
ESAs Spring 2026 Risk Report: What It Means for DORA Compliance

Most DORA coverage focuses inward: what your firm needs to do, which templates to fill, which deadlines to hit. The ESAs' Spring 2026 Joint Committee risk assessment takes the opposite view — it looks at the external environment and asks what could go wrong.

The answer, published in March 2026 and presented to the EU Economic and Financial Committee, is that the threats DORA was designed to address are not theoretical. They are active and escalating.

The macro backdrop: geopolitics as operational risk

The Spring 2026 report opens with geopolitical tensions as the dominant risk to European financial stability. The war in the Middle East, tensions around the Strait of Hormuz, airspace closures, the ongoing conflict in Ukraine, developments around Venezuela and Greenland, and government instability within the EU all feature.

The ESAs frame this not as a market risk story, but as an operational one. Geopolitical events create what the report calls "multi-line risk" — not just price volatility, but potential physical disruption to infrastructure, supply chains, and the ICT services that financial institutions depend on.

For DORA compliance teams, the signal is clear: your ICT risk assessment framework needs to account for geopolitical scenarios, not just technical failure modes. If a provider (or one of its subcontractors) operates data centres in, or routes traffic through, a geopolitically sensitive region, your risk register should say so, and your exit and continuity plans should be tested against that region becoming unavailable.

(EBA press release)

Cyber threats: the ESAs' own language

The ESAs are typically measured in their risk communications. The language in the Spring 2026 report is notably direct:

Geopolitical events and cyber attacks could generate shocks and disruptions to critical infrastructures.

The report specifically flags vulnerabilities from two converging forces: geopolitical tensions making state-affiliated and politically motivated cyber attacks more frequent, and the rapid development and deployment of AI creating new attack surfaces.

This framing matters because it moves cyber risk from the "IT department's problem" category into the "board-level financial stability concern" category, which is precisely where DORA Article 5 places responsibility: the management body is accountable for the ICT risk management framework.

The practical implication: if your board reporting on ICT risk does not reference the geopolitical threat environment, it is likely incomplete by the ESAs' own standard.

The AI connection no one expected

Perhaps the most striking element of the Spring 2026 report is its discussion of AI-driven disruption, but not in the way most compliance teams would anticipate.

The ESAs highlight recent developments in US private credit markets, where AI-driven disruption of traditional software businesses has weighed on portfolio companies. Several flagship business development company (BDC) funds received redemption requests far above their limits. Ares Management capped redemptions in its $10.7 billion fund at 5% after withdrawal requests reached 11.6%. Blue Owl Capital and Cliffwater imposed similar restrictions. Morgan Stanley warned that default rates in private credit direct lending could surge to 8%.

The connection to DORA? The ESAs describe private markets as characterised by "limited data, low transparency, prolonged growth and complex, opaque interconnections with the broader financial system." Those interconnections include ICT infrastructure: when a private credit fund's portfolio companies fail, the technology vendors and service providers they used do not disappear cleanly. Contracts, data, and dependencies persist, and the financial entities at the other end of those relationships still have to manage the resulting ICT risk.

The ESAs encourage supervisors and market participants to monitor private market developments ahead of the Solvency II 2027 changes, which will affect how insurers allocate to alternative investments.

The first full CTPP oversight cycle

While the Spring risk report provides the "why" for DORA enforcement, the ESAs' 2026 Work Programme (published October 2025) provides the "what's next."

The headline: 2026 is the first complete oversight cycle for the 19 designated critical ICT third-party service providers (CTPPs).

The full list of designated CTPPs:

  • Accenture
  • Amazon Web Services EMEA
  • Bloomberg
  • Capgemini
  • Colt Technology Services
  • Deutsche Telekom
  • Equinix EMEA
  • Fidelity National Information Services (FIS)
  • Google Cloud EMEA
  • IBM
  • InterXion HeadQuarters
  • Kyndryl
  • LSEG Data and Risk
  • Microsoft Ireland Operations
  • NTT DATA
  • Oracle Nederland
  • Orange
  • SAP
  • Tata Consultancy Services

Each CTPP has been assigned a Lead Overseer, one of the three ESAs, and each will have an individual annual oversight plan. Joint Examination Teams (JETs), composed of ESA and NCA staff, will conduct risk assessments and inspections.

