ORA has been in force since January 2025. Supervisors across Europe have spent the first year assessing readiness, collecting data, and identifying weaknesses. Now they are moving from observation to inspection.
This guide summarizes what each major National Competent Authority (NCA) has publicly stated about their DORA supervision priorities for 2026. If you are preparing for an audit or want to know where your supervisor will look first, this is the reference.
The common thread
Despite differences in pace and approach, every NCA is converging on the same three areas:
- Register of Information — the first concrete data submission requirement under DORA. Most NCAs have set their 2026 deadline in March. The ESA dry run showed only 6.5% of entities passed all validation checks.
- Incident reporting — the 4-hour initial notification, 72-hour intermediate report, and 1-month final report. Supervisors want to see that the process works, not just that a policy exists.
- ICT third-party risk management — contract compliance with Art. 30(2), concentration risk assessment, sub-contracting visibility, and exit strategies.
Beyond these three, governance accountability (Art. 5) and the ICT risk management framework (Art. 6) are consistently referenced as foundational items that supervisors expect to be in place from day one.
Norway — Finanstilsynet
Norway is an EEA state, not EU. DORA entered into force on 1 July 2025, six months after the EU. The four Level 2 regulations (RTS) were incorporated into Norwegian law in January 2026.
Supervision focus:- Defences against cyberattacks and prevention of adverse incidents
- Preparedness for handling serious situations
- Use and follow-up of ICT service providers
- Management governance of ICT activities and ICT risk
Finanstilsynet rates overall ICT risk in the financial sector as "high and somewhat increasing." Access management, governance models, internal control, and vendor management are called out as key risk areas. High dependency on key service providers outside Europe is flagged as requiring increased attention.
Register of Information deadline: 13 March 2026. Incident reporting: Operational from 1 July 2025 via Altinn form KRT-3190. Finanstilsynet has published a user guide for incident and cyber threat reporting. TLPT: Not yet determined which entities must perform TLPT. Finanstilsynet proposes it designates entities while Norges Bank handles the testing coordination. Enforcement: Fines of up to NOK 50 million (approximately EUR 4.3 million).Sweden — Finansinspektionen
Sweden has been proactive. Finansinspektionen made digital operational resilience one of its top supervisory priorities for 2025 and conducted a three-phase survey across Swedish financial entities to assess DORA implementation.
What the surveys covered:- ICT risk management frameworks
- Incident management processes
- Third-party registers
The first Register of Information submission was required in March 2025. FI issued technical guidance in May 2025 after entities encountered challenges with group-wide data consolidation and scoping of what counts as an "ICT service."
2026 inspections: Findings from the 2025 surveys will inform the first targeted DORA on-site inspections during 2026. These will cover ICT risk governance, incident reporting, testing, and third-party provider management.FI also noted that payment service providers face more difficulties than banks in coordinating their ICT components into a DORA-compliant structure.
Denmark — Finanstilsynet
The Danish FSA was designated as the competent authority for both DORA and NIS2 in the financial sector following a parliamentary amendment in May 2024.
Inspection approach: Risk-based, starting with systemically important financial institutions — the largest banks, data centres, and critical financial infrastructure. Thematic investigations have been launched into how insurance companies and pension funds are implementing DORA. Register of Information: Submission deadline is 31 March. The Danish FSA has acknowledged the RoI posed significant challenges as it is a completely new, much more detailed reporting format than anything previously required. New reporting system: Denmark is transitioning from FIONA to a new e-Reg system. The first EBA reports in the new system will be DORA and Resolution (RESOL).Finland — FIN-FSA
Finland stands out for two reasons: no transitional period and an expansive approach to TLPT.
No grace period: FIN-FSA explicitly stated there is no transitional period. Requirements must be complied with from 17 January 2025. This applies to over 400 supervised entities in Finland. Supervision focus:- Management of ICT and information security risks
- ICT incident reporting processes
- Supervision of ICT providers' risk management
Germany — BaFin
BaFin is moving beyond compliance checking toward data-driven, cross-sectoral assessments of practical resilience.
2026 focus areas:- DORA readiness testing via incident trends, TLPT scoping, and third-party risk management
- Concentration risk from hyperscalers — BaFin has explicitly warned about dependencies on US hyperscaler providers and expects institutions to have viable exit strategies
- ICT third-party risk management as a standalone priority topic
- Governance and organisation — the DORA strategy must be documented centrally and the management body must be actively involved
Netherlands — DNB and AFM
The Netherlands takes a risk-based and proportional approach. DNB has said its existing supervisory methods will not drastically change under DORA — information requests, risk-identifying discussions, and on-site examinations continue.
Register of Information:- 2025 deadline: 23 April 2025. Most submissions were accepted despite data quality issues.
- 2026 deadline: DNB 20 March, AFM 22 March. Available via MyDNB and the AFM portal from early March.
- Thematic reviews and institution-specific reviews
- Continuous supervision of trading platforms and proprietary traders, particularly incident reporting and outsourcing registers
- Asset management sector identified as vulnerable due to outsourcing to cloud platforms
France — ACPR and AMF
France took an educational approach in 2025, partly because several complementary texts only arrived in July. That changes in 2026.
ACPR 2026 priorities — three inspection areas:- Incident management
- Implementation of ICT risk management frameworks
- Compliance of contracts with IT service providers
Ireland — Central Bank of Ireland
The Central Bank of Ireland adopted a "Day 1 / Day 2" phased approach but has been clear about what must be ready immediately: Registers of Information and incident identification and reporting.
