DORA Compliance Advisory 2026 — Digital Operational Resilience Act for EU Financial Entities
The Digital Operational Resilience Act (DORA — Regulation (EU) 2022/2554) has been fully enforceable since January 17, 2025. 2026 is the year that EU supervisors have shifted from awareness to active enforcement — with supervisory inspections underway, the first Critical ICT Third-Party Provider (CTPP) designations published in November 2025 (19 providers including AWS, Google Cloud, Microsoft, Oracle, SAP, and Deutsche Telekom), the second annual Register of Information submission cycle completed in March 2026, and the first Threat-Led Penetration Testing (TLPT) notifications scheduled for late 2026 and early 2027. DORA applies to over 22,000 EU financial entities — including all CySEC-licensed CIFs, CBC-licensed PIs, Bank of Lithuania EMIs, MiCA-authorized CASPs, FSCA FSPs, and investment firms regulated under MiFID II — and to their ICT third-party service providers globally, regardless of where those providers are located. Penalties for non-compliance reach 2% of global annual worldwide revenue for financial entities and 1% of daily global revenue for ICT providers. Boards are personally accountable for approving and overseeing the ICT risk framework. DORA is not a technology regulation — it is a governance regulation that makes senior management directly responsible for digital operational resilience. Zitadelle AG provides DORA compliance advisory for all regulated financial entities in our client portfolio — CIF, PI, EMI, CASP, and investment firm licensees across Cyprus, Lithuania, Mauritius, and other jurisdictions.
Who Must Comply with DORA
DORA applies to 20 categories of financial entity. The most commercially relevant for Zitadelle AG clients:
Investment firms (MiFID II / CIF): All CySEC-licensed Cyprus Investment Firms require full DORA compliance. CySEC has integrated DORA readiness assessment into its supervisory inspection framework.
Credit institutions: Banks and banking license holders including Latvia's new specialised credit institutions.
Payment institutions and e-money institutions: All CBC-licensed PIs, Bank of Lithuania EMIs, Latvia Latvijas Banka EMIs, and equivalent EU-licensed payment entities.
Crypto-asset service providers (MiCA CASPs): All MiCA-authorized CASPs must demonstrate DORA-aligned ICT frameworks at application stage (a new requirement confirmed by CySEC and Bank of Lithuania in their 2025 application guidance). CASPs authorized under MiCA are DORA-obligated entities from authorization date.
Insurance and reinsurance undertakings: Solvency II regulated entities.
Management companies (UCITS, AIFM): Fund managers regulated under UCITS and AIFMD.
Crowdfunding service providers: ECSPR-authorized platforms.
ICT third-party service providers: Technology companies that provide ICT services to EU financial entities are subject to contractual DORA requirements (Article 30) and, if designated as Critical ICT Third-Party Providers (CTPPs), to direct EU supervisory oversight. This includes non-EU providers — DORA's third-party requirements apply globally to any provider serving EU financial entities.
The proportionality principle:DORA's requirements apply proportionately. Smaller, less complex entities face lighter-touch obligations in practice — for example, the simplified ICT risk management framework for microenterprises and certain other entities. However, the core five-pillar structure applies to all in-scope entities regardless of size.
The Five DORA Pillars
Pillar 1 — ICT Risk Management Framework (Articles 5–16)
The foundation of DORA compliance. Every in-scope financial entity must implement a comprehensive, board-approved ICT risk management framework covering:
Governance and accountability: The management body bears ultimate accountability. Board members must define ICT risk strategy, actively oversee its implementation, and stay current on the ICT risk landscape. DORA makes ICT risk a board-level responsibility — not just an IT department issue.
Identification and classification: A continuously updated register of all ICT assets (hardware, software, data, services) classified by criticality. All dependencies on ICT third-party providers must be mapped.
Protection and prevention: Network segmentation, identity management, patch cycle documentation, data encryption at rest and in transit, and physical security for ICT infrastructure.
Detection: Continuous monitoring mechanisms to detect anomalous activity, cyberthreats, and ICT vulnerabilities. Automated detection tools with defined escalation procedures.
Response and recovery: Documented incident response plan and ICT disaster recovery plan with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), tested and updated within the last 12 months. Verified recovery procedures — not just documented ones.
Backup and isolation: Automated backup procedures with backups isolated from primary production environments to prevent ransomware lateral movement.
Annual review: The ICT risk management framework must be reviewed annually and after significant ICT incidents. Independent ICT audits at a frequency determined by risk profile.
Pillar 2 — ICT Incident Management and Reporting (Articles 17–23)
DORA mandates a structured classification and reporting process for ICT-related incidents:
Classification:Financial entities must maintain documented criteria for classifying ICT incidents as "major" based on: number of clients affected, duration, geographic spread, data losses, criticality of services impacted, and economic impact.
