AMF Sets 2026 Priorities: What France's Market Authority Wants From DORA Compliance
AMF Sets 2026 Priorities: What France's Market Authority Wants From DORA Compliance
On January 14, 2026, the Autorite des marches financiers (AMF) — France's market authority responsible for supervising investment firms, asset managers, trading venues, and other financial market participants — published its supervision priorities for 2026. The document places DORA compliance firmly at the center of the AMF's examination programme, alongside sustainable finance disclosures and market conduct.
The AMF supervises a diverse population of financial entities: over 700 asset management companies, approximately 100 investment firms, major trading venues (Euronext Paris), and central counterparties. Many of these entities operate with leaner ICT resources than the banks supervised by the ACPR and ECB, making DORA compliance both more challenging and, arguably, more important.
The AMF's DORA Priorities: A French Approach
The AMF's 2026 priorities for DORA enforcement reflect a distinctly French regulatory philosophy: rigorous, documentation-heavy, and focused on demonstrable outcomes rather than process adherence.
Priority 1: Third-Party Register Quality
The AMF has identified the register of information as its primary examination target for 2026. For asset managers that typically rely heavily on third-party technology platforms (portfolio management systems, order management systems, data feeds, custody technology), the register requirement is particularly demanding.
The AMF specified five quality dimensions it will assess:
| Quality Dimension | AMF Expectation | Common Gap in Asset Management |
|---|---|---|
| Completeness | All ICT service providers, including SaaS, PaaS, data feeds | Cloud-native tools often overlooked |
| Criticality assessment | Each provider rated for business impact | Criticality often based on cost, not BIA |
| Sub-contracting visibility | At least first level of sub-contractors identified | SaaS providers rarely disclose sub-contractors |
| Geographic mapping | Data center locations and data flow geography | "Cloud" treated as location-agnostic |
| Contractual provisions | Art. 30 key provisions verified in contracts | Legacy contracts lack DORA-required clauses |
The AMF has signaled that it will conduct sample-based reviews of registers during its 2026 examination cycle, with particular attention to asset managers that rely on a small number of technology providers for critical functions.
Priority 2: Incident Reporting Readiness
Following the French banking database breach in February 2026, the AMF has elevated incident reporting readiness to a top priority. While the breach affected ACPR-supervised entities, the AMF recognized that market participants face similar risks and must demonstrate readiness under DORA Article 19.
The AMF will assess:
- Whether supervised entities have established incident classification procedures aligned with DORA's criteria
- Whether notification templates are pre-populated and can be submitted within the 4-hour window
- Whether entities have designated persons responsible for incident notification
- Whether simulation exercises have been conducted
Priority 3: ICT Risk Management Framework Governance
The AMF will review the governance structure of ICT risk management frameworks under DORA Article 5. For asset managers, which often operate with smaller governance structures than banks, the AMF has signaled proportionate but firm expectations:
- The management body must have formally approved the ICT risk management framework
- At least one member of the management body must demonstrate understanding of ICT risks
- The framework must be reviewed at least annually
- Risk appetite statements must explicitly address ICT risk
Priority 4: Resilience Testing Evidence
The AMF will request evidence of resilience testing during its examinations. This includes not just the existence of a testing programme but documentation of tests conducted, results obtained, findings identified, and remediation actions taken.
For asset managers subject to proportionality, the AMF has clarified that basic testing (business continuity testing, disaster recovery testing) is the minimum expectation. Scenario-based testing is expected for entities that manage critical funds or operate significant market infrastructure.
Comparison with ECB Supervisory Approach
The AMF's priorities complement but differ from the ECB's 2026-2028 supervisory priorities in several ways:
| Dimension | ECB Approach | AMF Approach |
|---|---|---|
| Scope | Significant banks | Investment firms, asset managers, trading venues |
| Emphasis | Operational capability demonstration | Documentation + evidence quality |
| Third-party focus | Concentration risk (systemic view) | Register quality (entity-level view) |
| Testing expectations | TLPT for SIs; scenario-based for others | Proportionate — basic testing for smaller entities |
| Timeline | Three-year progressive deepening | Annual review with 2026 baseline |
| Examination method | JST + on-site deep dives | Thematic reviews + sample-based checks |
The AMF's focus on documentation and evidence quality reflects the reality that many of its supervised entities are at an earlier stage of DORA maturity than the significant banks supervised by the ECB. The AMF is establishing a baseline in 2026 that it will build upon in subsequent years.
