. The gaps found in 2025 were different from the gaps institutions expected in 2024.
- A disciplined third-party management function. Central ownership of the RoI, central contract templates, central criticality classification. The institutions that did this early are now the ones with less pain in the second cycle.
- Tooling that produces audit trails as a side effect. Monitoring, reporting, and incident-response tools that generate defensible evidence by default, rather than requiring evidence to be reconstructed after the fact.
How SecureSafe supports DORA-aligned operations
SecureSafe, operated by DSwiss AG, is built on an architecture that maps directly onto several DORA-relevant expectations for handling sensitive data and documents.
- Data location in Switzerland, under Swiss jurisdiction (revDSG / FADP), with Tier III data centers and triple redundancy. For EU financial entities using SecureSafe under cross-border contracts, this translates into a clear ICT third-party profile with defined legal and operational boundaries.
- Encryption and zero-knowledge architecture: AES-256 at rest, TLS in transit, envelope encryption, and a zero-knowledge model in which SecureSafe personnel have no access to decrypted customer content during normal operations. Exceptional access is protected by dual control (M-of-N approval), time-bound just-in-time workflows, and immutable logging. For the Register of Information, the distinction that matters is whether a given class of content cannot be decrypted by the provider at all or can be decrypted only through a controlled break-glass path; the two carry different third-party risk profiles, and the register and the contract should say which applies to which data.
- Identity and access management: MFA enforcement, SSO via SAML and OIDC, SCIM-based user lifecycle, RBAC and ABAC access models, and comprehensive audit logs that support evidence-on-demand.
- Assurance: ISO/IEC 27001 certification, alignment with revDSG / FADP and GDPR, and support for DORA and NIS-2 requirements for institutions that fall under those regimes.
These properties do not make an institution DORA-compliant on their own. Compliance is a determination made by the financial entity, not by a vendor. What they do is reduce the friction of documenting a specific class of ICT third-party arrangement cleanly in the Register of Information and in audit conversations.
Conclusion
DORA is no longer a compliance program on a deadline. It is an operating reality that will shape ICT governance in EU financial services for the next decade. The institutions that treat it as a continuous discipline, rather than as a point-in-time project, are the ones reporting smoother second-cycle submissions, fewer supervisory queries, and a measurably cleaner picture of their ICT supply chain.