DORA’s 19-provider oversight regime tightens in May 2026 - The Industry Spread

The Digital Operational Resilience Act (DORA) enters its first full enforcement year with the European Supervisory Authorities (ESAs) launching direct oversight of the 19 designated Critical ICT Third-Party Providers (CTPPs) — including Amazon Web Services, Microsoft, Google Cloud, Bloomberg, the London Stock Exchange Group, and Tata Consultancy Services — and the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) shifting from compliance guidance to compliance verification across all in-scope financial entities.

DORA, formally Regulation (EU) 2022/2554, became applicable on January 17, 2025; sixteen months later, the regulatory posture is explicitly interventionist. Regulators are now examining firms for compliance evidence — not remediation plans — and the May 2026 oversight cycle is the first opportunity for the ESAs to test their direct-supervision powers over hyperscale cloud and platform providers. The 19-provider list, published jointly by the three ESAs on November 18, 2025, establishes the contours of the European Union’s first-ever financial-sector supervision of non-financial technology vendors (EBA, November 18, 2025). This longform walks through what the rule actually requires, who is in scope, the enforcement architecture, the cross-border friction with United States and United Kingdom regimes, and the specific 2026 milestones every Chief Information Security Officer (CISO) and operational-resilience lead should have on the wall.

Key Facts

  • DORA applicability date: January 17, 2025, under Regulation (EU) 2022/2554 — European Insurance and Occupational Pensions Authority (EIOPA), May 2026.
  • 19 Critical ICT Third-Party Providers designated on November 18, 2025: AWS, Microsoft Ireland Operations, Google Cloud EMEA, IBM, Bloomberg, LSEG Data and Risk, FIS, SAP, Oracle Nederland, Tata Consultancy Services, Accenture, Capgemini, Colt Technology Services, Deutsche Telekom, Equinix EMEA, InterXion HeadQuarters, Kyndryl, NTT DATA, and Orange — ESA joint press release.
  • 4-hour initial notification window for major ICT-related incidents to the National Competent Authority (NCA), counted from classification as major and capped at 24 hours from becoming aware of the incident; the intermediate report is due 72 hours after the initial notification and the final report one month after the intermediate report — DORA Article 19 and the Joint RTS/ITS on incident reporting under Article 20.
  • 50% of firms across the EU financial sector self-reported in early 2026 that contractual remediation with ICT vendors under DORA Article 30 remained incomplete — industry compliance surveys.
  • Stacked incident-reporting timelines: a single ICT incident can set three clocks running for three authorities: DORA (4h to the NCA) for the financial entity, NIS2 (24h early warning to the Computer Security Incident Response Team (CSIRT)) for the ICT provider or for group entities not covered by DORA (DORA is lex specialis and displaces NIS2 reporting for financial entities it covers), and the General Data Protection Regulation (GDPR) (72h to the data protection authority) where personal data is affected.
  • 2026 milestones: first oversight inspections of designated CTPPs by the ESAs; first comprehensive examinations; first recommendations expected for several providers.

Methodology and sources

This analysis rests on primary regulatory documents published between November 2024 and May 2026: the consolidated DORA regulation (Regulation (EU) 2022/2554); the Joint Technical Standards on major ICT-related incident reporting published by the EBA, EIOPA, and ESMA; the November 18, 2025 ESA joint press release designating the 19 CTPPs; the European Securities and Markets Authority’s May 2025 paper “Preparing for the DORA Oversight Framework: CTPP Designation and Next Steps“; and the EBA chair’s published interview and speech series through 2025–2026. Where law-firm analysis is cited, the publishing firm and dated client alert are linked directly. The jurisdictional scope is the European Union (financial entities and their CTPPs); the United Kingdom’s Senior Managers and Certification Regime (SMCR) operational-resilience overlay and the United States’ equivalent third-party risk-management expectations are referenced for comparison only. Under DORA’s hub-and-spoke model, supervision of financial entities rests with the existing National Competent Authorities (NCAs) of the 27 member states, one or more per member state depending on how national supervision of banking, insurance and markets is split.

What the rule actually says

DORA is built on five pillars: ICT risk management (Articles 5–16), ICT-related incident management and reporting (Articles 17–23), digital operational resilience testing (Articles 24–27), management of ICT third-party risk (Articles 28–44), and information-sharing arrangements (Article 45). The provisions most relevant to the May 2026 enforcement cycle are Articles 17–23 (incident classification and reporting), Article 30 (contractual provisions in ICT third-party agreements), and the entire Chapter V Section II (Articles 31–44) covering the oversight of CTPPs.

Article 19 of DORA requires in-scope financial entities to notify the National Competent Authority of a major ICT-related incident within four hours of classifying it as major, and in any case no later than 24 hours after becoming aware of it; an intermediate report is due within 72 hours of the initial notification and a final report within one month of the intermediate report (the time limits are fixed in the Joint RTS/ITS on incident reporting under Article 20). The classification threshold is set by the Joint RTS on incident classification under Article 18, which uses materiality criteria built around the number of clients and counterparts affected, reputational impact, duration and service downtime, geographical spread, data losses, the criticality of the services affected, and economic impact. The same underlying incident can set three clocks running for three separate authorities: DORA (to the NCA) for the financial entity; NIS2 (24-hour early warning to the CSIRT) for the ICT provider where it is itself a NIS2 essential or important entity, or for group entities outside DORA’s scope (for financial entities covered by DORA, DORA is the lex specialis and displaces NIS2 incident reporting, per DORA Recital 16 and NIS2 Article 4); and the General Data Protection Regulation (72-hour breach notification to the data-protection authority) where personal data is affected.
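The stacked clocks above are easy to get wrong under pressure, in particular the rule that a slow classification does not extend the DORA initial deadline and that the downstream DORA clocks run from submission of the previous report rather than from detection. The following deadline calculator is an added example written for this page; it is not code from the article or from any regulator. It assumes tz-aware UTC timestamps, reads "one month" as a calendar month (swap in 30 days if your NCA counts that way), uses a report's own deadline as the start of the next clock until the real submission time is known, and treats the NIS2 24-hour clock as applying only to entities not covered by DORA (the ICT provider itself, or group entities outside DORA's scope). The scenario timestamps are constructed.

```python
"""Deadline calculator for stacked DORA / GDPR / NIS2 incident-reporting clocks.

Added example, not code from the article or from any regulator. Encodes the
DORA RTS/ITS time limits (initial: 4h from classification as major, capped at
24h from awareness; intermediate: 72h from submission of the initial
notification; final: one month from submission of the intermediate report),
the GDPR Article 33 72-hour clock and the NIS2 Article 23 24-hour early warning.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a tz-aware UTC timestamp (keeps scenarios short)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month.

    Assumption: "one month" is read as a calendar month. If your NCA counts
    30 days, replace this with ts + timedelta(days=30).
    """
    year = ts.year + 1 if ts.month == 12 else ts.year
    month = 1 if ts.month == 12 else ts.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass(frozen=True)
class IncidentClocks:
    dora_initial: datetime               # to the NCA (financial entity)
    dora_intermediate: datetime          # to the NCA
    dora_final: datetime                 # to the NCA
    gdpr_breach: datetime | None         # to the DPA, only if personal data affected
    nis2_early_warning: datetime | None  # to the CSIRT, only if NIS2 reporting applies


def compute_deadlines(
    aware: datetime,
    classified_major: datetime,
    *,
    initial_submitted: datetime | None = None,
    intermediate_submitted: datetime | None = None,
    personal_data_affected: bool = False,
    nis2_reporting_applies: bool = False,
) -> IncidentClocks:
    """Return every reporting deadline triggered by one incident.

    `aware` is when the entity became aware of the incident; `classified_major`
    is when it classified the incident as major under the Article 18 RTS.
    Until a report is actually submitted, its own deadline is used as the start
    of the next clock (worst case); pass the real submission time once known.
    """
    for name, ts in (("aware", aware), ("classified_major", classified_major)):
        if ts.tzinfo is None:
            raise ValueError(f"{name} must be tz-aware")
    if classified_major < aware:
        raise ValueError("classification cannot precede awareness")

    # DORA initial notification: 4h from classification, but never later than
    # 24h from awareness. A slow classification does not buy extra time.
    dora_initial = min(classified_major + timedelta(hours=4),
                       aware + timedelta(hours=24))
    # The 72h intermediate clock starts at submission of the initial notification.
    dora_intermediate = (initial_submitted or dora_initial) + timedelta(hours=72)
    # The one-month final clock starts at submission of the intermediate report.
    dora_final = add_one_month(intermediate_submitted or dora_intermediate)

    # GDPR Art. 33: 72h from awareness of a personal-data breach, independent of
    # the DORA classification decision.
    gdpr = aware + timedelta(hours=72) if personal_data_affected else None
    # NIS2 Art. 23: 24h early warning. Financial entities covered by DORA are
    # exempt (DORA is lex specialis); the flag is for the ICT provider itself or
    # for group entities outside DORA's scope (assumption stated in the lead-in).
    nis2 = aware + timedelta(hours=24) if nis2_reporting_applies else None

    return IncidentClocks(dora_initial, dora_intermediate, dora_final, gdpr, nis2)


def next_due(clocks: IncidentClocks, now: datetime) -> tuple[str, datetime] | None:
    """Name and time of the earliest deadline still ahead of `now`, or None."""
    pending = [(name, ts) for name, ts in vars(clocks).items()
               if ts is not None and ts >= now]
    return min(pending, key=lambda item: item[1]) if pending else None


if __name__ == "__main__":
    # Constructed scenario: outage noticed 09:00 UTC on 4 May 2026, classified
    # as major only at 07:00 the next day. The 24h-from-awareness cap wins.
    clocks = compute_deadlines(utc(2026, 5, 4, 9), utc(2026, 5, 5, 7),
                               personal_data_affected=True)
    for name, ts in vars(clocks).items():
        print(f"{name:20s} {ts}")
    print("next due:", next_due(clocks, utc(2026, 5, 4, 10)))
```

Feed `next_due` the current time from the incident bridge and it tells the on-call lead which regulator is next; re-run `compute_deadlines` with `initial_submitted` once the initial notification has actually gone out, because the intermediate clock is keyed to that submission, not to the deadline.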

Article 30 governs the contractual terms of every ICT third-party arrangement, not only those with designated CTPPs. Every contract must set out, among other things: a clear description of the functions and ICT services provided; the locations (regions or countries) where the services are provided and data is processed; service-level descriptions with quantitative and qualitative performance targets; the provider’s obligation to assist in an ICT incident; cooperation with the financial entity’s competent authorities; and termination rights with minimum notice periods. Contracts supporting critical or important functions must additionally include quantified service levels with update mechanisms, reporting obligations to the financial entity, participation in the entity’s threat-led penetration testing, unrestricted access, inspection and audit rights for the financial entity, its auditors and its competent authorities, and an exit strategy with an adequate transition period; the conditions under which such functions may be subcontracted are set out in the RTS under Article 30(5). Articles 31–44 then layer the direct CTPP-oversight regime on top of the financial entity’s own contractual obligations, with one of the ESAs acting as Lead Overseer for each designated provider — a first in EU financial-sector regulation.

The May 2026 enforcement cycle is the first credibility test of the entire CTPP-oversight architecture. The 19 designated providers, including all three hyperscale cloud platforms (AWS, Microsoft Azure, Google Cloud), the two largest market-data and post-trade vendors (Bloomberg and LSEG), and the major Indian and European IT-services firms (Tata, Capgemini, Orange, Accenture), now face information requests, general investigations and on-site inspections by their Lead Overseer (one of the EBA, EIOPA or ESMA, coordinated with the other two through the Joint Oversight Network). The Lead Overseer can issue recommendations under Article 35 and, to compel cooperation with its information requests, investigations and inspections, impose periodic penalty payments of up to 1% of the CTPP’s average daily worldwide turnover in the preceding business year, charged per day for up to six months. Recommendations bind the provider only indirectly: non-adoption is publicly disclosed, and under Article 42 NCAs can require financial entities to suspend or terminate the affected contracts. For providers of this size the penalty is a material daily figure, though the six-month cap bounds the exposure per episode. For prior context on the build-out of the CTPP oversight architecture, see our coverage of the ESAs’ DORA oversight guide.

Cross-jurisdictional comparison

Jurisdiction / regulator: EU — EBA + EIOPA + ESMA (DORA)
Effective date: applicable January 17, 2025
Scope: all EU financial entities + 19 designated CTPPs
Key requirement: Articles 17–23 incident reporting; Article 30 third-party contracts; Chapter V Section II oversight
Penalty / sanction: Article 50: administrative penalties and remedial measures set by member-state law (DORA itself fixes no turnover percentage for financial entities); Article 35: periodic penalty payments of up to 1% of average daily worldwide turnover, per day for up to six months, to compel CTPP cooperation with the Lead Overseer

Jurisdiction / regulator: UK — FCA + PRA (Operational Resilience policy)
Effective date: policy in force March 31, 2022; transition period for remaining within impact tolerances ended March 31, 2025
Scope: FCA / PRA-regulated firms and their material third parties; separately, Critical Third Parties designated by HM Treasury under FSMA 2023 (PRA/FCA rules in force from January 1, 2025)
Key requirement: SS1/21 + PS21/3: identify Important Business Services (IBS), set impact tolerances, map dependencies, test scenarios
Penalty / sanction: SMCR personal accountability; FCA Final Notices; PRA Section 166 skilled-person reviews

Jurisdiction / regulator: US — Federal Reserve, OCC, FDIC (Interagency Guidance on Third-Party Relationships: Risk Management)
Effective date: issued June 6, 2023 (Federal Register June 9, 2023)
Scope: US banking organizations’ third-party relationships
Key requirement: five-stage life cycle: planning, due diligence and selection, contract negotiation, ongoing monitoring, termination
Penalty / sanction: standard supervisory enforcement actions; civil money penalties

Jurisdiction / regulator: Singapore — MAS Technology Risk Management (TRM) Guidelines
Effective date: revised January 2021; periodic revisions
Scope: all MAS-regulated financial institutions
Key requirement: outsourcing notification; cyber hygiene; system availability targets
Penalty / sanction: MAS supervisory directions; financial penalties

Sources: Joint RTS under DORA Article 18; FCA Policy Statement PS21/3 and the PRA Supervisory Statement SS1/21; US Interagency Guidance on Third-Party Relationships: Risk Management (June 6, 2023); MAS Technology Risk Management Guidelines (January 2021). Last updated May 21, 2026.

How three regimes compare — and where they diverge

The three regimes converge on the same operational logic — financial entities must identify critical dependencies, contractually constrain them, and test resilience under stress — but they diverge sharply on the locus of supervision. DORA is the most aggressive: it pulls the largest non-financial ICT vendors directly into the EU financial supervisory perimeter for the first time, layering a CTPP-oversight regime on top of the financial entity’s own third-party risk management obligations. The UK and US regimes, by contrast, largely stop at the financial-entity boundary; the ICT vendor is supervised indirectly via the regulated firm’s contractual and oversight obligations. The UK’s statutory Critical Third Parties regime (FSMA 2023, with PRA and FCA rules in force from January 1, 2025) creates a comparable direct-oversight power, but it applies only to providers HM Treasury has designated.

The cross-border friction is concentrated on three points. First, location of data and processing — DORA Article 30(2)(b) requires the contract to state the regions or countries where the contracted functions are performed and data is processed, and for critical or important functions Article 30(3)(e) gives the financial entity and its competent authority access, inspection and audit rights, which raises immediate complications when an AWS region or Microsoft data centre is geographically outside the EU. Second, subcontracting chains — for critical or important functions DORA requires visibility of, and conditions on, subcontractors along the chain, which has been the single thorniest area of contractual renegotiation through 2025–2026. Third, conflicts with US national-security laws (CLOUD Act, FISA Section 702): if EU regulators issue binding access requests to a US-headquartered CTPP under DORA, those requests can collide with US data-disclosure statutes — the same legal-architecture conflict that drove the EU-US Data Privacy Framework and the Schrems II Court of Justice judgment.

“DORA makes it a governance obligation — owned by the management body, embedded in risk management, and subject to the same supervisory scrutiny as capital adequacy or conduct of business.”

José Manuel Campa, Chair, European Banking Authority (EBA), at the EBA Conference (EBA published commentary, 2024–2025)

Enforcement context and the 2026 oversight cycle

The first concrete test of DORA enforcement came not at the CTPP level but at the financial-entity level, with several major NCAs (notably Germany’s BaFin, France’s ACPR, Ireland’s Central Bank, and Italy’s Banca d’Italia) running thematic reviews of banks’ and insurers’ DORA readiness through the second half of 2025. The reviews flagged recurring weaknesses: incomplete Register of Information (ROI) submissions covering ICT third parties, classification rationale gaps under the critical or important function (CIF) definition, and Article 30 contractual gaps that firms had not finished renegotiating before the January 17, 2025 deadline. Industry compliance surveys early in 2026 found roughly half of firms had not completed contractual remediation with their CTPP vendors despite the deadline being more than a year past.

The CTPP-oversight cycle now layered on top is unprecedented in scope. The Lead Overseer model assigns each designated CTPP to one of the three ESAs based on the dominant sectoral exposure (banking, insurance, or markets); the Lead Overseer coordinates with the other two ESAs through the Oversight Forum set up under the ESAs’ Joint Committee. The May 2026 inspection cycle is the first opportunity for the ESAs to test the powers granted by Articles 37 to 39 — requests for information, general investigations including interviews, and on-site inspections with the right to enter business premises — against vendors that are not themselves regulated financial firms. The first recommendations are expected before year-end 2026; the Article 35 periodic-penalty mechanism exists to compel cooperation with those information requests, investigations and inspections, while a provider that does not adopt a recommendation faces public disclosure and, under Article 42, the prospect of NCAs requiring financial entities to suspend or exit the affected contracts.

What this means for banks, insurers, payment firms, and brokers

For tier-one banks and insurers: the Register of Information (ROI) submission is no longer a planning artefact — it is the document that NCAs use to scope their thematic review. ROI completeness, the rationale for CIF classification, and the audit trail of contractual amendments under Article 30 are the three points where supervisors are pressing hardest. For mid-tier payment institutions and electronic-money issuers, the immediate exposure is concentration risk — most use the same handful of CTPPs (AWS, Microsoft, Google Cloud, FIS, SAP), which means the Article 29 ICT concentration-risk assessment is now a board-level concern rather than a procurement-team document.

For brokers and trading venues: DORA overlays MiFID II resilience obligations rather than replacing them, but the incident-reporting clocks now run faster. Where the MiFID II RTS 6 (investment firms) and RTS 7 (trading venues) notifications to the competent authority historically ran on the firm’s or venue’s own incident-response cycle, DORA Article 19 mandates a four-hour initial notification to the NCA — independent of MiFID II. For asset managers and fund administrators: DORA’s CIF criterion captures custody, trade execution, and Net Asset Value (NAV) calculation as critical functions; firms using a single CTPP across several of these functions face the highest concentration-risk supervisory scrutiny. For the broader regulatory context shaping financial-sector concentration, see our coverage of the Paymentology issuer-processor regulatory backdrop, and on the parallel crypto regulatory cliff see our MiCA July 1 cliff longform.
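Supervisors are asking for the concentration picture the paragraphs above describe, and the Register of Information already holds the inputs. The script below is an added example written for this page, not code from the article, from DORA or from the ESA register templates: it reads a constructed, simplified ROI extract (function, direct provider, critical-or-important flag; the real ESA template has many more columns), computes each provider's share of critical or important functions, lists providers that are single points of failure across several such functions, and summarises concentration with a Herfindahl-Hirschman index. DORA Article 29 prescribes no metric, so the HHI and its 0.25 escalation threshold are this example's assumptions, chosen because they give the board one trackable number.

```python
"""ICT concentration check over a Register of Information extract.

Added example, not code from the article or from DORA's own templates. The
CSV extract is constructed and uses a simplified column set. The HHI metric and
its escalation threshold are assumptions; DORA Article 29 prescribes none.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed ROI extract: one row per function, with its direct provider and
# whether the function is critical or important (CIF) under DORA.
SAMPLE_ROI = """\
function,provider,critical_or_important
custody,AWS EMEA,yes
trade_execution,AWS EMEA,yes
nav_calculation,AWS EMEA,yes
payments_processing,FIS,yes
market_data,Bloomberg,yes
hr_payroll,SAP,no
"""


def parse_roi(text: str) -> list[dict]:
    """Parse the constructed CSV into rows with a boolean critical flag."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "function": rec["function"].strip(),
            "provider": rec["provider"].strip(),
            "critical": rec["critical_or_important"].strip().lower() in ("yes", "true", "1"),
        })
    return rows


def critical_shares(rows: list[dict]) -> dict[str, float]:
    """Share of critical-or-important functions supported by each provider."""
    counts: dict[str, int] = defaultdict(int)
    for row in rows:
        if row["critical"]:
            counts[row["provider"]] += 1
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()} if total else {}


def hhi(shares: dict[str, float]) -> float:
    """Herfindahl-Hirschman index on a 0..1 scale: 1.0 means a single provider."""
    return sum(s * s for s in shares.values())


def single_points_of_failure(rows: list[dict], min_functions: int = 2) -> dict[str, list[str]]:
    """Providers supporting at least `min_functions` critical functions."""
    by_provider: dict[str, list[str]] = defaultdict(list)
    for row in rows:
        if row["critical"]:
            by_provider[row["provider"]].append(row["function"])
    return {p: fs for p, fs in by_provider.items() if len(fs) >= min_functions}


def assess(text: str, hhi_threshold: float = 0.25) -> dict:
    """One-shot assessment: shares, HHI, flagged providers and an escalation verdict.

    Assumption: 0.25 (2,500 on the 10,000-point scale, the conventional
    'highly concentrated' cutoff) is used as the board-escalation trigger.
    """
    rows = parse_roi(text)
    shares = critical_shares(rows)
    index = hhi(shares)
    return {
        "shares": shares,
        "hhi": index,
        "spof": single_points_of_failure(rows),
        "escalate": index >= hhi_threshold,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_ROI)
    for provider, share in sorted(result["shares"].items(), key=lambda kv: -kv[1]):
        print(f"{provider:12s} {share:5.0%} of critical functions")
    print(f"HHI {result['hhi']:.2f}  escalate={result['escalate']}")
    for provider, functions in result["spof"].items():
        print(f"single point of failure: {provider} -> {', '.join(functions)}")
```

In the constructed extract one hyperscaler carries custody, execution and NAV calculation, which is exactly the pattern the text says draws the heaviest scrutiny; the non-critical payroll row is deliberately ignored so that the metric reflects CIF exposure rather than contract count.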

“We need to address the root causes of complexity in regulations, which often result from trying to accommodate too many interests or from combining too many activities under horizontal legislation.”

Petra Hielkema, Chair, European Insurance and Occupational Pensions Authority (EIOPA) (Investment & Pensions Europe, 2026)

What’s next: the forward view

The next 12 months produce four binding milestones. First, the ESAs’ first on-site inspections of the 19 CTPPs in H2 2026 — expected to start with the three hyperscale cloud providers and the two systemic market-data vendors before extending to IT-services firms. Second, the first Article 35 recommendations to a CTPP — expected before year-end 2026, likely focused on subcontracting transparency or audit-rights cooperation (recommendations do not bind the provider directly, but non-adoption is publicly disclosed and can lead NCAs to require financial entities to suspend or exit the affected contracts under Article 42). Third, the European Commission’s review of the CTPP designation methodology, scheduled for early 2027, which is widely expected to widen the list beyond the current 19 providers. Fourth, the ongoing alignment work between DORA, NIS2, and GDPR incident-reporting timelines, where industry has pushed for a single-window submission to reduce duplication; the European Commission has so far declined to mandate it but has signalled it as a 2027 priority.

For the broader EU regulatory cliff in 2026, the DORA enforcement cycle and the MiCA transitional cut-off on July 1, 2026 will produce a concurrent compliance peak for the same compliance and operational-resilience teams. See our parallel deep dive on the GENIUS Act and MiCA stablecoin regime split for the cross-cutting story on how EU stablecoin rules interact with the third-party ICT regime.

TL;DR

DORA enters its first full enforcement year in May 2026 with the ESAs (EBA, EIOPA, ESMA) launching direct on-site oversight of the 19 Critical ICT Third-Party Providers designated on November 18, 2025, including AWS, Microsoft, Google Cloud, Bloomberg, LSEG, and Tata Consultancy Services. Incident reporting under Article 19 demands an initial notification to the NCA within four hours of classification (and no later than 24 hours from awareness), an intermediate report 72 hours after the initial notification, and a final report one month after the intermediate report. Article 35 allows periodic penalty payments of up to 1% of a CTPP’s average daily worldwide turnover, per day for up to six months, to compel cooperation with the Lead Overseer’s information requests, investigations and inspections. First ESA recommendations are expected before year-end 2026.

Frequently asked questions

What does DORA require from a financial entity?

DORA imposes obligations across five pillars: ICT risk management (Articles 5–16), ICT-related incident management and reporting (Articles 17–23, including the four-hour initial notification window), digital operational resilience testing (Articles 24–27, including Threat-Led Penetration Testing for financial entities identified by their NCA), management of ICT third-party risk (Articles 28–44, including the Register of Information), and information-sharing arrangements (Article 45). Penalties are set by member-state law under Article 50; DORA itself fixes no turnover-based cap for financial entities.

Who are the 19 designated Critical ICT Third-Party Providers under DORA?

As of November 18, 2025: Accenture, Amazon Web Services EMEA, Bloomberg, Capgemini, Colt Technology Services, Deutsche Telekom, Equinix (EMEA), Fidelity National Information Services (FIS), Google Cloud EMEA, IBM, InterXion HeadQuarters, Kyndryl, LSEG Data and Risk, Microsoft Ireland Operations, NTT DATA, Oracle Nederland, Orange, SAP, and Tata Consultancy Services. The European Commission is expected to review the methodology and likely widen the list during 2027.

How is the DORA incident-reporting timeline structured?

Article 19 requires the financial entity to notify the National Competent Authority within four hours of classifying an incident as major, and no later than 24 hours after becoming aware of it; an intermediate report is due 72 hours after the initial notification, and a final report one month after the intermediate report. The classification thresholds are set by the Joint Regulatory Technical Standards (RTS) on incident classification published by the EBA, EIOPA, and ESMA; the reporting time limits are set by the Joint RTS/ITS on incident reporting under Article 20.

How does DORA interact with NIS2 and GDPR?

A single ICT incident can set three clocks running for three separate authorities: DORA (4-hour notification to the NCA) for the financial entity; the Network and Information Security Directive 2 (NIS2) (24-hour early warning to the national Computer Security Incident Response Team) for the ICT provider, where it is itself a NIS2 entity, or for group entities not covered by DORA, since DORA is the lex specialis that displaces NIS2 incident reporting for the financial entities it covers; and the General Data Protection Regulation (72-hour breach notification to the data-protection authority) where personal data is affected. The clocks run independently; the European Commission has signalled a single-window approach as a 2027 priority but has not yet mandated it.

What is the Register of Information (ROI) under DORA?

The Register of Information is a register the financial entity must maintain under Article 28(3) and report to its National Competent Authority, listing all ICT third-party arrangements with detailed attributes including service type, criticality classification, location of data processing, subcontracting chain, contract dates, and risk-assessment outcomes. ROI completeness has become the primary lens through which National Competent Authorities are assessing DORA compliance in the May 2026 enforcement cycle.

What penalties does DORA impose on financial entities?

Article 50 of DORA requires member states to lay down administrative penalties and remedial measures for breaches of the regulation and gives National Competent Authorities the corresponding supervisory, investigatory and sanctioning powers; the amounts are set by national law, and DORA itself fixes no turnover-based percentage for financial entities. National law additionally provides for personal liability of members of the management body in several member states, including Germany (BaFin) and France (ACPR). For designated Critical ICT Third-Party Providers, Article 35 allows the Lead Overseer to impose periodic penalty payments of up to 1% of average daily worldwide turnover, per day for up to six months, to compel cooperation with its information requests, investigations and inspections.

How does DORA differ from the UK and US operational resilience regimes?

DORA pulls the largest non-financial ICT vendors directly into the EU financial supervisory perimeter through the CTPP-oversight regime under Chapter V Section II. The UK’s FCA/PRA operational-resilience policy and the US Interagency Guidance on Third-Party Relationships stop at the financial-entity boundary — the ICT vendor is supervised indirectly via the regulated firm’s contractual and oversight obligations. The UK’s separate Critical Third Parties regime (FSMA 2023) provides a comparable direct-oversight power, but only for providers HM Treasury designates; DORA’s CTPP oversight is the first regime under which hyperscale cloud and platform providers actually face direct financial-sector supervision in a major jurisdiction.

This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.

Rick Steves has seen business and economics through many lenses. He joined the financial services industry in 2009, and has been a financial journalist since 2011. He holds a degree in Business Administration and has experience producing real-time news, from both buy-side and sell-side, as well as for retail traders, brokers and service providers. Steves' work has appeared in a variety of online publications including FX Street, NewsBTC, FinanceFeeds, and The Industry Spread. Rick has great interest in the dynamics of the trading industry. The never-ending clash between technology, economics, regulation, and more importantly, the people.