Three-stage reporting for major incidents to the National Competent Authority (NCA):
Voluntary reporting: Minor incidents and significant cyber threats (even if they did not materialize into incidents) can be voluntarily reported — encouraged by ESMA, EBA, and EIOPA as part of the sector-wide threat intelligence sharing framework.
The most common Pillar 2 compliance failure in 2026: Not having pre-built incident response workflows that enable the 4-hour initial notification. Under stress, without a documented classification process and pre-drafted notification template, 4 hours is not enough time to assess, classify, and notify. Zitadelle AG provides ready-to-use incident classification criteria and notification templates as standard components of DORA implementation packages.
Pillar 3 — Digital Operational Resilience Testing (Articles 24–27)
All in-scope financial entities must conduct regular testing of their ICT systems:
Basic annual testing (all entities): Vulnerability assessments and network security tests on all critical ICT systems at least annually. Open-source and third-party package scanning. Penetration testing of critical applications.
Threat-Led Penetration Testing (TLPT) (advanced, for entities meeting scope criteria):A TLPT is a red team attack simulation against live production systems without the blue team's knowledge — modeled on the TIBER-EU framework.
First TLPT notifications were scheduled for late 2026 and early 2027. Once notified by the NCA, an entity has:
TLPT frequency: At least every 3 years for entities that meet the TLPT scope criteria defined by their NCA. TLPTs are conducted by external, NCA-approved testers.
Critical supply chain scanning — the most common audit finding in 2026: DORA requires open-source packages, container images, and software supply chain components to be scanned for known vulnerabilities (CVEs) before reaching production. This is the area where the most supervisory findings are being documented in 2026.
Pillar 4 — ICT Third-Party Risk Management (Articles 28–44)
This is the most operationally challenging DORA pillar for most financial entities. Key obligations:
Register of Information (RoI): A comprehensive register of all ICT third-party arrangements in EBA-compliant format, submitted annually to the NCA via regulatory reporting portals. The first RoI submission cycle was completed in early 2025. The second cycle concluded in March 2026. Annual obligation going forward.
Article 30 mandatory contract provisions: ALL contracts with ICT third-party providers must include:
Most common Article 30 failure: legacy contracts predating DORA that do not include the mandatory provisions. All such contracts must be renegotiated. ICT providers, particularly cloud hyperscalers, may resist the audit rights and exit strategy provisions. Zitadelle AG provides Article 30-compliant contract templates and negotiation support.
Critical ICT Third-Party Providers (CTPPs): In November 2025, the ESAs published the first CTPP designation list: 19 providers including Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Oracle, SAP, and Deutsche Telekom. CTPPs are subject to direct EU supervisory oversight — annual risk assessments, on-site inspections, and mandatory reporting — not just contractual requirements. Financial institutions that depend on CTPPs must demonstrate they have assessed and mitigated the concentration risk from these dependencies.
Fourth-party risk:DORA requires sub-vendor visibility — compliance extends to "material subcontractors" of your ICT providers. If AWS subcontracts a critical function to a smaller provider, that subcontractor's risk must also be assessed.
Pillar 5 — Information Sharing (Article 45)
DORA encourages (but does not mandate) EU financial entities to participate in cyber threat intelligence sharing arrangements — sharing information on cyber threats, attack indicators, tactics, techniques, and procedures with other financial entities.
Participation must be within dedicated, trusted communities and subject to information security controls. Personally identifiable information remains subject to GDPR and cannot be shared in threat intelligence without appropriate anonymization.
DORA and MiCA CASP — Why Application Readiness Matters
A critical 2026 development: both CySEC and the Bank of Lithuania now assess DORA readiness as part of the MiCA CASP authorization process at application stage — not post-authorization.
A CASP application that lacks a credible DORA-aligned ICT risk management framework, incident response procedures, and outsourcing documentation will face extended review timelines and NCA queries.
Specifically required at CASP application stage:
Zitadelle AG integrates DORA framework preparation into every CASP authorization engagement — so the same documentation serves both the CASP application and the ongoing DORA compliance obligation.
DORA Penalties and Enforcement
Financial entities: Penalties up to 2% of total annual worldwide revenue or 1% of average daily worldwide revenue — whichever is applicable per NCA determination. Personal liability for executives including industry bans in cases of gross negligence or wilful misconduct.
ICT third-party providers: Up to 1% of average daily global revenue for non-compliance with CTPP oversight requirements. Periodic penalty payments of 1% of average daily worldwide revenue for each day of continued non-compliance, for up to 6 months.
