← All posts

What Financial Supervisors Are Targeting in DORA Audits: Country-by-Country

ORA has been in force since January 2025. Supervisors across Europe have spent the first year assessing readiness, collecting data, and identifying weaknesses. Now they are moving from observation to inspection.

This guide summarizes what each major National Competent Authority (NCA) has publicly stated about their DORA supervision priorities for 2026. If you are preparing for an audit or want to know where your supervisor will look first, this is the reference.

The common thread

Despite differences in pace and approach, every NCA is converging on the same three areas:

  • Register of Information — the first concrete data submission requirement under DORA. Most NCAs have set their 2026 deadline in March. The ESA dry run showed only 6.5% of entities passed all validation checks.
  • Incident reporting — the 4-hour initial notification, 72-hour intermediate report, and 1-month final report. Supervisors want to see that the process works, not just that a policy exists.
  • ICT third-party risk management — contract compliance with Art. 30(2), concentration risk assessment, sub-contracting visibility, and exit strategies.

Beyond these three, governance accountability (Art. 5) and the ICT risk management framework (Art. 6) are consistently referenced as foundational items that supervisors expect to be in place from day one.

Norway — Finanstilsynet

Norway is an EEA state, not EU. DORA entered into force on 1 July 2025, six months after the EU. The four Level 2 regulations (RTS) were incorporated into Norwegian law in January 2026.

Supervision focus:
  • Defences against cyberattacks and prevention of adverse incidents
  • Preparedness for handling serious situations
  • Use and follow-up of ICT service providers
  • Management governance of ICT activities and ICT risk

Finanstilsynet rates overall ICT risk in the financial sector as "high and somewhat increasing." Access management, governance models, internal control, and vendor management are called out as key risk areas. High dependency on key service providers outside Europe is flagged as requiring increased attention.

Register of Information deadline: 13 March 2026. Incident reporting: Operational from 1 July 2025 via Altinn form KRT-3190. Finanstilsynet has published a user guide for incident and cyber threat reporting. TLPT: Not yet determined which entities must perform TLPT. Finanstilsynet proposes it designates entities while Norges Bank handles the testing coordination. Enforcement: Fines of up to NOK 50 million (approximately EUR 4.3 million).

Sweden — Finansinspektionen

Sweden has been proactive. Finansinspektionen made digital operational resilience one of its top supervisory priorities for 2025 and conducted a three-phase survey across Swedish financial entities to assess DORA implementation.

What the surveys covered:
  • ICT risk management frameworks
  • Incident management processes
  • Third-party registers

The first Register of Information submission was required in March 2025. FI issued technical guidance in May 2025 after entities encountered challenges with group-wide data consolidation and scoping of what counts as an "ICT service."

2026 inspections: Findings from the 2025 surveys will inform the first targeted DORA on-site inspections during 2026. These will cover ICT risk governance, incident reporting, testing, and third-party provider management.

FI also noted that payment service providers face more difficulties than banks in coordinating their ICT components into a DORA-compliant structure.

Denmark — Finanstilsynet

The Danish FSA was designated as the competent authority for both DORA and NIS2 in the financial sector following a parliamentary amendment in May 2024.

Inspection approach: Risk-based, starting with systemically important financial institutions — the largest banks, data centres, and critical financial infrastructure. Thematic investigations have been launched into how insurance companies and pension funds are implementing DORA. Register of Information: Submission deadline is 31 March. The Danish FSA has acknowledged the RoI posed significant challenges as it is a completely new, much more detailed reporting format than anything previously required. New reporting system: Denmark is transitioning from FIONA to a new e-Reg system. The first EBA reports in the new system will be DORA and Resolution (RESOL).

Finland — FIN-FSA

Finland stands out for two reasons: no transitional period and an expansive approach to TLPT.

No grace period: FIN-FSA explicitly stated there is no transitional period. Requirements must be complied with from 17 January 2025. This applies to over 400 supervised entities in Finland. Supervision focus:
  • Management of ICT and information security risks
  • ICT incident reporting processes
  • Supervision of ICT providers' risk management
TLPT scope: FIN-FSA has obliged not only the most significant supervised entities (significant banks, the stock exchange, central securities depository) but also smaller banks and insurance-sector participants to perform TLPT. This is broader than most other NCAs. Transparency: FIN-FSA will publish summaries of entity-specific inspection findings on its website starting 2025. Entities should expect their results to be visible.

Germany — BaFin

BaFin is moving beyond compliance checking toward data-driven, cross-sectoral assessments of practical resilience.