Practical Impact on AMF-Supervised Entities
Asset Management Companies
France's 700+ asset management companies face the most significant compliance burden. Many operate with lean ICT teams (often 2-5 persons) and rely heavily on outsourced technology. The AMF's priority on third-party register quality directly targets this operating model.
Practical steps for asset managers:
- Map all ICT providers, including SaaS tools used for portfolio analytics, risk management, client reporting, and compliance monitoring. Many asset managers use 20-40 SaaS tools that have never been formally catalogued.
- Request sub-contractor information from providers. Cloud-based platform providers must disclose their infrastructure dependencies. If a provider refuses or cannot provide this information, the asset manager should assess whether the contractual provisions meet DORA Article 30 requirements.
- Conduct a simplified BIA to determine which ICT services are critical to the firm's operations. Not all providers are equally important — focus governance resources on the critical ones.
Trading Venues
Euronext Paris and other AMF-supervised trading venues have more mature ICT risk management frameworks but face heightened expectations around resilience testing and incident reporting. The AMF will expect trading venues to demonstrate capabilities beyond basic compliance — including real-time incident detection, automated failover, and tested recovery within published RTO commitments.
Investment Firms
Mid-tier investment firms face a proportionate but non-trivial compliance challenge. The AMF has indicated that proportionality does not exempt any entity from the core requirements: risk management framework, third-party register, incident reporting procedures, and basic resilience testing.
The AMF's Enforcement Toolkit
The AMF has a range of enforcement tools available for DORA non-compliance:
| Tool | Application | Severity |
|---|---|---|
| Observation letter | Minor gaps identified during examination | Low |
| Formal notice (mise en demeure) | Significant non-compliance requiring remediation | Medium |
| Injunction | Order to cease non-compliant practices | High |
| Financial penalty | Material DORA violation with aggravating factors | High |
| Publication | Public disclosure of sanction | Reputational |
The AMF Commission des sanctions can impose financial penalties of up to EUR 100 million or 10% of annual turnover for legal entities. While DORA penalties are defined by Member State transposition, the AMF's existing penalty framework provides ample enforcement capacity.
For 2026, the AMF has indicated that its primary approach will be supervisory dialogue rather than immediate sanctions. Entities that demonstrate genuine efforts to achieve compliance — even if gaps remain — are likely to receive observation letters with remediation timelines. Entities that have made no discernible effort toward DORA compliance face more immediate enforcement risk.
Recommendations for AMF-Supervised Entities
- Start with the register. The AMF has made register quality its top priority. A comprehensive, accurate register that covers all ICT providers — including SaaS, data feeds, and cloud infrastructure — is the most immediate deliverable.
- Prepare your incident reporting process. Do not wait for an incident. Build the notification templates, designate the responsible persons, establish the classification criteria, and run at least one simulation before the AMF asks.
- Document your framework. The AMF's examination approach is documentation-heavy. If your ICT risk management framework exists in practice but is not documented, it does not exist for regulatory purposes.
- Engage with your board. Even for smaller entities, DORA Article 5 requires management body involvement. A board minute recording the approval of the ICT risk management framework — with evidence that the board understood what it was approving — is essential.
- Use the DORA assessment tools available to identify gaps before the AMF does. Self-identification of gaps with remediation plans demonstrates good faith and reduces enforcement risk.
The AMF's 2026 priorities make clear that DORA is not an abstract European regulation — it is a concrete French supervisory requirement with specific examination activities planned for the coming year. Asset managers, investment firms, and trading venues have 2026 to demonstrate that they take it seriously.
Voir aussi: DORA's Real Test Starts Now: IBM's Assessment | ECB Supervisory Priorities 2026-28 | France's Bank Database Breach
Resume en francais
Le 14 janvier 2026, l'AMF a publie ses priorites de supervision pour 2026, placant la conformite DORA au centre de son programme d'examen. L'approche de l'AMF se distingue par quatre priorites : qualite du registre d'information des tiers (completude, visibilite sur les sous-traitants, cartographie geographique), preparation au signalement des incidents (procedures de classification, modeles de notification, exercices de simulation), gouvernance du cadre de gestion des risques ICT (approbation du conseil, appetit au risque ICT, documentation), et preuves de tests de resilience (plans, resultats, remediation). Pour les societes de gestion d'actifs — souvent dotees d'equipes ICT reduites et fortement dependantes de la technologie externalisee — la priorite sur la qualite du registre cible directement leur modele operationnel. L'AMF favorisera le dialogue supervisoral en 2026 mais dispose d'un arsenal d'execution allant des lettres d'observation aux sanctions financieres pouvant atteindre 100 millions d'euros.