Quick Answer: The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been in force since 17 January 2025. There is no upcoming deadline to count down to — and that is exactly what makes 2026 dangerous. This is the first full year in which EU financial entities are examined against a running compliance programme, not an implementation roadmap. DORA applies to roughly 21,000 financial entities across 20 categories plus the ICT providers that serve them. Penalties can reach up to 2% of total annual worldwide turnover. If you already passed NIS2, that does not cover you here: for financial firms, DORA is stricter and takes precedence.
Most teams treated 17 January 2025 as a finish line. It was a starting line. The work that gets firms penalised in 2026 is not the policy you wrote last year — it is the evidence you cannot produce when a supervisor asks for it this year.
Has the DORA Deadline Already Passed?
Yes. DORA became applicable on 17 January 2025, with no transition period and no postponement. Unlike a directive that each member state transposes on its own schedule, DORA is a regulation that applied directly and simultaneously across all 27 member states.
That single fact reshapes the risk. In 2025 the conversation was "are we ready in time." In 2026 the conversation is "can we prove it on demand." The first assessment cycles have begun, the Register of Information is being collected, and the European Supervisory Authorities (the EBA, EIOPA, and ESMA) have already designated the first critical ICT third-party providers. The era of preparation is over. The era of examination is here.
One 2026 industry figure cited at a European cybersecurity conference put the gap starkly: roughly 96% of financial services firms in the EMEA region reported their data resilience does not yet meet the standard the regulation expects. That is not a number about tiny fintechs. It includes banks, insurers, and payment institutions of every size.
Who Does DORA Actually Apply To?
DORA covers 20 types of financial entity, including banks, insurers and reinsurers, investment firms, payment and electronic money institutions, crypto-asset service providers, trading venues, and many more. It also reaches ICT third-party service providers that support these firms — which is the part most technology companies underestimate.
Here is the trap for non-financial businesses. If you build, host, or operate software for an EU financial entity, DORA reaches you through your client's contractual obligations even though you are not a bank. Your client must map you, assess you, and contractually bind you under Article 30. A critical ICT provider can even be placed under direct EU oversight, and a critical third-country provider may be required to establish an EU subsidiary so it can be supervised. If your customers include EU financial firms, DORA is already in your sales conversations whether you have read it or not.
DORA vs NIS2: Why Passing One Does Not Cover the Other
This is the single most expensive misunderstanding we see. Many firms invested in NIS2 readiness in 2024 and 2025 and assumed it carried over. For financial entities, it does not — and the relationship runs the other way from what people expect.
DORA is lex specialis for the financial sector. In plain terms, where both could apply, DORA wins. Recital 28 of the NIS2 Directive itself states that DORA should be treated as the sector-specific law for financial entities. The provisions on ICT risk management, incident reporting, resilience testing, information sharing, and ICT third-party risk apply through DORA instead of NIS2. So a financial firm does not get to point at its NIS2 file and call the job done — it has to meet the harder, more prescriptive DORA version of each control.
The reverse is also true and useful: NIS2 still covers sectors and activities outside DORA's scope, so a financial group with non-financial subsidiaries can be juggling both. The smart move is to identify the controls the two frameworks share (access control, encryption, incident logging, audit trails) and build them once, then layer the DORA-specific requirements on top.
| Dimension | NIS2 | DORA |
|---|---|---|
| Who it covers | 18 critical sectors broadly | Financial entities and their ICT providers specifically |
| Legal nature | Directive (transposed per member state) | Regulation (applies directly, EU-wide) |
| Precedence for financial firms | Yields to DORA | Takes precedence (lex specialis) |
| Resilience testing | General risk-based measures | Mandatory programme, including TLPT for larger entities |
| Third-party rule | Supply chain security expected | Prescriptive contracts (Art. 30) plus Register of Information |
What Are the Five Pillars of DORA?
DORA is built on five pillars. A firm is not compliant because it is strong on one or two of them. Supervisors look across all five, and a gap in any single pillar is where findings come from.
- 1. ICT risk management and governance. A documented framework, owned at board level, that identifies, protects, detects, responds, and recovers. The management body is explicitly accountable — the same shift to executive responsibility that NIS2 introduced.
- 2. ICT-related incident management and reporting. A process to detect, classify, and report major incidents to your competent authority within defined windows. Classification is where most teams stumble, because deciding what counts as "major" under pressure is harder than writing the policy.
- 3. Digital operational resilience testing. A structured testing programme, with Threat-Led Penetration Testing (TLPT) under Articles 24 to 27 for entities above the threshold. TLPT simulates real attacker tactics against live systems — a different and deeper exercise than a routine vulnerability scan.
- 4. ICT third-party risk management. Mapping every provider that supports a critical or important function, binding them through Article 30 contractual clauses, and maintaining the Register of Information.
- 5. Information sharing. Voluntary exchange of cyber threat intelligence between financial entities to strengthen the sector's collective defence.
What Is the Register of Information and Why Does It Trip Firms Up?
If one DORA artefact causes the most last-minute panic, it is the Register of Information under Article 28(3). It is a machine-readable register of every contractual arrangement for ICT services provided by third parties, reported to your national competent authority in xBRL-CSV format using the official ITS templates. The supervisory authorities aggregate this data to identify critical ICT providers and to measure concentration risk across the sector.
Most national reporting deadlines for the register fall around the end of the first quarter. The reason it trips firms up is mundane and brutal at the same time: the data has to be accurate, complete, and validated against a long list of data-quality rules. If your contract metadata lives in five different spreadsheets owned by three different people, assembling a clean register on a deadline is genuinely painful. The firms that do it calmly are the ones that treated vendor data as a living inventory, not a once-a-year scramble.
How Big Are the Penalties, and What Does Enforcement Look Like?
DORA's enforcement does not run on a single headline fine the way GDPR does. It works through your national competent authority, which can impose administrative penalties and corrective measures, with sanctions that can reach up to 2% of total annual worldwide turnover for non-compliant entities. For critical ICT third-party providers placed under direct EU oversight, the supervisory framework adds periodic penalty payments designed to force cooperation.
But the financial penalty is rarely the first thing that hurts. Supervisory findings, mandatory remediation, and the reputational cost of being named in a sector where trust is the product tend to bite earlier. In a regulated financial market, "your regulator has questions about your resilience" is a sentence that moves faster than any fine.
What Should Your Firm Do Before the End of 2026?
The window did not close; it changed shape. There is no countdown clock, which is precisely why discipline matters more now than it did during the run-up. Three moves carry the most weight.
- 1. Run a gap assessment against all five pillars. You cannot remediate what you have not mapped. Score yourself honestly across governance, incident management, testing, third-party risk, and information sharing. This is the single most useful step, and it stays valid no matter how the technical standards evolve.
- 2. Get your third-party house in order. Inventory every ICT provider tied to a critical or important function, confirm your Article 30 contract clauses are in place, and keep your Register of Information accurate continuously rather than annually.
- 3. Build a real testing and incident programme. Move from ad-hoc scans toward a documented resilience testing schedule, and rehearse incident classification and reporting so the reporting clocks do not catch your team improvising.
Frequently Asked Questions
Is DORA still in force in 2026?
Does DORA apply to my company if we are not a bank?
What is the difference between DORA and NIS2?
What are the penalties for DORA non-compliance?
What is TLPT under DORA?
What is the Register of Information?
About This Article

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.
Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.
Reply to me directly at [email protected] — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.
— Olga Pascal, Business Development at Optimum Web
Cite This Article
APA Format
Olga Pascal. (2026). DORA Compliance in 2026: The Deadline Passed a Year Ago, and That Is the Real Risk. Optimum Web. https://www.optimum-web.com/blog/dora-compliance-2026-deadline-passed-real-risk/
