← All posts

DORA Enforcement in 2026: What the Numbers Actually Show

The enforcement narrative around DORA in 2026 has been loud: the grace period is over, regulators are cracking down, fines are coming. But what do the numbers actually show? We dug into three major industry surveys, the ESAs' own validation data, and the enforcement actions that have and have not materialised so far.

The picture is more nuanced than most headlines suggest.

The compliance gap: three surveys, one message

Three independent surveys conducted in 2025 paint a remarkably consistent picture of DORA readiness across Europe.

Deloitte European DORA Survey (early 2025): Surveyed CISOs, CROs, and DORA programme managers across 28 European countries:
  • Only 25% of respondents felt compliant with ICT risk management (Pillar I)
  • 48% had incident management protocols in place (Pillar II)
  • Just 8% had achieved full compliance with resilience testing (Pillar III)
  • Another 8% were compliant on third-party risk management (Pillar IV)
  • 46% named the Register of Information as the single hardest DORA requirement
  • 64% planned to spend EUR 2-5 million on DORA compliance
  • 17% could not even estimate their total DORA spend

(Deloitte DORA European Survey)

Veeam/Censuswide survey (June 2025): 404 senior IT decision-makers and compliance heads at financial services firms with 500+ employees, across the UK, France, Germany, and the Netherlands:
  • 96% believe their data resilience falls short of DORA requirements
  • 34% cite third-party risk oversight as the hardest area to implement
  • 24% had not established recovery or continuity testing
  • 24% had not implemented incident reporting processes
  • 23% had not conducted any resilience testing
  • 37% reported higher costs from ICT vendors citing DORA as the reason

(Veeam press release)

PwC Luxembourg survey (March 2025): Financial institutions across the EEA, including banks, insurers, asset managers, and payment firms:
  • Only 4% were executing DORA requirements as business as usual
  • 65% were still in the assessment phase determining what needed to be done
  • 58% believed their ICT providers had significant compliance gaps of their own
  • 26% anticipated terminating at least one ICT provider relationship during 2025 due to DORA

(PwC: DORA — Laying the Groundwork)

The pattern across all three: Pillar II (incident management) is where firms are furthest along. Pillars III and IV (resilience testing and third-party risk) are where the biggest gaps sit. And the Register of Information is the operational headache that consumed a disproportionate share of compliance budgets.

The RoI reality check: 6.5% pass rate

Before the first official Register of Information submission deadline in 2025, the ESAs ran a voluntary dry run exercise with approximately 1,000 financial entities across the EU. The results were sobering.

Only 6.5% of submissions passed all 116 data quality checks.

The remaining 93.5% failed on at least one validation rule — though the ESAs noted that 50% of the failing registers failed fewer than 5 of the 116 checks, suggesting many issues were fixable. The ESAs characterised the results as "in line with expectations" for a best effort exercise.

Common failures included:

  • Cross-template reference errors (invisible when working in Excel, caught only by XBRL-CSV validation)
  • Plain CSV submissions instead of the required XBRL-CSV format
  • Free text entries where standardised codes were expected
  • Empty mandatory fields
  • Missing subcontractor details and incorrectly linked provider chains
  • Duplicate contract identifiers

For the March 2026 production submission cycle, NCAs have implemented automated validation with feedback returned within one business day in some jurisdictions (the Netherlands' AFM, for example). The EBA published 116 formal data quality checks that form the basis of this automated screening.

(ESA dry run results)

What's actually happened on enforcement

Here is where the narrative meets reality. Despite the enforcement rhetoric, the picture in April 2026 is more measured than many commentators suggest.

What HAS happened:

The European Commission launched infringement proceedings against 13 member states in March 2025 for failing to fully transpose DORA into national law by the January 17, 2025 deadline. The countries: Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania, and Slovenia.

This is significant for a reason many overlook: firms in those 13 countries could not have faced DORA-specific penalties until their national transposition was complete. The penalty regimes were not yet in place.

