On 18 November 2025, IBM, alongside large technology firms such as Accenture plc, Amazon Web Services EMEA and Microsoft Ireland Operations, was officially designated as a critical third-party provider (CTPP). This designation falls under the EU Digital Operational Resilience Act (DORA).
This milestone marks a historic shift in financial services regulation: for the first time, information and communication technology (ICT) service providers are subject to direct and ongoing supervision by financial regulators. It reflects growing recognition of the systemic importance of technology providers within the financial ecosystem and the need to strengthen resilience against operational and cyber risks increasingly originating outside traditionally regulated entities.
Why does this new designation matter?
As the regulatory perimeter expands, collaboration between financial institutions and technology providers will be key to ensuring operational resilience without stifling innovation.
Why is this moment so significant for both supervisors and supervised entities? What have we seen during the first year of DORA application? Finally, what can we expect going forward? Let’s dive in.
Seeking to ensure digital operational resilience throughout the entire financial ecosystem, DORA marks the first attempt to establish a level playing field across the whole EU. It applies to institutions of different backgrounds and sizes, some of which are subject to supervision for the first time.
For the supervised institutions, especially less mature ones, implementing the new requirements may serve to discover unsuspected issues requiring remediation in their strategies, governing processes, operations or risk management.
For supervisors, a level playing field is a precondition for observing comparable risk management frameworks so that homogeneous oversight can be applied. Depending on oversight results, supervisors might initiate further exercises to align risk management practices and appetites.
The DORA supervisory actions being launched in 2026 are mainly aimed at reinforcing cybersecurity and third-party risk management. During the reviews, apart from issuing individual recommendations, the supervisors will collect best and worst practices that will be shared with the supervised entities to foster alignment.
In turn, the results and findings of the oversight activities will be subject to an annual collective assessment by the Oversight Forum established by the ESAs Joint Committee. The outcome of this process will ensure a more consistent approach to monitoring ICT third-party risk at Union level. DORA’s real test starts now.
17 January marked the first anniversary of DORA’s application. While DORA applied from day one, 2025 was essentially a transition year for both financial entities and supervisors. Many firms were still completing implementation tasks, particularly around registers of contractual arrangements with ICT service providers and the classification and reporting of major ICT incidents, all of which featured prominently in supervisors’ stated priorities.
Moreover, throughout 2025, Level 2 standards were being finalized. The last two Regulatory Technical Standards entered into force in July [1] and the first list of CTPPs was published on 18 November. Key supervisory guidance was also released during the year, including on CTPP oversight, outsourcing to cloud services and updated ICT and security risk management guidelines.
Supervisors also used 2025 to take stock through the ECB’s Supervisory Review and Evaluation Process (SREP) reviews and direct engagement with firms. The findings were sobering: ICT risk management practices remained a persistent weak spot, as “operational risk and ICT risk continue to receive the worst average scores in the SREP.” [2]
With the “training wheels” now off, 2026 marks the first true test of DORA, and both financial institutions and CTPPs will feel the difference. The EBA 2026 Work Programme [3] and the ECB’s supervisory priorities for 2026–2028 [4] make this explicit, outlining targeted actions for firms and horizontal oversight work.
This is the first year under direct EU supervision. Expect:
• Direct engagement with European Supervisory Agencies (ESAs) on governance, strategy and ICT services provided to EU financial entities.
• Horizontal reviews of contracts and service-level agreements.
• Deep-dive assessments and onsite inspections (OSIs) on high-risk areas, requiring close cooperation with relevant EU and non-EU authorities.
Designation as a CTPP significantly increases the visibility of ICT service providers. Well-prepared CTPPs have a strategic opportunity to demonstrate to potential clients the added value of partnering with them for operational resilience. By contrast, supervisory criticism can damage reputation and prove highly costly in terms of lost business.
Beyond ongoing technical work to embed resilience in their daily operations, CTPPs should proactively strengthen governance, risk management and internal escalation frameworks. They should also engage openly and transparently with ESAs, starting with the designation of a coordination function to interface with the Lead Overseer. CTPPs should also develop a mindset of collaboration with financial entities and regulators and be prepared to operate as part of an interconnected ecosystem.
Anne Leslie, IBM Cloud Risk & Controls Leader Europe, points to the UK’s Cross Market Operational Resilience Group (CMORG) as a model: joint testing, coordinated incident response and shared threat intelligence. “An EU equivalent can do the same: harmonize expectations, reduce duplication and build trust between financial entities and critical ICT providers,” says Leslie [5].
Apart from benefiting from a stronger framework, financial institutions that excelled during DORA’s implementation should capitalize on those efforts with supervisors, helping to shape best practices.
ECB plans include:
• Targeted follow-up on remediation strategies for material shortcomings in ICT security and ICT outsourcing
• Two OSI campaigns on cybersecurity and third-party risk management in line with DORA requirements, targeting more vulnerable banks as identified by the Joint Supervisory Teams
• Threat-led penetration testing to identify vulnerabilities and required enhancements to cybersecurity resilience
• Targeted reviews of ICT change management
• A deep dive into banks’ cloud service provider dependency, assessing preparedness for potential service disruptions under the ECB’s outsourcing guide [6]
Institutions should also prepare for further reviews stemming from the outcome of the supervisory activities on CTPPs. As the ECB notes: “Oversight of critical third-party providers is meant to complement, not substitute, sound third-party risk management.” [7]
Supervisory focus will remain dynamic. Oversight activities might shift based on insights from the ESAs’ analysis of major ICT incident reports. They might also change following assessment of risks posed by specific CTPPs to financial institutions [8].
ESAs will also conduct horizontal oversight work, including planning for 2027 and reassessing CTPP criticality in light of 2026 data—potentially revising the list.
The road ahead will be challenging. Oversight in 2026 will be demanding for both supervisors and supervised entities. With some authorities exercising new powers and varying levels of maturity in ICT risk oversight across jurisdictions, the question remains: how quickly can truly harmonized, consistent DORA supervision be achieved across the EU?
Promontory, a business unit of IBM Consulting®, operates at the intersection of strategy, risk management, technology and regulation. Our team combines deep industry and regulatory expertise to deliver frank, proactive advice aligned with best practices and supervisory expectations.
Since DORA’s publication in 2022, we’ve supported numerous financial institutions across the EU in adapting to its requirements. Our work has covered everything from gap analysis and compliance roadmaps to board reporting frameworks, resilience testing strategies and backup architecture assessments.
As DORA enters its first full supervisory cycle in 2026, we’re ready to assist financial institutions in designing governance, risk management, and resilience strategies that meet supervisory expectations without compromising client service.
Want to learn more about how we can support your DORA journey?
Read more in the DORA Action Guide—and let’s connect.
[1] The two Regulatory Technical Standards covered the elements that a financial entity needs to determine and assess when subcontracting ICT services, and the criteria for identifying financial entities required to perform threat-led penetration testing.
[2] ECB supervisory priorities for 2026–2028 (ECB, November 2025), 2.3 Priority 2. https://www.bankingsupervision.europa.eu/framework/priorities/html/ssm.supervisory_priorities202511.en.html
For more information, see “Aggregated results of the 2025 SREP” (ECB, November 2025), 5.5.1 Operational and ICT risk. https://www.bankingsupervision.europa.eu/activities/srep/2025/html/ssm.srep202511_aggregatedresults2025.en.html
[3] EBA 2026 work programme (EBA, October 2025), paragraph 36. https://www.eba.europa.eu/sites/default/files/2025-10/b9fe2713-117b-440f-aae0-bdcb8832c3e0/EBA%20Work%20programme%202026.pdf
[4] ECB supervisory priorities for 2026–2028 (ECB, November 2025), 2.3 Priority 2. https://www.bankingsupervision.europa.eu/framework/priorities/html/ssm.supervisory_priorities202511.en.html
[5] DORA and the supply chain reckoning: Rethinking third-party risk for a resilient financial sector (LinkedIn, October 2025).
[6] ECB guide on outsourcing cloud services to cloud service providers (ECB, July 2025). https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.supervisory_guides202507.en.pdf
[7] ECB supervisory priorities for 2026–2028 (ECB, November 2025), 2.3 Priority 2. https://www.bankingsupervision.europa.eu/framework/priorities/html/ssm.supervisory_priorities202511.en.html
[8] EBA 2026 work programme (EBA, October 2025), paragraphs 35 and 36. https://www.eba.europa.eu/sites/default/files/2025-10/b9fe2713-117b-440f-aae0-bdcb8832c3e0/EBA%20Work%20programme%202026.pdf