
Digital Operational Resilience Act

DORA

The EU's unified framework for ICT risk management across the entire financial sector. Applicable since 17 January 2025, DORA ensures that banks, insurers, investment firms, payment providers, crypto-asset service providers, and their critical ICT suppliers can withstand, respond to, and recover from all types of digital disruptions and cyber threats.

EU · Fully applicable · 456 regulations tracked · Updated April 2026
THE ESSENTIALS

If your company provides financial services in the EU -- or supplies technology to companies that do -- DORA is the regulation you need to understand. It sets out rules designed to make sure banks, insurers, payment companies, and similar firms can keep running even when their computer systems are attacked or fail. Think of it as a safety standard for the digital side of finance.

Before DORA, each type of financial firm followed different rules about cybersecurity and IT risk. That made things complicated and left gaps. DORA replaces that patchwork with a single set of requirements that applies across the board. It covers everything from how firms manage their IT risks day-to-day, to how quickly they must report a cyber incident, to how they test whether their systems can withstand a real attack.

One of DORA's most notable features is that it does not stop at the financial firms themselves. It also brings the major technology providers -- the cloud platforms, core banking vendors, and data analytics companies that the financial sector depends on -- under direct regulatory oversight for the first time. If a single cloud outage could disrupt dozens of banks, regulators now have the power to inspect and penalise that provider directly.

DORA has been fully applicable since 17 January 2025. Firms that fall within its scope are expected to have compliance frameworks in place now. For those still catching up, the practical priorities are incident reporting workflows, third-party contract remediation, and building out the Register of Information that documents every ICT provider relationship.

CH · SWISS COMPASS

Switzerland is not an EU member state, so DORA does not apply directly to Swiss-domiciled financial institutions. However, Swiss banks, insurers, and asset managers with EU branches or subsidiaries will find that those entities are fully subject to DORA. More broadly, Swiss firms providing ICT services to EU-regulated financial entities -- cloud hosting, core banking platforms, payment processing infrastructure -- risk being designated as critical ICT third-party providers and falling under direct ESA oversight.

FINMA's existing operational resilience expectations (particularly FINMA Circular 2023/1 on operational risks and resilience) overlap with several DORA requirements, but do not match DORA's prescriptive incident reporting timelines, Register of Information obligations, or mandatory threat-led penetration testing. Swiss financial institutions serving EU clients should map their current FINMA compliance against DORA's five pillars and close any gaps, especially around the 4-hour incident notification deadline and third-party contract clauses that EU counterparties will increasingly require.

WHAT
EU regulation establishing a unified framework for ICT risk management and digital operational resilience in the financial sector. Replaces the fragmented patchwork of sectoral ICT requirements with a single, harmonised rulebook.
WHO
All 21 categories of financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers, trading venues, CCPs) and their critical ICT third-party service providers.
WHEN
Fully applicable since 17 January 2025. All covered entities must have operational compliance frameworks in place now. First Register of Information submissions due 30 April 2025.
PENALTY
Penalties for financial entities set by national competent authorities (vary by Member State). Critical ICT providers face direct ESA oversight with periodic penalty payments up to 1% of average daily worldwide turnover for up to 6 months.

DORA is structured around five interconnected pillars. Together, they create a comprehensive operational resilience framework.

Financial entities must implement a comprehensive, documented ICT risk management framework approved by the management body. This includes strategies for digital operational resilience, ICT business continuity policies, and response and recovery plans.

KEY REQUIREMENTS
Management body bears ultimate responsibility for ICT risk
Framework must cover identification, protection, detection, response, and recovery
Dedicated ICT security function with sufficient authority and resources
Regular review and audit of the ICT risk management framework
Simplified framework available for microenterprises and small entities

DORA imposes one of the tightest incident reporting regimes in EU regulation. The clock starts ticking at detection.

Detection (T+0)

ICT-related incident detected through monitoring or user reports.

Classification (max T+24h)

Incident classified as major or significant using the ESA multi-criteria methodology (clients affected, data loss, criticality, duration, economic impact, geographic spread). Classification must occur promptly and no later than 24 hours after detection.

Initial Notification (T+4h after classification; max T+24h from detection)

Submit initial report to competent authority with basic facts: incident type, affected services, estimated impact, initial mitigation actions taken. The absolute backstop is 24 hours from detection even if classification is delayed.

Intermediate Report (T+72h after initial)

Detailed update including root cause analysis (if available), full impact scope, ongoing recovery measures, and timeline for resolution. Must be submitted even if the incident is still ongoing.

Final Report (T+1 month after initial)

Complete post-incident analysis: root cause, total financial losses, remedial actions, lessons learned, and any changes to the ICT risk management framework.
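A deadline calculator for the reporting regime above, added here as an illustration; it is not code from the page or from any regulator's tooling. It assumes "one month" is read as a calendar month (clamped to the month's last day) and accepts only timezone-aware timestamps, and it plans follow-up reports against the latest lawful initial-report time until the report has actually been sent.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CLASSIFY_WINDOW = timedelta(hours=24)        # classify no later than 24h after detection
INITIAL_AFTER_CLASSIFY = timedelta(hours=4)  # initial notification 4h after classification
INITIAL_BACKSTOP = timedelta(hours=24)       # absolute backstop: 24h from detection
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_MONTHS_AFTER_INITIAL = 1


def _require_aware(name: str, ts: datetime) -> datetime:
    # A naive datetime silently shifts the deadline by the host's local offset,
    # so only timezone-aware timestamps are accepted.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts


def add_months(ts: datetime, months: int) -> datetime:
    # Calendar-month addition clamped to the target month's last day (assumption:
    # "one month" is read as a calendar month, so Jan 31 -> Feb 28).
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    classification: datetime  # latest point at which the incident must be classified
    initial: datetime         # initial notification to the competent authority
    intermediate: datetime    # intermediate report
    final: datetime           # final report


def dora_deadlines(detected_at: datetime, classified_at: Optional[datetime] = None,
                   initial_sent_at: Optional[datetime] = None) -> ReportingDeadlines:
    """detected_at is T+0; classified_at / initial_sent_at stay None until those
    steps actually happen, in which case the latest lawful time is planned for."""
    detected_at = _require_aware("detected_at", detected_at)
    classification = detected_at + CLASSIFY_WINDOW
    backstop = detected_at + INITIAL_BACKSTOP
    if classified_at is None:
        initial = backstop  # not classified yet: only the 24h backstop binds
    else:
        # 4h after classification, but never later than the 24h backstop
        initial = min(_require_aware("classified_at", classified_at) + INITIAL_AFTER_CLASSIFY,
                      backstop)
    # Follow-up reports count from the initial report; until it is sent,
    # plan against the latest time it could lawfully go out.
    anchor = _require_aware("initial_sent_at", initial_sent_at) if initial_sent_at else initial
    return ReportingDeadlines(classification, initial,
                              anchor + INTERMEDIATE_AFTER_INITIAL,
                              add_months(anchor, FINAL_MONTHS_AFTER_INITIAL))
```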

DORA applies to 21 categories of financial entities -- the broadest scope of any EU financial regulation on ICT risk.

Despite the January 2025 application date, full compliance remains a work in progress for much of the financial sector.

50% -- estimated full compliance by end 2025 (Deloitte Wave 3 Survey)
38% -- targeting compliance in 2026 (Deloitte Wave 3 Survey)
46% -- find the RoI (Register of Information) most challenging (Deloitte Wave 3 Survey)
67% -- find the 4h notification hardest (Deloitte Wave 3 Survey)
KEY CHALLENGES
Register of Information: Consolidating ICT provider data across decentralised departments remains the most time-consuming compliance task for 46% of entities.
Incident classification speed: The 4-hour notification window requires automated triage tooling that most entities lack.
Third-party contract remediation: Legacy ICT contracts often lack DORA-mandated clauses (audit rights, data location, exit strategies).
TLPT preparation: Significant entities face a 3-month window from notification to submit TLPT scope documents. Budget estimates range from EUR 200K to 500K+ per cycle.
Sep 24, 2020 -- PROPOSAL: European Commission publishes DORA proposal as part of the Digital Finance Package
Nov 10, 2022 -- ADOPTED: European Parliament adopts DORA with 556 votes in favour
Nov 28, 2022 -- PUBLISHED: DORA published in the Official Journal of the EU as Regulation (EU) 2022/2554
Jan 17, 2023 -- IN FORCE: DORA enters into force (20 days after OJ publication), 24-month implementation period begins
Jan 17, 2024 -- RTS BATCH 1: ESAs publish first batch of Regulatory Technical Standards (ICT risk management, incident classification)
Jul 17, 2024 -- RTS BATCH 2: ESAs publish second batch of RTS and guidelines (TLPT, oversight, subcontracting)
Jan 17, 2025 -- FULL APPLICATION: All DORA requirements become mandatory for financial entities and critical ICT providers
Apr 30, 2025 -- ROI DEADLINE: First submission deadline for Registers of Information to ESAs via national competent authorities
Jul 8, 2025 -- TLPT RTS: Delegated Regulation (EU) 2025/1190 on threat-led penetration testing enters into force
Jan 17, 2026 -- REVIEW: First annual review cycle -- entities must demonstrate ongoing compliance and updated risk frameworks
Apr 23, 2026 -- YOU ARE HERE