The ESAs have organised this work through a single joint Directorate, operating as "one team" rather than as three separate authorities. They will also produce a strategic multi-annual oversight plan and publish individual oversight reports.

For financial entities: if your firm relies on any of these 19 providers, expect your NCA to reference the ESA oversight findings in its supervisory dialogue with you. The CTPP oversight will generate intelligence that flows back to entity-level supervision.

(ESMA: 2026 Work Programme)

EU-SCICF: the crisis coordination framework goes operational

The 2026 Work Programme confirms that the EU Systemic Cyber Incident Coordination Framework (EU-SCICF) will be further operationalised this year.

The EU-SCICF was established by the ESAs in response to an ESRB recommendation that identified a gap in how the European financial sector would coordinate if a significant cross-border cyber incident threatened financial stability. The framework has three components:

  • EU-SCICF Secretariat — supports the day-to-day functioning of the framework
  • EU-SCICF Forum — tests and matures the framework in non-crisis mode
  • EU-SCICF Crisis Coordination — activates in crisis mode to coordinate the response across authorities

In 2026, the ESAs are focusing on testing procedures, establishing standardised protocols and taxonomies, and enhancing response capabilities. The coordination extends beyond the ESAs themselves to EU-CyCLONe (the EU's cyber crisis liaison organisation network), the G7 Cyber Experts Group, and CERT-EU.

For DORA compliance, this is relevant because your firm's incident reporting does not exist in isolation. A major ICT incident at your organisation, or at one of the 19 CTPPs, could trigger the EU-SCICF crisis mode, meaning your incident data flows into a pan-European coordination process. Your business continuity plans and escalation procedures should account for this scenario.

(ESMA: EU-SCICF establishment)

The first annual ICT incident report

One of the less noticed items in the 2026 Work Programme: the ESAs plan to produce the first annual report on major ICT-related incidents reported by financial entities to competent authorities.

This matters because it will establish the first EU-wide baseline dataset for ICT incidents in the financial sector. Until now, incident data has been fragmented across NCAs. The annual report will aggregate this data and inform both CTPP oversight and entity-level supervision.

For firms: the quality, completeness, and timeliness of your incident reports will now be measurable against a sector-wide benchmark. This is a different accountability dynamic from reporting into a national authority alone.

What's NOT changing: no new technical standards

A notable absence in the 2026 Work Programme: no new DORA-specific RTS or ITS are planned for 2026.

The regulatory text is settling. The second batch of policy products (the incident reporting RTS/ITS, the TLPT RTS, and the subcontracting RTS) has been published and is in force. The ESG stress testing guidelines (published January 2026) add a cross-sectoral layer, but they are not DORA-specific.

The 2026 focus is entirely on operationalising existing standards — making the CTPP oversight cycle work, collecting and analysing incident data, and maturing the crisis coordination framework.

This is good news for compliance teams: the goalposts are not moving. What you need to comply with is now fully published. The challenge is implementation, not interpretation of new requirements.

What this means for your organisation

Update your ICT risk framework for geopolitical context. The ESAs explicitly connect geopolitical instability to ICT operational risk. If your risk assessments model only technical failures and vendor insolvency, they may be incomplete by the supervisory standard the ESAs are setting.

Watch the CTPP oversight reports. If your firm uses any of the 19 designated providers, the findings from the first oversight cycle will likely inform your NCA's supervisory priorities for your entity. Get ahead of this by documenting your own due diligence on those providers now.

Prepare for the EU-SCICF dimension of incident reporting. Your incident management process should account for the possibility that a major incident triggers pan-European coordination. This means your BCP and escalation procedures need a cross-border element.

Treat the annual ICT incident report as a benchmark. When the ESAs publish the first aggregated report on major incidents, it will establish what "normal" looks like for incident frequency, severity, and reporting completeness. Position your own reporting quality above that baseline.

Stop waiting for new rules. The regulatory text is complete. No new RTS or ITS are coming in 2026. The task now is execution: making the existing requirements work in your organisation's specific context.

Sources: EBA — Spring 2026 risk update | ESMA — Spring 2026 risk report | Spring 2026 report PDF | ESMA — 2026 Work Programme | 2026 Work Programme PDF | ESMA — EU-SCICF | EU-SCICF official site
