opinion

The Future of DORA: NIS2 Convergence, Scope Expansion, and 2027 Outlook

DORA Atlas Editorial

A Regulation Designed to Evolve

DORA was designed with evolution in mind. Unlike regulations that are amended only through lengthy legislative procedures, DORA contains built-in review mechanisms that allow the European Commission to assess, refine, and expand the framework based on supervisory experience and market developments.

Article 58 is the key provision. It mandates that the Commission, after consulting the European Supervisory Authorities, carry out a review and submit a report to the European Parliament and the Council. The review must assess, among other things, the appropriateness of the criteria for identifying critical or important functions, the effectiveness of the CTPP oversight framework, and — most controversially — whether statutory auditors and audit firms should be brought within DORA's scope.

The ESAs' 2026 Work Programme provides more immediate signals. The priorities include: operationalizing the CTPP oversight framework (the first full year of the Lead Overseer regime), advancing incident reporting coordination across supervisory authorities, and developing guidance on emerging ICT risks — including AI, cloud, and quantum computing.

This is not a distant future. These are concrete regulatory workstreams with published timelines.

Five Evolutionary Pressures

1. The Auditor Question (Art. 58)

The most politically significant element of the Art. 58 review is whether to extend DORA's scope to statutory auditors and audit firms. The question is not merely academic. The Big Four audit firms (Deloitte, PwC, EY, KPMG) are deeply embedded in the financial system's information infrastructure. They process sensitive financial data, have privileged access to regulated entities' systems, and their own operational failures can disrupt financial reporting across multiple institutions simultaneously.

The argument for inclusion is straightforward: audit firms are ICT-dependent service providers to the financial sector whose operational failures create systemic risk. The argument against is that audit firms are already regulated under the Audit Regulation and Directive, and dual regulation creates compliance burden without proportionate benefit.

The Commission's review will likely result in one of three outcomes:

| Outcome | Probability | Implication |
|---|---|---|
| Full inclusion as financial entities under Art. 2 | Low (20%) | Audit firms subject to all five DORA pillars; significant compliance cost |
| Partial inclusion via CTPP designation of largest firms | Medium (50%) | Big Four designated as CTPPs under Art. 31; oversight without full compliance |
| Deferred to a future review cycle | Medium (30%) | Status quo maintained; question revisited in 2028-2029 |

The CTPP designation path is the most likely middle ground. It would bring audit firms under the Lead Overseer's oversight powers (inspections, information requests, recommendations) without requiring them to implement the full DORA framework as financial entities.

2. NIS2 Convergence

Directive (EU) 2022/2555 (NIS2) applies to essential and important entities across all economic sectors, including energy, transport, health, and digital infrastructure. Financial entities benefit from DORA's lex specialis status — where DORA imposes sector-specific requirements, they take precedence over NIS2's horizontal requirements.

But the practical overlap is significant:

| Requirement Area | DORA | NIS2 | Convergence Direction |
|---|---|---|---|
| Risk management | Art. 6: ICT risk management framework | Art. 21: Cybersecurity risk management measures | Aligned; DORA is more prescriptive |
| Incident reporting | Art. 19: 4h initial / 72h intermediate / 1 month final | Art. 23: 24h early warning / 72h notification / 1 month final | Converging; DORA's 4h is stricter |
| Supply chain security | Art. 28-44: Comprehensive third-party framework | Art. 21(2)(d): Supply chain security | DORA significantly more detailed |
| Testing | Art. 24-27: Mandatory testing programme + TLPT | Art. 21(2)(f): Testing and auditing | DORA significantly more prescriptive |
| Governance | Art. 5: Management body accountability | Art. 20: Governance, senior management approval | Aligned in principle |
| Information sharing | Art. 45-49: Pillar V | Art. 29: Voluntary sharing arrangements | DORA creates formal framework |

By 2027, the European Commission will likely issue guidance on aligning DORA and NIS2 reporting mechanisms to reduce duplication. The most probable change: a single incident reporting portal that routes notifications to the appropriate authority (financial supervisor for DORA-reportable incidents, CSIRT for NIS2-reportable incidents) based on the incident's characteristics.

For financial institutions that also operate in NIS2-applicable sectors (payment service providers that qualify as digital infrastructure, for example), the convergence will reduce the burden of dual reporting. The efficient strategy is to build to DORA's more prescriptive standards, which will satisfy NIS2 requirements in almost all cases.
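The merged reporting timeline that the comparison table implies, as an added example in Python (not code from the original article): it derives both regimes' deadlines from one clock-start timestamp and groups them by the receiving authority the text describes. Assumptions: the clock starts at the timestamp supplied, and "1 month" means one calendar month clamped to month end.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Deadlines as listed in the DORA/NIS2 comparison table (hours after the clock
# starts; the final report in both regimes is due one calendar month later).
# Assumption: the clock starts at the timestamp handed to reporting_schedule().
DORA_STAGES = [("initial notification", 4), ("intermediate report", 72)]
NIS2_STAGES = [("early warning", 24), ("incident notification", 72)]

# Routing described in the text: DORA-reportable incidents go to the financial
# supervisor, NIS2-reportable incidents go to the CSIRT.
AUTHORITY = {"DORA Art. 19": "financial supervisor", "NIS2 Art. 23": "CSIRT"}


def add_one_month(t: datetime) -> datetime:
    """Calendar-month arithmetic, clamped to the last day of the target month
    (e.g. 31 Jan -> 28 Feb), so a month-end detection never overshoots."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_schedule(clock_start: datetime, dora: bool = True, nis2: bool = False):
    """Merged, time-ordered list of (due_at, regime, stage) for the regimes that apply."""
    events = []
    for applies, regime, stages in ((dora, "DORA Art. 19", DORA_STAGES),
                                    (nis2, "NIS2 Art. 23", NIS2_STAGES)):
        if not applies:
            continue
        for stage, hours in stages:
            events.append((clock_start + timedelta(hours=hours), regime, stage))
        events.append((add_one_month(clock_start), regime, "final report"))
    return sorted(events)


def by_authority(schedule):
    """Group the merged schedule by receiving authority (the single-portal view)."""
    grouped = {}
    for due_at, regime, stage in schedule:
        grouped.setdefault(AUTHORITY[regime], []).append((due_at, stage))
    return grouped


# Constructed example: a major incident whose reporting clock starts at 10:00 UTC
# on 31 January 2027, at an entity in scope of both regimes.
EXAMPLE_START = datetime(2027, 1, 31, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for due_at, regime, stage in reporting_schedule(EXAMPLE_START, dora=True, nis2=True):
        print(f"{due_at:%Y-%m-%d %H:%M} UTC  {regime:<13} {stage:<22} -> {AUTHORITY[regime]}")
```

Running it shows the divergence the table points at: the DORA 4h notice falls a full 20 hours before the NIS2 early warning, while the 72h and one-month milestones coincide.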

3. CTPP Oversight Maturation

The November 2025 designation of 19 CTPPs marked the beginning, not the completion, of the oversight framework. ESMA, as the Lead Overseer for cloud service CTPPs, and EBA and EIOPA for their respective domains, are building the operational infrastructure for ongoing supervision.

The 2026-2027 period will see:

First on-site inspections. The Lead Overseer has the power under Art. 37 to conduct general investigations and on-site inspections of CTPPs. The first inspections — likely targeting the largest cloud providers (AWS, Google Cloud, Microsoft) — will establish precedents for how the oversight framework operates in practice. These inspections will assess operational resilience arrangements, risk management frameworks, and the effectiveness of contractual provisions with financial entity clients.

Recommendations with teeth. Art. 35 empowers the Lead Overseer to issue recommendations to CTPPs. If a CTPP does not comply with a recommendation, Art. 35(6) allows the Lead Overseer to require financial entities to "temporarily suspend, either in part or completely, the use or deployment of a service provided by the critical ICT third-party service provider." This is the nuclear option — and its mere existence changes the negotiation dynamics between financial entities and their technology providers.

Designation expansion. The initial 19 designations will not be the last. As the ESAs gather more data from Registers of Information and supervisory assessments, additional providers will be designated — particularly in payments infrastructure, data analytics, and cybersecurity services. The designation criteria (Art. 31) consider systemic importance, substitutability, and the number of financial entities dependent on the provider.

Non-EU CTPP compliance. Non-EU CTPPs must establish an EU subsidiary within 12 months of designation. By late 2026, the first non-EU technology providers will either have complied or triggered the escalation mechanism. The practical implementation of this extraterritorial requirement will test the boundaries of EU regulatory reach.

4. AI and Emerging Technology Risks

DORA's technology-neutral language — "ICT systems, protocols and tools" — provides a broad enough basis to cover emerging technologies. But the specificities of AI risk, quantum computing threats, and decentralized finance (DeFi) may require more targeted guidance.

AI resilience is the most immediate concern. The EU AI Act, in force since August 2024, creates obligations for high-risk AI systems that overlap with DORA's ICT risk management requirements. By 2027, supervisory guidance will likely clarify how AI model risk maps to DORA's framework — particularly for credit scoring, fraud detection, and algorithmic trading systems that are both high-risk AI systems (AI Act) and critical ICT systems (DORA).

Quantum preparedness is the medium-term concern. When large-scale quantum computers become capable of breaking current cryptographic standards (RSA, ECDSA), the integrity of financial transactions, digital signatures, and encrypted data will be at risk. NIST's post-quantum cryptography standards (CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+) are being standardized. DORA's Art. 9 (protection and prevention) provides the regulatory hook for supervisors to expect cryptographic agility planning. By 2027, ENISA will likely publish guidance on quantum preparedness for financial entities.

DeFi and blockchain resilience is the longer-term question. As tokenized financial instruments and distributed ledger technology gain traction in regulated finance, the question of how DORA applies to decentralized infrastructure becomes pressing. A tokenized bond on a permissioned blockchain is an ICT system under Art. 7. But the resilience characteristics of distributed systems differ fundamentally from centralized architectures. Supervisory guidance will need to address these distinctions.

5. Enforcement Maturation

The 2025-2026 period was characterized by supervisory observation and data collection. By 2027, enforcement will mature:

First formal enforcement actions. While no public enforcement actions have been widely documented in the first year, the supervisory pipeline is building. Institutions with incomplete Registers of Information, absent testing programmes, or governance gaps identified during examination will be the first targets. The precedent-setting nature of early enforcement actions means they will be carefully selected for impact and clarity.

Cross-border enforcement coordination. DORA's cross-border provisions and the Lead Overseer regime create mechanisms for coordinated enforcement. An enforcement action against a CTPP that serves financial entities across multiple Member States will require coordination between the Lead Overseer and national competent authorities. The first such coordinated action — inevitable by 2027 — will test the practical limits of EU supervisory cooperation.

Penalty calibration. The wide range of penalty provisions across Member States (from fixed ceilings to turnover-based percentages) will produce divergent enforcement outcomes. By 2027, the ESAs will likely publish guidance on penalty harmonization to reduce arbitrage — institutions cannot shop for the most lenient jurisdiction if penalties for the same violation vary by a factor of 10.

The 2027 Regulatory Landscape

By 2027, the operational resilience regulatory landscape for European financial services will look substantially different from today:

| Dimension | 2025 (Application) | 2027 (Maturation) |
|---|---|---|
| Scope | 22,000 financial entities | Potentially expanded (auditors, pension funds) |
| CTPP oversight | 19 designations, framework operationalization | First inspections completed, recommendations issued, additional designations |
| Incident reporting | National competent authorities | Coordinated EU-wide reporting, DORA-NIS2 alignment |
| Testing | Annual programmes established | TLPT results informing supervisory assessments |
| AI governance | Implicit under ICT risk management | Explicit guidance on AI-DORA intersection |
| Enforcement | Observation, data collection | Formal actions, penalty precedents, cross-border coordination |
| Global convergence | EU leads, UK parallel | GCC, APAC frameworks maturing, mutual recognition discussions |

Strategic Implications for Financial Entities

The forward-looking institutions are making three strategic investments:

1. Platform architecture that accommodates regulatory evolution. Building compliance on static documentation (spreadsheets, PDFs, shared drives) creates technical debt that compounds with every regulatory change. Institutions investing in structured, modular compliance platforms can adapt to scope expansion, new reporting requirements, and emerging risk categories without rebuilding from scratch.

2. Unified governance frameworks. The convergence of DORA, NIS2, AI Act, and GDPR rewards institutions that build one governance framework rather than four parallel programmes. A unified asset inventory, integrated risk assessment, and coordinated incident reporting process reduces cost and improves coverage.

3. Regulatory intelligence capability. The pace of regulatory evolution — ESA guidelines, delegated regulations, supervisory guidance, enforcement precedents — requires a dedicated function that monitors, interprets, and translates regulatory developments into operational requirements. Institutions that discover regulatory changes during examination are structurally disadvantaged.

Key Takeaways

  • Art. 58 mandates Commission review of DORA's scope and effectiveness. The auditor inclusion question and CTPP framework assessment are the most consequential items.
  • NIS2 convergence will reduce regulatory fragmentation through aligned incident reporting and harmonized risk management expectations. Build to DORA's standards; NIS2 compliance follows.
  • CTPP oversight will intensify through 2027: first inspections, enforceable recommendations, designation expansion, and extraterritorial compliance requirements.
  • AI, quantum, and DeFi will generate new supervisory guidance within DORA's existing framework. Art. 7-9 provide the regulatory basis; specific guidance will clarify expectations.
  • First enforcement actions by 2027 will set precedents. Institutions with basic compliance gaps (incomplete registers, absent testing programmes) are the most exposed.
  • Strategic investment in adaptive platforms, unified governance, and regulatory intelligence positions institutions for the evolution. Static compliance built for 2025 requirements will not survive the 2027 landscape.
  • Monitor the DORA RTS/ITS tracker and regulatory timeline for updates as the framework evolves.