For many financial institutions, 2025 felt like a dress rehearsal for the implementation of the Digital Operational Resilience Act (DORA). National Competent Authorities (NCAs) largely focused on guiding firms through initial setup, emphasising “good faith efforts” and paper-based frameworks. Has that era of tolerance now ended?
As we move into 2026, regulators across Europe (from the Central Bank of Ireland to the AMF in France) have shifted gears. The new mandate is “interventionist supervision”. The question is no longer whether you have a DORA framework on paper, but how effectively it handles real-world data, in real time. This isn’t just a tweak; it’s a recalibration of regulatory expectation.
The rise of the machine: automated supervision is here
Manual audits as the primary regulatory tool are rapidly fading. NCAs are no longer waiting to knock on your door to find discrepancies. They’ve begun leveraging sophisticated, automated tools to cross-reference ICT registers across the EU.
Imagine this: your firm reports its critical third-party cloud provider in your Register of Information (RoI). That same provider is reported by dozens of other firms and by the provider itself. If there are inconsistencies, technical gaps or late updates in your filing, automated systems will be able to flag it pretty quickly. This makes technical gaps or late filings an undeniable trigger for enforcement. The focus has moved from abstract policies to tangible, auditable data. Your DORA compliance is now a live, operational health check of your entire digital ecosystem.
Beyond flat fees: the new math of DORA penalties
The financial consequences of DORA non-compliance are no longer minor administrative costs. Regulators are now utilising the full breadth of DORA’s sanctioning powers to compel action.
- Turnover-linked fines: for serious Tier 1 violations, penalties can reach up to 2% of your total annual worldwide turnover. This isn’t a fixed fee; it’s a systemic penalty designed to hit where it hurts, reflecting the potential systemic impact of your firm’s digital failure.
- Daily compulsion payments: NCAs aren’t just fining you for past errors; they’re fining you for ongoing ones. Regulators can impose recurring daily penalties of up to 1% of average daily turnover to force immediate remediation of identified ICT vulnerabilities. This pushes firms to fix issues in real time, under continuous financial pressure.
- Divergent national ceilings: while DORA sets the baseline, individual Member States are imposing their own specific caps. Some jurisdictions, like Italy, can levy fines up to €20 million, while Germany (BaFin) has established explicit ceilings of €5 million for certain critical breaches. Firms operating in more than one Member State need to know which ceiling applies in each jurisdiction.
The 72-hour red flag: when an incident becomes an audit trigger
Incident reporting under DORA is not just an administrative task; it’s a primary indicator of your firm’s operational health and control. Regulators now view a missed or late incident report as evidence of a broader systemic weakness.
Under the updated Regulatory Technical Standards (RTS), an early warning of a major ICT incident is often expected within 24 hours, followed by a detailed report within 72 hours. ESMA and NCAs are actively using automated incident detection tools to identify “clusters” of failures across the market. A late report isn’t a forgotten email; it signals that your firm might be losing control of its digital perimeter, making it an immediate red flag for a full-scope regulatory audit.
The CEO’s problem: personal accountability in the digital age
DORA Article 5 explicitly places “ultimate responsibility” for digital operational resilience directly on the Management Body.
- “Ignorance is no defence”: management is now legally mandated to undergo specific ICT risk training. Regulators are scrutinising board minutes to ensure digital resilience is a standing agenda item, not just an afterthought.
- Personal fines: several jurisdictions (including Spain and Germany) now allow for personal fines of up to €1,000,000 for senior executives who fail to adequately oversee their firm’s ICT risk framework.
- The “DORA responsible officer”: many firms are moving to appoint a specific board member or senior executive as the dedicated lead for digital resilience, ensuring clear ownership and avoiding the “dilution of responsibility” that regulators are actively targeting.
The transition into 2026 means that compliance is now about active, verifiable digital resilience. Firms that treat DORA as a strategic imperative, rather than just another checkbox, will gain a significant competitive advantage.
Turn DORA into a digital credential
Our platform is engineered to move you past the paper-based compliance of 2025 and into the high-governance, data-driven reality of 2026. AQMetrics provides a “single regulatory source of truth” for DORA, eliminating the “data-reload loop” that causes most firms to miss deadlines. Don’t let DORA become a liability. Transform it into a digital credential that signals resilience and reliability to your investors and regulators.