DORA Compliance for 2026: The Register of Information, TLPT, and What Financial Firms Still Get Wrong
The Digital Operational Resilience Act stopped being a regulatory project on 17 January 2025. It became an operational reality, and the financial sector has now lived with it for more than a year.
In that year, a lot has changed. The European Supervisory Authorities have designated their first batch of critical ICT third-party providers. The second cycle of Register of Information submissions is arriving in spring 2026. The ECB published its TIBER-EU SSM Implementation Guide in November 2025, which removed most of the remaining ambiguity about how threat-led penetration testing is meant to run for Significant Institutions. And the Article 58 review — the European Commission’s first formal look at whether DORA needs expansion or recalibration — is happening now.
For financial firms, the posture has shifted from “implement DORA” to “demonstrate DORA under supervision.” That is a different job. It requires a different evidence base. And based on what we can see from the first supervisory cycle, many firms are not ready for it.
This is a look at what DORA compliance actually looks like in 2026: what the first Register of Information submission cycle revealed about where firms are weakest, what the ECB’s TIBER-EU guide means for Significant Institutions, how the 4-hour reporting obligation is playing out in practice, and what the supervisory expectations are for the next twelve months.
What DORA is, in one paragraph — and why the “Regulation, not Directive” distinction matters
DORA is Regulation (EU) 2022/2554. It applies directly in every EU member state without national transposition, which is the opposite of how NIS2 works and is the single most important structural fact about it. There is no margin for national interpretation, no staggered rollout across member states, no opportunity for a firm to argue that its jurisdiction implemented a slightly different version. The obligations in the regulation are the obligations, everywhere, on the same terms. Combined with the Regulatory Technical Standards and Implementing Technical Standards published by the ESAs, the result is the most tightly specified financial-services cyber regulation ever enacted in the EU — and the enforcement teeth to match.
The scope is wide: banks, insurers, investment firms, payment institutions, crypto-asset service providers, crowdfunding service providers, and their critical ICT third-party service providers (CTPPs). The five pillars are ICT risk management, ICT incident reporting, digital operational resilience testing, third-party ICT risk, and information-sharing arrangements.
The interaction with NIS2 matters for dual-scope firms. DORA functions as lex specialis relative to NIS2 for financial entities — where DORA provisions are equivalent to or stricter than NIS2, DORA takes precedence. For firms caught by both, this means no duplicate reporting for the same incidents, but it also means that DORA’s tighter specifications win. Our NIS2 compliance checklist addresses the NIS2 side of the dual-scope question.
The Register of Information is where most firms got exposed
DORA’s Register of Information (RoI) under Article 28 is a comprehensive inventory of every contractual arrangement with ICT third-party providers — not just the critical ones. The first submission cycle in early 2025 produced the first system-wide view the ESAs have ever had of ICT dependencies across the European financial sector. What it revealed was uncomfortable.
Firms underestimated both the breadth and the depth of the data they were expected to maintain. The RoI is not a vendor list. It has over 90 distinct data fields spread across multiple templates, covering contract identifiers, service descriptions, data-processing locations, sub-contracting chains, concentration risk, exit strategies, and more. Many firms discovered at the point of submission that their procurement records, their outsourcing registers, and their ICT risk inventories were not reconciled. They were running separate databases, curated by separate teams, with no single source of truth.
The second RoI submission cycle is now under way. The Dutch central bank (DNB) and the AFM have requested submissions by 22 March 2026, with a 31 December 2025 reference date. Other national competent authorities are on similar timing. By the end of March 2026, the ESAs will have their second annual data set — and this time, they will have the first to compare it against.
That comparison is where supervisory scrutiny is intensifying. If your RoI shows a materially different sub-contracting chain than last year’s for the same provider, the supervisor wants to know why. If your concentration-risk calculation has shifted, they will ask what drove the change. If the provider has been designated a CTPP since your last submission, your records need to reflect the new oversight reality.
The lesson from the first cycle: RoI maintenance is not a once-a-year project. It needs a continuous data-management capability. Firms that treated the 2025 submission as a compliance exercise found themselves rebuilding from scratch for 2026. The ones who built sustainable data pipelines into procurement, contract management, and ICT risk are the ones whose second submission took weeks rather than months.
The other lesson: Article 30(2) contractual requirements are not optional. The RTS on the contents of contracts with ICT third-party providers sets out mandatory clauses — service descriptions, data-processing locations, subcontracting approvals, exit strategies, audit rights. Contracts that predate DORA and have not been renegotiated to include these clauses are now a documented gap that supervisors can see directly in the RoI.
The 4-hour rule is the operational capability most firms lack
DORA’s incident reporting cadence under Article 19 is the sharp operational test of a firm’s incident capability. For major incidents, the timeline is:
- Initial notification: Within 4 hours of classification as major, with a maximum of 24 hours from detection.
- Intermediate report: Within 72 hours.
- Final report: Within one month.
The 4-hour number is the one firms most often get wrong. It is not 4 hours from the moment the incident happens — it is 4 hours from the moment the incident is classified as major under DORA’s RTS criteria, with an outer limit of 24 hours from detection. The classification decision itself is where firms get stuck. The RTS criteria cover impact on clients, economic loss, data compromise, service duration, geographical spread, and criticality of services affected. Working through these criteria under time pressure in the middle of an incident is not a triage exercise you want to be doing for the first time at 3am.
The practical requirement is that classification has to be pre-structured. A working runbook needs to exist that walks an on-call responder through the RTS criteria quickly and confidently enough that the 4-hour clock starts from the earliest reasonable classification point. Automated classification assistance — pre-populated thresholds in the incident-management tooling, triage templates, decision trees — is becoming the standard. Firms that rely on “we’ll convene a call and talk it through” are the ones who miss the window.
The reporting itself is also more demanding than many firms anticipated. Major incidents get reported to the National Competent Authority, which passes the report to the ESAs. The report fields are prescribed: root-cause analysis, client impact quantification, economic-loss estimation, remediation actions. An initial notification that says “we are investigating an incident” is not a DORA-compliant submission.
The operational capability this implies: pre-authorised communication paths to the NCA, pre-populated report templates, pre-defined thresholds for what constitutes “major” under the RTS, tested runbooks, and a named incident-classification owner with authority to start the clock. In the audit feedback visible from the first year, this is one of the most commonly flagged gaps.
TLPT for Significant Institutions: the ECB has spoken
On 26 November 2025, the European Central Bank published the TIBER-EU SSM Implementation Guide. For Significant Institutions under ECB supervision, this is now the operational rulebook for threat-led penetration testing under DORA Articles 26 and 27.
The substantive requirement remains: TLPT at least every three years on live production systems supporting critical or important functions, using intelligence-led red-team methodology aligned with TIBER-EU. The ECB guide did two important things beyond this.
First, it resolved the scope question. Many SIs had been arguing that their TLPT should be narrowly scoped around a single critical function to minimise operational risk. The ECB made clear that pooled testing across multiple critical functions is the expected posture for most SIs, with single-function tests being the exception rather than the rule. Second, it committed the ECB to a specific role: it is the TLPT authority for SIs, with the TLPT Cyber Team and the Joint Examination Teams coordinating testing, reviewing methodology, and signing off on scope and scenarios.
The practical consequences for SI programmes:
Intelligence-led means intelligence-led. Scenarios must be grounded in current cyber threat intelligence about actors that credibly threaten the institution given its business model, geography, and technology stack. Off-the-shelf penetration testing scenarios do not satisfy this. The ECB has been explicit that TLPT is a learning exercise designed to raise cyber maturity — a poorly-scoped test that produces no findings is a supervisory problem, not a clean result.
Control Team separation is mandatory. The institution’s Control Team runs the test on the institution’s side; it coordinates with the regulator’s TLPT Cyber Team, manages the Red Team, and is responsible for operational safety. Critically, the Control Team must have the authority to keep the test confidential from the rest of the institution’s defenders — including the SOC, the CISO organisation, and senior management not directly involved. If your blue team knows a test is coming, the test is not DORA-compliant.
Three years is the default, not the ceiling. The competent authority can increase frequency based on risk profile, operational circumstances, or lessons learned from previous tests. SIs with a high threat profile or concentration in critical functions should expect their NCA to push toward more frequent testing, not less.
Remediation is reviewed. The ECB’s framing treats TLPT not as an exam but as a milestone in a continuous exposure-management cycle. Findings are expected to be tracked to closure with documented remediation, and the next test will examine whether the issues from the previous test have been addressed. A finding that reappears in consecutive tests is a supervisory flag.
For non-Significant Institutions in scope for TLPT, the national competent authority is the TLPT authority, and member-state variations exist — but the TIBER-EU framework remains the methodological backbone everywhere. The ECB guide, although technically only binding for SIs, has become the de facto reference for how TLPT is expected to run across the sector.
The 19 CTPPs have been designated — and oversight is beginning
The ESAs published the first list of designated critical ICT third-party providers on 15 July 2025, identifying 19 providers across the major categories of cloud infrastructure, software, data services, and communications. Designation triggers direct oversight of the CTPP by the ESAs through Joint Examination Teams.
For financial firms using a designated CTPP, the practical implications are significant:
The CTPP is now directly supervised. The JETs can request information, conduct inspections, and issue recommendations to the CTPP. In some cases, these recommendations will have knock-on effects on the financial firm’s contractual relationship with the CTPP — including requirements to renegotiate specific clauses or to alter the way services are consumed.
Concentration risk became a live number. One of the reasons for designating CTPPs is systemic concentration. Once designation happens, the financial firm’s concentration risk on that provider is visible to supervisors in a way it was not before. Firms with concentrated CTPP exposure can expect supervisory pressure to diversify, or at least to demonstrate that their exit strategies are credible and tested.
Exit strategies get stress-tested. DORA Article 28(8) requires exit strategies for all critical ICT services. For CTPP services, these strategies are increasingly being reviewed during supervisory engagement. A paper exit strategy that has never been tested, never been costed, and never been operationally validated is weak evidence under supervision.
Sub-contracting chains matter. The July 2025 RTS on sub-contracting of critical or important functions, and its subsequent amendments, set out the mandatory content of sub-contracting terms. Firms need to be able to trace their dependencies through the full chain — which is exactly what the RoI template B_05.02 is designed to capture, and which many firms found hardest to populate in the first RoI cycle.
The Article 58 review: what’s coming
DORA Article 58 required the European Commission to conduct a review by 17 January 2026 — alongside a report to Parliament and Council — on whether statutory auditors and audit firms should be brought into DORA’s scope or subject to enhanced digital-resilience requirements. That review is ongoing at the time of writing and will shape the next wave of DORA’s reach.
The likely direction is that audit firms will either be brought into scope directly or be subject to enhanced resilience obligations that match parts of DORA. This matters for financial firms because it means your statutory auditor is about to become a more sophisticated counterparty for DORA-related discussions. Expect audits to probe more deeply into DORA evidence, and expect audit findings on DORA-related matters to carry more weight with your supervisors.
The broader Article 58 review is also examining whether the current DORA framework is fit for purpose based on first-year supervisory experience. Areas under examination include the RoI template’s field set, the 4-hour reporting window’s practical workability, the scope of TLPT, and the CTPP designation criteria. Changes to the technical standards should be expected in 2026–2027, though the core framework is unlikely to shift.
DORA vs NIS2: how the overlap actually works for dual-scope firms
Financial firms that also run in-scope essential or important entity activities — for example, a bank that operates critical data-centre infrastructure, or an insurer that provides essential cloud services — face both DORA and NIS2. The lex specialis principle resolves most duplications, but not all.
| Obligation area | DORA (financial sector) | NIS2 (other in-scope) | Rule for dual-scope |
|---|---|---|---|
| ICT risk management framework | Article 5–14 (prescriptive, RTS-specified) | Article 21 (outcomes-based, 10 measures) | DORA’s prescriptive framework satisfies NIS2 where implemented; record the cross-reference explicitly. |
| Incident reporting | 4h/72h/1mo for major incidents, to NCA | 24h/72h/1mo for significant incidents, to NCA and CSIRT | DORA reporting to the financial NCA covers the financial-entity obligation; NIS2 reporting on the non-financial activity remains separate if applicable. |
| Third-party risk | Articles 28–44 (prescriptive, RoI, RTS on contracts) | Article 21(2)(d), Article 22 (supplier security + coordinated risk assessments) | DORA’s RoI and contract requirements exceed NIS2; cover NIS2 coordinated-risk-assessment obligations separately. |
| Testing | Articles 24–27 (testing programme, TLPT every 3yrs for SIs) | No direct equivalent | DORA-only obligation. |
| Information sharing | Article 45 (voluntary arrangements) | Article 29 (voluntary arrangements) | Near-identical. |
| Management-body accountability | Article 5 (management body responsibility) | Article 20 (management body responsibility + training) | NIS2’s explicit training obligation for management-body members is the binding requirement for dual-scope firms. |
| Cryptography, MFA, access control | Implicit in RTS on ICT risk management | Article 21(2)(h), (i), (j) | DORA implementation typically covers NIS2 requirements; explicit policies and coverage evidence satisfy both. |
The administrative savings from the lex specialis rule are real but limited. Most of the work is the same regardless of which framework drives it. The value of recognising the overlap is in not duplicating evidence, governance structures, or reporting channels where the two regimes converge.
Where firms are weakest right now
Based on the first year of supervisory engagement and the first RoI submission cycle, five patterns emerge consistently.
Exit strategies are paper documents. Article 28(8) exit strategies exist on paper but have not been tested. Costs are not quantified. Timelines are optimistic. The operational viability of actually exiting a major CTPP within the stated timeframe has not been validated. Expect supervisors to probe this harder in 2026.
Incident classification is undertrained. The 4-hour clock starts at classification, which means the classification process is the critical path. Firms that have not trained their on-call responders on the RTS criteria, that do not have decision-support tooling, and that do not have pre-authorised escalation paths, consistently miss the 4-hour window in real incidents.
TLPT scope gets negotiated defensively. SIs often approach the ECB’s TLPT Cyber Team with the narrowest possible scope. This is a weak posture. The ECB has been clear that TLPT is meant to cover multiple critical or important functions. Firms that fight for a minimal scope are signalling that they are not ready to test meaningfully — which is itself a finding.
RoI data pipelines are fragile. The difference between firms that submitted the second RoI cycle cleanly and firms that rebuilt it from scratch is almost entirely about data infrastructure. Procurement, contract management, ICT risk, outsourcing, and concentration-risk data need to live in a common spine. Maintaining five separate spreadsheets and reconciling them annually is not a scalable posture.
Third-party concentration is unmeasured. Article 29’s concentration-risk obligations require firms to calculate and manage concentration. Many firms have not done this rigorously and cannot answer, with evidence, what their concentration position is on any given CTPP. Supervisors can now see concentration directly from the RoI; the gap between firm self-reporting and supervisor visibility is uncomfortable.
The 2026 readiness checklist
If you are responsible for DORA compliance in a financial firm in 2026, the following are the six questions a supervisor is most likely to ask — and the evidence you need in place to answer them.
- Can you produce a complete and reconciled Register of Information from a single source of truth, not a spreadsheet? If no, start the data-infrastructure work now. It is an 8–12 month build.
- Has your incident classification runbook been tested against the RTS criteria under time pressure? If no, schedule a tabletop specifically for classification speed — not full incident response, just classification.
- When was your last TLPT, and how have its findings been remediated and evidenced? If you are an SI and the answer is “we’re still scoping,” the ECB guide published in November 2025 is the scope definition.
- Have your Article 30(2) contract clauses been incorporated into every in-scope ICT third-party contract? If you have pre-DORA contracts that have not been renegotiated, list them and prioritise renewal.
- Have you tested your exit strategy for at least one CTPP? A tabletop walk-through is the minimum; a live migration test is the defensible standard.
- Does your management body receive DORA-specific training, and is there a documented record? If no, this is a quick-win gap. The training content does not have to be elaborate; the documentation has to be defensible.
Firms that can answer yes with evidence to all six are in strong shape. Firms that have three or fewer yeses are likely to face supervisory challenge in 2026.
Frequently asked questions
Is DORA still in a grace period? No. DORA became fully applicable on 17 January 2025. The first RoI submission cycle completed in spring 2025. The 2026 focus is supervision and enforcement, not implementation. Any grace period narrative ended a year ago.
What’s the difference between a CTPP and a regular ICT third-party provider? A CTPP (critical ICT third-party provider) has been designated by the ESAs as systemically important to the financial sector, triggering direct oversight by the ESAs through Joint Examination Teams. Regular ICT third-party providers are managed through each financial firm’s own third-party risk programme but are not directly supervised. As of mid-2025, 19 providers have been designated CTPPs; the list will grow.
How much does TLPT cost? The cost is variable and depends on scope, threat intelligence depth, and red-team engagement duration. A TIBER-EU-compliant TLPT for a Significant Institution typically runs 6–9 months end-to-end, with red-team engagement of roughly 12 weeks. External cost for a single exercise is typically a six-figure spend before internal effort is counted. Pooled testing, where multiple financial entities test a shared service provider together, reduces per-entity cost.
Do the 4-hour and 24-hour reporting windows start from the same moment? No, and this is a common confusion. The 4-hour window starts from the moment the incident is classified as “major” under the RTS criteria. The 24-hour outer limit is from the moment the incident is detected. If classification is decided quickly, the 4-hour window is the binding constraint; if classification takes longer, the 24-hour detection window becomes the binding constraint.
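A deadline calculator for the initial-notification rule described in the Article 19 timeline above and in this FAQ answer, added here as an example (it is not from the article or from any regulator's tooling): given detection and classification timestamps it returns the binding deadline, which limit binds, and the latest classification time at which the 4-hour window still governs. The timestamps are constructed; the 72-hour and one-month follow-ups are not modelled because the article does not state their starting point.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Initial-notification rule for major incidents as stated in the article:
# 4 hours from classification as "major", never later than 24 hours from detection.
CLASSIFICATION_WINDOW = timedelta(hours=4)
DETECTION_CAP = timedelta(hours=24)


def utc(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp; runbook clocks should never be naive."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class InitialNotificationDeadline:
    deadline: datetime      # latest submission time for the initial notification
    binding: str            # which limit bites first: "classification" or "detection"
    slack_seconds: float    # how far behind the non-binding limit sits


def initial_notification_deadline(detected_at: datetime,
                                  classified_at: datetime) -> InitialNotificationDeadline:
    """Return the earlier of (classification + 4h) and (detection + 24h)."""
    if detected_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if classified_at < detected_at:
        raise ValueError("classification cannot precede detection")
    from_classification = classified_at + CLASSIFICATION_WINDOW
    from_detection = detected_at + DETECTION_CAP
    if from_classification <= from_detection:
        return InitialNotificationDeadline(
            from_classification, "classification",
            (from_detection - from_classification).total_seconds())
    return InitialNotificationDeadline(
        from_detection, "detection",
        (from_classification - from_detection).total_seconds())


def latest_classification_for_4h_rule(detected_at: datetime) -> datetime:
    """Classify later than this and the 24h detection cap binds, not the 4h window."""
    return detected_at + DETECTION_CAP - CLASSIFICATION_WINDOW


def notification_on_time(detected_at: datetime, classified_at: datetime,
                         submitted_at: datetime) -> bool:
    """True if the initial notification was submitted before the binding deadline."""
    return submitted_at <= initial_notification_deadline(detected_at, classified_at).deadline


if __name__ == "__main__":
    # Constructed scenario, not from the article: detection at 02:10 UTC,
    # then a quick classification versus one that slips to the evening.
    detected = utc(2026, 3, 2, 2, 10)
    for classified in (utc(2026, 3, 2, 3, 30), utc(2026, 3, 2, 23, 0)):
        r = initial_notification_deadline(detected, classified)
        print(f"classified {classified:%H:%M}: submit by {r.deadline:%d %b %H:%M} "
              f"({r.binding} limit binds, {r.slack_seconds / 3600:.1f}h slack)")
    print("4h rule governs classification up to",
          latest_classification_for_4h_rule(detected).strftime("%d %b %H:%M"))
```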
Is my cyber insurance affected by DORA? Indirectly, yes. The control expectations in DORA — MFA, EDR, tested backups, documented incident response, supply chain oversight — largely overlap with what cyber insurance carriers are now requiring for coverage and pricing. Firms with mature DORA programmes typically have stronger insurance positions. Our guide to cyber insurance requirements in 2026 covers the overlap in detail.
Does DORA apply to non-EU firms? DORA applies to financial firms authorised in the EU, which includes EU subsidiaries of non-EU groups. It also applies to any ICT third-party service provider designated as a CTPP, regardless of where they are headquartered — the July 2025 designations include several US-based providers. Non-EU firms serving EU financial firms are not directly subject to DORA, but they are subject to the contractual and oversight requirements that their EU clients must flow down to them.
The bottom line
DORA in 2026 is not a compliance project — it is a supervised operating model. The ESAs, the ECB, and the national competent authorities now have more visibility into the European financial sector’s ICT risk than any regulator has ever had over any sector. The Register of Information made that visibility possible. The 4-hour reporting cadence creates continuous operational signal. TLPT produces structured evidence of resilience. CTPP designation extends supervisory reach directly into the vendors that underpin the sector.
For firms that built mature DORA programmes in 2023–2024, 2026 is about proving the programme works under scrutiny. For firms that treated DORA as a project and checked the box, 2026 is where the exposure becomes visible. The Article 58 review will reshape the edges of the framework over the next 12–18 months, but the core obligations are settled. The work now is operational discipline, evidential rigour, and the capability to demonstrate — not assert — that your firm is digitally resilient.