Separately, the ESAs designated 19 Critical ICT Third-Party Providers in November 2025 and launched Joint Examination Team (JET) inspections. This is direct ESA oversight — a first under DORA.

(European Commission — INF/25/761)

What has NOT happened:

As of April 2026, no NCA has publicly disclosed a penalty, compulsion payment, or public censure against a named financial entity for DORA non-compliance. No CTPP has received a compulsion payment under Article 35.

This does not mean enforcement is inactive. NCAs are conducting reviews, RoI submissions are being automatically cross-checked, and the infrastructure for enforcement is in place. But the gap between "active supervision" and "published penalties" remains meaningful.

Penalty roulette: why geography matters

One of DORA's more consequential design choices was to delegate penalty regimes to member states under Article 50, requiring only that penalties be "effective, proportionate and dissuasive." This has produced significant divergence across the EU.

A DLA Piper analysis from October 2025 mapped the resulting landscape:

DimensionRange across EU
Turnover-based ceiling5% (Spain) to 10% (Sweden)
Absolute maximum fineEUR 2 million (Czech Republic) to EUR 20 million (Italy)
Individual officer finesUp to EUR 1 million (varies by member state)

For Critical ICT Third-Party Providers, the penalty framework is harmonised at EU level under Article 35(6): up to 1% of average daily worldwide turnover per day of non-compliance, for a maximum of six months.

Additional NCA powers include cease and desist orders, temporary or permanent suspension of practices, public disclosure of violations, and retrieval of telecommunications traffic records. Article 52 even allows member states to impose criminal penalties.

The practical implication: where your firm is supervised matters as much as what you have or have not done.

(DLA Piper: Divergence in Administrative Penalties Under DORA)

The Article 58 review: auditors stay out

DORA Article 58(3) required the European Commission to review whether statutory auditors and audit firms should be brought within DORA's scope, by January 17, 2026.

The ESAs delivered their joint response in December 2025 (JC-2025-85). Their recommendation: including auditors is not warranted at this stage.

The reasoning:

  • Auditors do not operate transactional systems or process real-time financial flows
  • Auditor IT environments are not critical to the financial system's operational resilience
  • Existing requirements under ISQM 1 and the Audit Directive (2006/43/EC) already address ICT risk management for audit firms
  • Extending DORA to auditors would increase audit fees, limit audit market choice, and require significant reskilling of national audit oversight bodies
  • The ESAs concluded the negative implications outweigh the potential benefits

This is relevant because it signals the ESAs' current stance on DORA scope expansion: they are being selective rather than expansionary. The current focus is on making existing requirements work, not adding new entities to the regulatory perimeter.

(Joint ESAs Report — JC-2025-85)

What this means for your organisation

If you're in the compliance gap: You have company — the surveys show the majority of firms are still working toward full compliance. But the window between "everyone is behind" and "enforcement actions start naming names" is narrowing. The dry run's 6.5% pass rate improved substantially for the March 2026 production cycle, which suggests the most common errors are fixable with the right tooling and processes. If your RoI failed validation: Focus on the cross-template reference integrity checks, XBRL-CSV format compliance, and subcontractor chain completeness. These three categories account for the majority of failures. Treat RoI maintenance as an ongoing BAU process, not an annual filing exercise. If you're concerned about penalties: Geography matters. Check what your NCA has transposed under Article 50 — the divergence from EUR 2M to EUR 20M in absolute ceilings is substantial. For CTPPs, the Article 35(6) framework is EU-wide and more predictable. If you're wondering what's next: The ESAs are currently focused on operationalising the CTPP oversight cycle and the EU-SCICF crisis coordination framework. No new DORA technical standards are planned for 2026 — the regulatory text is settling. Expect the first major ICT-related incident annual report from the ESAs later this year, which will establish baseline data for how seriously supervisors take reporting completeness.
Sources: Deloitte European DORA Survey | Veeam/Censuswide | PwC Luxembourg | ESA dry run | European Commission INF/25/761 | DLA Piper penalties analysis | ESAs Art. 58 Report (JC-2025-85) | DORA Regulation text

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →