
The DORA Enforcement Outlook for 2026: From Grace Period to Interventionist Supervision

DORA Atlas Editorial

The Grace Period Ends

For the financial sector, 2025 had a rhythm: compliance teams worked against DORA deadlines while enforcement remained theoretical. No supervisor imposed a public DORA penalty. No institution was named for non-compliance. No CTPP received a formal recommendation. The first year of DORA's application functioned as an implicit grace period — time for the industry to build capabilities and for supervisors to build the infrastructure to oversee them.

That grace period is ending. The convergence of several developments — completed data collection, operational examination frameworks, staffed supervisory teams, and published guidance — signals that 2026 will be qualitatively different from 2025. Supervisors across the EU are transitioning from a posture of "observation and capacity-building" to what multiple regulatory communications describe as "interventionist supervision."

The shift is not punitive for its own sake. Supervisors recognize that DORA's effectiveness depends on credible enforcement. A regulation that exists only on paper does not change institutional behavior. The first enforcement actions — whenever they arrive — will establish the tone, scope, and severity that defines the enforcement regime for years to come.

The Enforcement Infrastructure Is Ready

Data Availability

The Register of Information submissions (April 2025) gave supervisors their first comprehensive view of the financial sector's ICT dependency landscape. This data — covering third-party relationships, criticality classifications, sub-outsourcing chains, and contractual arrangements — provides the raw material for risk-based supervisory prioritization.

Supervisors can now identify: which institutions have the highest concentration risk, which providers support the most critical functions, which contracts lack Art. 30 mandatory provisions, and which institutions submitted incomplete or inconsistent data. The Register is not just a compliance deliverable — it is a supervisory intelligence tool.

Examination Frameworks

The ESAs' July 2025 oversight guide and Delegated Regulation 2025/420 established the practical frameworks for conducting examinations. JET composition rules, information request protocols, on-site inspection procedures, and finding severity classifications are all defined. The infrastructure exists; what remains is to deploy it.

Staffed Teams

NCAs across the EU have recruited and trained DORA-specific supervisory teams during 2025:

| NCA | DORA team readiness | Published guidance | Examination activity (2025) |
|---|---|---|---|
| CBI (Ireland) | Dedicated team established | Sector-specific letters | Thematic reviews initiated |
| AMF (France) | Team operational | Market infrastructure guidance | Bilateral discussions |
| BaFin (Germany) | Full team, detailed mandate | August 2025 comprehensive guidance | Desk-based reviews |
| Consob/BdI (Italy) | Coordinated approach | Incident reporting focus | Thematic inquiries |
| CSSF (Luxembourg) | Team operational | Fund sector proportionality guidance | Bilateral engagement |
| DNB (Netherlands) | Integrated into existing teams | Breach-type differentiation | Initial assessments |
| CNMV (Spain) | Team building | Limited public guidance | Early-stage engagement |

Supervisory Intelligence

Beyond Register data, supervisors have accumulated 11 months of supervisory intelligence: thematic review findings, bilateral discussion insights, incident reporting patterns, and cross-border information from ESA coordination. This intelligence informs prioritization — supervisors know where the gaps are.

The Enforcement Trajectory: A Phased Approach

Figure 1: DORA enforcement trajectory showing escalation from remediation demands to financial penalties. The CTPP enforcement track operates on a separate, slower timeline.

Based on regulatory communications, supervisory publications, and the enforcement patterns established by analogous EU regulations (GDPR, MAR, MiFID II), the DORA enforcement trajectory is likely to follow a phased approach:

Phase 1: Remediation Demands (Q1-Q2 2026)

The first enforcement actions are more likely to be remediation orders than financial penalties. Supervisors will identify specific deficiencies — incomplete registers, missing contractual provisions, inadequate testing programmes — and issue formal requests for remediation within defined timelines.

This approach allows supervisors to establish expectations and give institutions a final opportunity to comply before penalties are imposed. It also builds the evidentiary foundation for penalty proceedings if remediation is not achieved.

Phase 2: Supervisory Measures (Q2-Q3 2026)

If remediation demands are not met, supervisors can escalate to supervisory measures: activity restrictions, additional reporting requirements, mandated third-party reviews, or prohibition of specific contractual arrangements that pose concentration risk.

These measures are operational, not financial — they constrain what the institution can do rather than imposing a monetary penalty. For an institution that has not built an adequate testing programme (Art. 24-27), a supervisor might require engagement of an external testing provider and submission of results by a defined deadline.

Phase 3: Financial Penalties (H2 2026 onward)

Financial penalties are the final enforcement tool. Their use requires established facts, exhausted remediation opportunities, and a penalty calculation that aligns with national transposition provisions. The first DORA financial penalties are most likely to appear in the second half of 2026 or early 2027 — allowing sufficient time for the remediation and supervisory measure phases to play out.

The quantum of first penalties will be carefully calibrated. Too low, and the deterrent effect is minimal. Too high, and the supervisor risks legal challenges and industry backlash. The most likely pattern is moderate penalties in the EUR 100,000-1,000,000 range for clear, documented deficiencies — establishing precedent without overreach.

Likely First Enforcement Targets

Figure 2: Likely first enforcement targets based on supervisory prioritization criteria. Register deficiencies, incident reporting failures, and governance gaps are the most auditable and demonstrable enforcement areas.

Enforcement resources are limited. Supervisors will prioritize cases that are:

  • Clear-cut: The deficiency is unambiguous and well-documented
  • Impactful: The deficiency poses genuine risk to operational resilience
  • Demonstrative: The enforcement action sends a clear signal to the wider market
  • Defensible: The supervisor's case is legally robust

Based on these criteria, the most likely first enforcement areas are:

1. Register of Information Deficiencies

The Register is the most data-rich enforcement target. Supervisors have the submitted data and can identify: missing entries for known third-party relationships (cross-referenced against CTPP designation lists), inconsistent criticality classifications (a service classified as "non-critical" by one entity but "critical" by its peer), incomplete sub-outsourcing information, and late or non-submission.

Why it's likely first: The evidence exists, the requirement is unambiguous, and the deficiency is quantifiable.

2. Incident Reporting Timeline Failures

Art. 19's reporting timelines — 4-hour initial notification, 72-hour intermediate, one-month final report — are precise and verifiable. An institution that experiences a major ICT incident and fails to notify within the prescribed timeline has created a documented enforcement case.

Given the frequency of cloud outages and cyber incidents, these cases will arise naturally. Supervisors need not proactively investigate — they need only monitor the incident reports they receive (or fail to receive).

Why it's likely first: Timeline breaches are self-evidencing. The gap between when the incident occurred and when the notification was received is a matter of record.
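A self-check for the Art. 19 timelines described above, written as an added example that is not part of the original analysis: it measures each reporting stage against the 4h/72h/one-month windows using an entity's own incident log, so a breach is found internally before it becomes a supervisor's record. The reference point of each clock (classification as major for the initial report, the previous submission for later ones) and the 30-day month are assumptions of the example; the incident records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Art. 19 windows as stated on the page: 4 h initial, 72 h intermediate, one month final.
# Treating "one month" as 30 days is a simplifying assumption of this example.
WINDOWS = {"initial": timedelta(hours=4), "intermediate": timedelta(hours=72),
           "final": timedelta(days=30)}

@dataclass
class IncidentRecord:
    """Timestamps an entity can produce from its own incident log (constructed data)."""
    incident_id: str
    classified_major_at: datetime   # when the incident was classified as major
    reports: dict = field(default_factory=dict)  # stage -> submission time

def check_timeliness(rec, now):
    """One finding per stage: deadline, status and overrun in hours.
    Assumption: the initial clock runs from major classification; each later
    clock runs from the previous report's submission time."""
    findings = []
    clock_start = rec.classified_major_at
    for stage in ("initial", "intermediate", "final"):
        deadline = clock_start + WINDOWS[stage]
        submitted = rec.reports.get(stage)
        if submitted is None:  # never sent: overdue once the deadline has passed
            status = "overdue" if now > deadline else "pending"
            overrun = now - deadline if status == "overdue" else timedelta(0)
        else:
            status = "late" if submitted > deadline else "on_time"
            overrun = max(submitted - deadline, timedelta(0))
        findings.append({"incident": rec.incident_id, "stage": stage, "status": status,
                         "deadline": deadline, "overrun_hours": round(overrun.total_seconds() / 3600, 1)})
        if submitted is None:
            break  # later clocks cannot start until the previous report exists
        clock_start = submitted
    return findings

def breaches(records, now):
    """Only what a supervisor could cite: stages that were late or are overdue."""
    return [f for r in records for f in check_timeliness(r, now)
            if f["status"] in ("late", "overdue")]

# Constructed sample: INC-0001 is fully compliant; INC-0002's initial notification went
# out 10 h after classification (6 h late) and no intermediate report has followed.
AS_OF = datetime(2026, 3, 20, 9, 0)
SAMPLE = [
    IncidentRecord("INC-0001", datetime(2026, 3, 2, 9, 0), {"initial": datetime(2026, 3, 2, 12, 30),
                   "intermediate": datetime(2026, 3, 4, 10, 0), "final": datetime(2026, 3, 28, 10, 0)}),
    IncidentRecord("INC-0002", datetime(2026, 3, 10, 22, 0), {"initial": datetime(2026, 3, 11, 8, 0)}),
]
```

Running `breaches(SAMPLE, AS_OF)` reports the late initial notification and the overdue intermediate report for INC-0002 and nothing for INC-0001.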

3. Art. 5 Governance Deficiencies

Art. 5 requires board approval of the ICT risk management framework, management body ICT risk training, and regular reporting. These requirements produce verifiable documentation: board minutes, training records, and reporting schedules. An institution that cannot produce these documents has a demonstrable governance gap.

Why it's likely first: Documentation-based verification is low-effort for supervisors and high-signal for the market. A governance enforcement action sends the message that DORA's obligations start at the top.

The CTPP Enforcement Track

The CTPP oversight regime operates on a separate enforcement track. The Lead Overseer's powers under Art. 35-36 — information requests, on-site inspections, recommendations, and the 1% daily turnover penalty — apply directly to designated CTPPs.

The CTPP enforcement track is likely to proceed more slowly than entity-level enforcement. The Lead Overseer must first complete initial assessments, conduct examinations, and build the evidence base for any recommendations. The 12-month timeline for non-EU CTPPs to establish EU subsidiaries (which began with November 2025 designations) provides a natural enforcement milestone: by November 2026, all designated CTPPs must have an EU legal entity for the Lead Overseer to engage with.

The first CTPP recommendations are most likely in late 2026 or early 2027, focusing on: governance arrangements for financial sector service provision, transparency of sub-outsourcing chains, incident communication to dependent financial entities, and resilience testing of services supporting critical financial functions.

The Preparation Checklist

For institutions anticipating their first DORA examination, the following preparation framework addresses the most likely enforcement areas:

| Preparation area | Action | Evidence to produce | Priority |
|---|---|---|---|
| Register of Information | Verify completeness and accuracy against current state | Updated Register, change log, reconciliation report | Critical |
| Incident reporting | Validate 4h/72h/1m notification procedures | Documented procedure, test results, contact lists | Critical |
| Art. 5 governance | Confirm board approval, training, reporting | Board minutes, training certificates, reporting schedule | Critical |
| Art. 30 contracts | Inventory contract compliance gaps | Contract analysis matrix, renegotiation timeline | High |
| Testing programme | Document formal testing policy and results | Testing policy, test plans, results, remediation tracker | High |
| Exit strategies | Verify credibility for critical providers | Exit strategy documents, alternative provider assessments | High |
| Art. 29 concentration | Complete concentration risk assessment | HHI calculation, single-point-of-failure analysis | Medium |
| Art. 45 information sharing | Establish or formalize sharing arrangements | Arrangement documentation, participation evidence | Medium |

What Enforcement Means for the Market

The transition to enforcement will produce market-wide effects beyond the institutions directly subject to enforcement actions:

Compliance acceleration. The first enforcement action — regardless of the penalty amount — will accelerate compliance investment across the market. Institutions that have deferred DORA compliance will fast-track their programmes. Budget requests that were previously rejected will be approved.

Vendor renegotiation leverage. Financial entities negotiating Art. 30 contractual provisions with recalcitrant technology providers will gain leverage: the enforcement precedent demonstrates that non-compliant contracts create real regulatory risk.

Board attention intensification. Management bodies that have treated DORA as a technology department concern will recognize the governance implications. Personal liability provisions in some member states add urgency.

Market differentiation. Institutions with mature DORA compliance will begin to differentiate themselves — to counterparties, clients, and regulators — from those that treated the grace period as an extension.

The institutions that enter 2026 prepared — with complete registers, tested procedures, documented governance, and credible exit strategies — will navigate the enforcement shift as a manageable supervisory engagement. Those that enter unprepared will discover that the grace period's end is not gradual. It is a line, and they are on the wrong side of it.


This analysis reflects DORA Regulation (EU) 2022/2554 enforcement provisions, supervisory publications through Q4 2025, and enforcement trajectory analysis based on analogous EU regulatory regimes.