2026 focus areas:
  • DORA readiness testing via incident trends, TLPT scoping, and third-party risk management
  • Concentration risk from hyperscalers — BaFin has explicitly warned about dependencies on US hyperscaler providers and expects institutions to have viable exit strategies
  • ICT third-party risk management as a standalone priority topic
  • Governance and organisation — the DORA strategy must be documented centrally and the management body must be actively involved
First year data: More than 600 serious ICT incidents were reported to BaFin in the first 12 months of DORA. Register of Information: Deadline 9–30 March 2026. For the initial 2025 cycle, BaFin had postponed the deadline to 28 April 2025. Regulatory transition: BaFin abrogated VAIT, ZAIT, and KAIT on 16 January 2025. BAIT continues to apply until 31 December 2026 for entities previously subject to it. Simplified framework: BaFin has issued guidance showing how approximately 1,100 smaller and non-complex entities can benefit from the simplified ICT risk management requirements under Art. 16. Enforcement: Fines of up to EUR 5 million for certain critical breaches.

Netherlands — DNB and AFM

The Netherlands takes a risk-based and proportional approach. DNB has said its existing supervisory methods will not drastically change under DORA — information requests, risk-identifying discussions, and on-site examinations continue.

Register of Information:
  • 2025 deadline: 23 April 2025. Most submissions were accepted despite data quality issues.
  • 2026 deadline: DNB 20 March, AFM 22 March. Available via MyDNB and the AFM portal from early March.
Implementation survey results: DNB found that 65% of insurance and pension institutions had completed more than 70% of DORA implementation. However, only 34% had aligned all ICT contracts supporting critical or important functions with DORA requirements. Many entities expected to need until at least end of 2025 to finish. AFM activities:
  • Thematic reviews and institution-specific reviews
  • Continuous supervision of trading platforms and proprietary traders, particularly incident reporting and outsourcing registers
  • Asset management sector identified as vulnerable due to outsourcing to cloud platforms
TLPT: Designated entities will be informed separately. AFM test managers will guide preparation and execution. Incident reporting: Major ICT incidents must be reported within 4 hours of classification.

France — ACPR and AMF

France took an educational approach in 2025, partly because several complementary texts only arrived in July. That changes in 2026.

ACPR 2026 priorities — three inspection areas:
  • Incident management
  • Implementation of ICT risk management frameworks
  • Compliance of contracts with IT service providers
AMF activities: The AMF conducted three SPOT inspections in 2025 covering fifteen portfolio management companies, plus conventional inspections. It will continue inspections in 2026 to assess cybersecurity robustness. Stress test: A joint ACPR-AMF-Banque de France system-wide stress test was launched in summer 2025, involving the main players in French banking, insurance, and asset management. Conclusions are expected during 2026. Industry preparation: AMAFI and Simmons & Simmons organised a conference in April 2026 specifically on preparing for ACPR inspections on DORA compliance — a sign the industry expects enforcement to pick up.

Ireland — Central Bank of Ireland

The Central Bank of Ireland adopted a "Day 1 / Day 2" phased approach but has been clear about what must be ready immediately: Registers of Information and incident identification and reporting.

2026–2027 plans:
  • Planned inspections on SREP category 1 and 2 firms (the largest banks and investment firms)
  • All firms will face supervisory assessment of DORA incident reporting and registers
  • Funds sector: a survey on fund management company and fund service provider implementation of DORA is planned for H1 2026, including TLPT readiness

Operational and cyber risks remain a key concern for the CBI given what it describes as rising risk and threat levels.

Luxembourg — CSSF

The CSSF has been pragmatic but thorough. In April 2025 it issued four new circulars (25/880 through 25/883) to align existing ICT and outsourcing rules with DORA and reduce regulatory overlap. Two additional circulars followed in May covering aggregated incident cost reporting and incident notification clarifications.

Register of Information:
  • 2025: Submit 1–15 April via eDesk
  • 2026: Submit 11 February – 31 March via eDesk, with stricter validation checks than the first round
TLPT: The CSSF is the TLPT authority for entities under its supervision, using the TIBER-LU framework adopted jointly with BCL in November 2021.

Entities should expect more granular data requests and heightened scrutiny of internal controls and governance as expectations rise in the second year of DORA.

Italy — Banca d'Italia, CONSOB, IVASS, COVIP

Italy designated four competent authorities through Legislative Decree 23/2025 in March 2025:

  • Banca d'Italia — banks, financial intermediaries, Bancoposta
  • CONSOB — securities markets, investment firms, market infrastructure
  • IVASS — insurance and reinsurance
  • COVIP — pension funds

All four have powers of supervision and investigation over financial entities and their third-party ICT service providers, including access, inspection, and information requests.