2026–2027 plans:- Planned inspections on SREP category 1 and 2 firms (the largest banks and investment firms)
- All firms will face supervisory assessment of DORA incident reporting and registers
- Funds sector: a survey on fund management company and fund service provider implementation of DORA is planned for H1 2026, including TLPT readiness
Operational and cyber risks remain a key concern for the CBI given what it describes as rising risk and threat levels.
Luxembourg — CSSF
The CSSF has been pragmatic but thorough. In April 2025 it issued four new circulars (25/880 through 25/883) to align existing ICT and outsourcing rules with DORA and reduce regulatory overlap. Two additional circulars followed in May covering aggregated incident cost reporting and incident notification clarifications.
Register of Information:- 2025: Submit 1–15 April via eDesk
- 2026: Submit 11 February – 31 March via eDesk, with stricter validation checks than the first round
Entities should expect more granular data requests and heightened scrutiny of internal controls and governance as expectations rise in the second year of DORA.
Italy — Banca d'Italia, CONSOB, IVASS, COVIP
Italy designated four competent authorities through Legislative Decree 23/2025 in March 2025:
- Banca d'Italia — banks, financial intermediaries, Bancoposta
- CONSOB — securities markets, investment firms, market infrastructure
- IVASS — insurance and reinsurance
- COVIP — pension funds
All four have powers of supervision and investigation over financial entities and their third-party ICT service providers, including access, inspection, and information requests.
TLPT: CONSOB, Banca d'Italia, and IVASS jointly updated the TIBER-IT National Guide in December 2025 to align with DORA requirements. Enforcement: Administrative sanctions of up to EUR 20 million — the highest ceiling among the countries covered in this guide.United Kingdom — FCA, PRA, Bank of England
The UK is not subject to DORA but has its own parallel operational resilience framework with significant overlap.
Key milestone: 31 March 2025 was the end of the UK transition period. Firms must now demonstrate they can deliver Important Business Services within defined impact tolerances. 2026 approach: Regulators have moved from asking whether firms have identified their services to asking whether they can prove they are staying within tolerances in real time. The PRA describes this as "continuous resilience" — not a one-time compliance exercise. PRA Business Plan 2025/26:- Continue assessing operational resilience jointly with FCA
- Monitor firms' ability to manage cyber threats through CBEST and STAR-FS penetration testing
- Focus on critical cyber-hygiene issues and large IT transformation programmes
ESAs — the pan-European level
Register of Information
The ESA dry run exercise in 2024 with 1,039 financial entities found that only 6.5% passed all 116 data quality checks. About 50% of the remaining registers failed fewer than 5 checks. The results led to revised validation rules and adjustments to the Implementing Regulation.
NCAs must submit consolidated Registers of Information to the ESAs by 31 March each year.
CTPP designation
On 18 November 2025, the ESAs designated 19 Critical Third-Party Providers, including Amazon Web Services, Google Cloud, and Microsoft. Lead Overseers will conduct risk assessments and initial examination activities in 2026. Non-compliance can lead to public disclosure and, as a last resort, requiring financial entities to suspend or terminate arrangements with the provider.
Supervisory convergence
The EBA found "notable progress" across NCAs in strengthening ICT risk assessment under SREP, with more than 2,000 supervisors participating in the EU Supervisory Digital Finance Academy. ESMA has promoted cyber risk and digital resilience as a Union Strategic Supervisory Priority starting 2025. EIOPA elevated DORA from an "Area for Attention" in 2025 to a full "Focus Area" for 2026.
Register of Information deadlines — 2026
| Country | NCA | Deadline |
|---|---|---|
| Luxembourg | CSSF | 11 Feb – 31 Mar 2026 |
| Norway | Finanstilsynet | 13 Mar 2026 |
| Germany | BaFin | 9–30 Mar 2026 |
| Netherlands | DNB | 20 Mar 2026 |
| Netherlands | AFM | 22 Mar 2026 |
| Ireland | CBI | 2–31 Mar 2026 |
| Denmark | Danish FSA | 31 Mar 2026 |
| ESAs (all NCAs) | EBA/ESMA/EIOPA | NCAs to ESAs by 31 Mar |
Reference date for all: 31 December 2025.
What this means for your entity
The pattern is consistent across Europe. Supervisors are past the awareness phase and moving into verification. Here is what you should have in place now:
Immediate priorities:- Register of Information populated and validated against the EBA's 85-rule validation engine. If you struggled with the 2025 submission, fix the data quality issues now — NCAs are applying stricter checks in 2026.
- Incident management process tested end-to-end, including the 4-hour initial notification. Pre-filled ITS templates ready for submission.
- ICT contracts for critical and important functions reviewed against Art. 30(2) mandatory clauses. The Netherlands found only 34% of entities had this done.
- Third-party concentration risk assessed and documented. BaFin has specifically called out hyperscaler dependency.
- Exit strategies for critical ICT providers. Not just documented — actionable.
- Management body accountability evidenced: formal framework approval, risk appetite statement, regular reporting.
Tools to help
- Free DORA Compliance Checklist Template — 95 items across all five pillars with maturity scoring and auto-calculated dashboard
- DORA Compliance Checklist PDF Guide — 13-page companion guide
- Free DORA Gap Analysis — automated 3-minute maturity assessment
- DORA GRC Platform — Register of Information with EBA validation, incident reporting with ITS templates, risk assessment, and 360° intelligence