CTPPs (Critical ICT Third-Party Providers): The Lead Overseer (EBA, EIOPA, or ESMA) can impose penalty payments and ultimately recommend that the CTPP be delisted from the EU's recognized provider list — effectively blocking it from serving EU financial entities.
2026 enforcement posture:PwC Legal notes that "boards should be prepared for a new cadence of supervisory engagement focused on operational resilience rather than traditional prudential metrics." Some legal experts characterize 2026 as DORA's "maturity phase" — initial implementation has occurred; enforcement is now the focus.
The DORA Gap Assessment
The most effective starting point for any financial entity not yet fully DORA-compliant: a gap assessment comparing current ICT controls, documentation, and vendor contracts against the specific Article-level requirements of DORA and the published RTS/ITS technical standards.
Zitadelle AG conducts DORA gap assessments covering:
Pillar 1 gaps: Is there a documented ICT risk framework? Has it been board-approved? Is there an up-to-date ICT asset register? Are recovery time objectives documented and tested?
Pillar 2 gaps: Are incident classification criteria defined? Is there a pre-built notification template for major incident reporting? Can the entity notify the NCA within 4 hours of a major incident?
Pillar 3 gaps: Are annual vulnerability assessments scheduled? Is supply chain scanning in place? Is the entity in scope for TLPT and if so is it prepared?
Pillar 4 gaps: Is a Register of Information maintained? Has it been submitted to the NCA? Do all ICT vendor contracts include Article 30 mandatory provisions? Have CTPP dependencies been assessed for concentration risk?
Output: A prioritized remediation roadmap with specific Article references, gaps identified, remediation actions, responsible parties, and timelines. Ready for presentation to the board.
DORA and the AI Act Integration
Article 9(10) of the EU AI Act explicitly permits the integration of AI risk management systems into DORA ICT risk management procedures, enabling financial entities to build a unified governance framework rather than maintaining parallel compliance structures. For financial entities subject to both DORA and the AI Act (those using AI in credit decisions, trading, fraud detection, or customer-facing advisory), this integration reduces compliance burden and audit fatigue. Zitadelle AG advises on integrated DORA + AI Act governance frameworks for fintech clients deploying AI in regulated financial activities.
Zitadelle AG — DORA Compliance Service
DORA gap assessment: Article-level gap analysis against current controls and documentation. Prioritized remediation roadmap. Board-ready report.
ICT risk management framework (Pillar 1): Board-approved ICT risk policy, ICT asset register template, threat and vulnerability assessment procedures, business continuity plan (BCP), disaster recovery plan (DRP) with RTOs/RPOs, annual review schedule.
Incident management procedures (Pillar 2): Incident classification criteria, 4-hour notification workflow, pre-drafted NCA notification templates (initial, intermediate, final reports), internal escalation procedures, lessons-learned process.
Testing plan (Pillar 3): Annual vulnerability assessment and network security testing schedule, supply chain scanning procedures, TLPT readiness assessment for in-scope entities.
Register of Information and Article 30 contracts (Pillar 4): RoI template in EBA-compliant format, ICT vendor inventory, Article 30 mandatory provision checklist, contract renegotiation support, CTPP concentration risk assessment.
CASP application DORA package: Integrated DORA framework documentation for MiCA CASP authorization applications — acceptable to CySEC and Bank of Lithuania at application stage.
Ongoing DORA compliance: Annual RoI update and submission, annual ICT risk framework review, annual testing coordination, NCA regulatory correspondence management.
Frequently Asked Questions
Ready to assess and implement your DORA compliance?
Zitadelle AG provides DORA gap assessments and full five-pillar implementation for EU financial entities — CIF, PI, EMI, CASP, and investment firm licensees — from our Limassol, Cyprus headquarters. Board-ready documentation, 4-hour incident workflows, Register of Information, and Article 30 contracts.
Related Services & Resources
Related Services
MiCA CASP License (DORA required at application)
EU Crypto-Asset Service Provider authorization — CySEC and Bank of Lithuania assess DORA readiness at the CASP application stage.
Cyprus CIF License (CySEC)
Cyprus Investment Firm under MiFID II — full DORA compliance required, integrated into CySEC supervisory inspections.
Cyprus Payment Institution (CBC)
CBC-licensed Payment Institution — an in-scope DORA financial entity subject to the full five-pillar framework.
Lithuania EMI License
Bank of Lithuania EMI — a DORA-obligated entity. ICT risk framework and Register of Information apply from authorization.
This page is provided for informational purposes only and does not constitute legal, tax, or regulatory advice. DORA (Regulation (EU) 2022/2554), its Regulatory Technical Standards (RTS), and Implementing Technical Standards (ITS) continue to be supplemented and enforced. Always consult a qualified advisor before relying on any DORA compliance approach. Last updated: June 2026.