TLPT: CONSOB, Banca d'Italia, and IVASS jointly updated the TIBER-IT National Guide in December 2025 to align with DORA requirements. Enforcement: Administrative sanctions of up to EUR 20 million — the highest ceiling among the countries covered in this guide.

United Kingdom — FCA, PRA, Bank of England

The UK is not subject to DORA but has its own parallel operational resilience framework with significant overlap.

Key milestone: 31 March 2025 was the end of the UK transition period. Firms must now demonstrate they can deliver Important Business Services within defined impact tolerances. 2026 approach: Regulators have moved from asking whether firms have identified their services to asking whether they can prove they are staying within tolerances in real time. The PRA describes this as "continuous resilience" — not a one-time compliance exercise. PRA Business Plan 2025/26:
  • Continue assessing operational resilience jointly with FCA
  • Monitor firms' ability to manage cyber threats through CBEST and STAR-FS penetration testing
  • Focus on critical cyber-hygiene issues and large IT transformation programmes
Critical Third Parties: Final CTP rules were published in 2024. HM Treasury is expected to designate its first Critical Third Parties within 12 months of November 2025. ESA cooperation: In January 2026, the ESAs signed an MoU with the BoE, PRA, and FCA for cooperation on supervision of critical ICT third-party providers — an important bridge between the UK and EU frameworks.

ESAs — the pan-European level

Register of Information

The ESA dry run exercise in 2024 with 1,039 financial entities found that only 6.5% passed all 116 data quality checks. About 50% of the remaining registers failed fewer than 5 checks. The results led to revised validation rules and adjustments to the Implementing Regulation.

NCAs must submit consolidated Registers of Information to the ESAs by 31 March each year.

CTPP designation

On 18 November 2025, the ESAs designated 19 Critical Third-Party Providers, including Amazon Web Services, Google Cloud, and Microsoft. Lead Overseers will conduct risk assessments and initial examination activities in 2026. Non-compliance can lead to public disclosure and, as a last resort, requiring financial entities to suspend or terminate arrangements with the provider.

Supervisory convergence

The EBA found "notable progress" across NCAs in strengthening ICT risk assessment under SREP, with more than 2,000 supervisors participating in the EU Supervisory Digital Finance Academy. ESMA has promoted cyber risk and digital resilience as a Union Strategic Supervisory Priority starting 2025. EIOPA elevated DORA from an "Area for Attention" in 2025 to a full "Focus Area" for 2026.

Register of Information deadlines — 2026

CountryNCADeadline
LuxembourgCSSF11 Feb – 31 Mar 2026
NorwayFinanstilsynet13 Mar 2026
GermanyBaFin9–30 Mar 2026
NetherlandsDNB20 Mar 2026
NetherlandsAFM22 Mar 2026
IrelandCBI2–31 Mar 2026
DenmarkDanish FSA31 Mar 2026
ESAs (all NCAs)EBA/ESMA/EIOPANCAs to ESAs by 31 Mar

Reference date for all: 31 December 2025.

What this means for your entity

The pattern is consistent across Europe. Supervisors are past the awareness phase and moving into verification. Here is what you should have in place now:

Immediate priorities:
  • Register of Information populated and validated against the EBA's 85-rule validation engine. If you struggled with the 2025 submission, fix the data quality issues now — NCAs are applying stricter checks in 2026.
  • Incident management process tested end-to-end, including the 4-hour initial notification. Pre-filled ITS templates ready for submission.
  • ICT contracts for critical and important functions reviewed against Art. 30(2) mandatory clauses. The Netherlands found only 34% of entities had this done.
Near-term priorities:
  • Third-party concentration risk assessed and documented. BaFin has specifically called out hyperscaler dependency.
  • Exit strategies for critical ICT providers. Not just documented — actionable.
  • Management body accountability evidenced: formal framework approval, risk appetite statement, regular reporting.
If you are in Finland, Sweden, or France: Expect inspections in 2026. Finland is publishing inspection summaries. Sweden's first on-site visits are informed by their three-phase survey. France's ACPR has defined three specific inspection topics. If you are in the UK: Your framework is different but directionally similar. The PRA expects continuous resilience, not periodic compliance. CBEST and STAR-FS testing continues. The ESA-BoE MoU means your critical third-party arrangements will be visible to EU supervisors too.

Tools to help

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →