DORA Compliance Statistics 2026: 60+ Facts on Scope, Readiness, and Enforcement
The Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025, making it one of the most significant regulatory milestones for Europe's financial sector. DORA requires more than 22,000 financial entities and their ICT service providers to meet strict standards for ICT risk management, incident reporting, resilience testing, and third-party risk management.
This page compiles verified statistics on DORA's scope, compliance readiness, penalty framework, ICT third-party provider oversight, cyber threats facing the financial sector, and implementation costs. Every number is sourced from official EU supervisory authorities, regulatory bodies, and verified industry reports.
DORA Scope and Scale
DORA Article 2(1) lists 21 categories of entity: 20 types of financial entity plus the ICT third-party service providers that serve them. Unlike many financial regulations that focus on banks alone, DORA covers the full breadth of the EU financial sector.
| Statistic | Source |
|---|---|
| More than 22,000 financial entities and ICT service providers fall within DORA's scope across the EU | Palo Alto Networks; PwC |
| 21 categories of entity are listed in DORA Article 2(1): 20 types of financial entity plus ICT third-party service providers | ESMA DORA Overview; Regulation (EU) 2022/2554, Article 2 |
Financial Entities in Scope
DORA applies to credit institutions (banks), payment institutions (including those exempted under PSD2), account information service providers, electronic money institutions, investment firms, crypto-asset service providers (CASPs) and issuers of asset-referenced tokens, central securities depositories (CSDs), central counterparties (CCPs), trading venues, trade repositories, alternative investment fund managers (AIFMs), UCITS management companies, data reporting service providers, insurance and reinsurance undertakings, insurance, reinsurance and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Statutory auditors and audit firms, which appeared in the Commission's 2020 proposal, were dropped from the final text and are not in scope.
Source: LegalNodes DORA Compliance Guide
DORA Compliance Readiness
Surveys from multiple sources paint a clear picture: the financial sector struggled to achieve full DORA compliance by the January 2025 deadline.
McKinsey Survey (March 2024, 18 executives from leading EU financial institutions)
| Statistic | Source |
|---|---|
| Only about one-third of financial institutions expressed confidence they could fulfill all DORA requirements by January 2025 | McKinsey - "Europe's new resilience regime" (June 2024) |
| 70% said DORA compliance would result in permanently higher run costs for technology | McKinsey (June 2024) |
| At about 50% of institutions, the IT organization drives DORA implementation | McKinsey (June 2024) |
CSSF Luxembourg Survey (August/September 2024, ~500 entities)
| Statistic | Source |
|---|---|
| 90% had completed their DORA gap analysis | CSSF - Results of DORA readiness survey (October 2024) |
| More than two-thirds (~67%) considered themselves "partially ready" | CSSF (October 2024) |
| Almost one-quarter (~25%) considered themselves "almost ready" | CSSF (October 2024) |
| Only 1 entity perceived itself as fully ready | CSSF (October 2024) |
IDC Survey (May 2024)
| Statistic | Source |
|---|---|
| 49% of respondents: "We are aware of DORA but have not yet undertaken exploratory work" | IDC - "Final Countdown to DORA" |
| 14% admitted: "We are not aware of DORA" | IDC - "Final Countdown to DORA" |
Deloitte European Survey (Early 2025, across 28 European countries)
| Statistic | Source |
|---|---|
| Only 25% of entities feel compliant on Pillar I (ICT Risk Management) | Deloitte Luxembourg - DORA European Survey 2025 |
| 48% have ICT incident management protocols ready (Pillar II) | Deloitte (2025) |
| Only 8% achieved full compliance on Pillars III and IV (Testing and Third-Party Risk) | Deloitte (2025) |
| 46% identify the register of information as the most challenging task | Deloitte (2025) |
DORA Compliance Costs
The cost of DORA compliance varies significantly based on entity size and complexity. Large financial groups face multi-million euro programs, while the testing requirements alone represent a significant ongoing expense.
| Statistic | Source |
|---|---|
| 83% of financial entities have a compliance cost estimate | Deloitte - DORA European Survey 2025 |
| 64% plan to spend EUR 2-5 million on DORA compliance | Deloitte (2025) |
| Average staffing: 5-8 FTEs per institution dedicated to DORA | Deloitte (2025) |
| One large financial group reported total DORA program spend of nearly EUR 100 million | Deloitte (2025) |
| Threat-led penetration testing (TLPT) costs estimated at 0.1%-0.3% of total ICT budget | Compact.nl, citing ESAs |
DORA Penalties and Enforcement
DORA leaves administrative penalties for financial entities to member states: Article 50 requires competent authorities to hold supervisory, investigatory and sanctioning powers and requires member states to lay down "effective, proportionate and dissuasive" penalties, but it sets no EU-wide fine ceiling. The only fine quantified in the Regulation itself is the periodic penalty payment a Lead Overseer may impose on a Critical ICT Third-Party Provider (Article 35). This is why national implementations diverge.
EU-Level Penalty Framework (DORA Articles 35 and 50)
| Penalty Type | Maximum |
|---|---|
| Daily periodic penalty payments for CTPPs that fail to comply with Lead Overseer measures (Article 35) | 1% of average daily worldwide turnover in the preceding business year, per day of non-compliance, for up to 6 months |
| Fines for financial entities and for individuals (Article 50) | No EU-level ceiling; set by national law (see the divergence table below) |
The figures often quoted for DORA (2% of total annual worldwide turnover for financial entities, EUR 1,000,000 for individuals, EUR 5,000,000 for CTPPs and EUR 500,000 for individuals at CTPPs) come from secondary commentary such as QuoIntelligence rather than from the Regulation text; the binding ceilings are those in national implementing law.
Source: QuoIntelligence - DORA Explained
National Divergence in Penalty Implementation
Member states have implemented DORA's penalty provisions with significant variation, as documented by DLA Piper in October 2025:
| Country | Turnover-Based Ceiling | Absolute Ceiling (Entities) | Individual Ceiling |
|---|---|---|---|
| Spain | 5% of turnover | - | - |
| Sweden | 10% of turnover | - | - |
| Czech Republic | - | EUR 2 million | - |
| Italy | - | EUR 20 million | - |
| Germany | - | - | EUR 5 million |
| Finland | - | - | EUR 100,000 |
Source: DLA Piper - "Divergence in administrative penalties under DORA" (October 2025)
Additional Enforcement Powers
Beyond financial penalties, supervisory authorities have the power to issue public disclosures of breaches, binding remedial orders, suspension or limitation of business activities, and revocation of authorization or licenses.
Source: BOC Group - DORA Compliance Penalties
Criminal Liability
DORA Article 52 lets member states rely on criminal penalties under national law for a given breach instead of laying down administrative penalties for it. Because Article 5 makes the management body responsible for the ICT risk management framework, commentators note that board members may face personal civil and, depending on national law, criminal liability for gross negligence in failing to ensure digital operational resilience.
Source: Avenga - Guide to DORA's Penalties
Critical ICT Third-Party Providers (CTPPs)
On November 18, 2025, the European Supervisory Authorities published the first-ever list of Critical ICT Third-Party Providers under DORA. Each of these 19 providers is now subject to direct EU-level oversight by a Lead Overseer (EBA, ESMA or EIOPA), coordinated across the ESAs through the Oversight Forum and the Joint Oversight Network.
The 19 Designated Critical ICT Third-Party Providers
| # | Provider |
|---|---|
| 1 | Accenture plc |
| 2 | Amazon Web Services EMEA Sarl |
| 3 | Bloomberg L.P. |
| 4 | Capgemini SE |
| 5 | Colt Technology Services |
| 6 | Deutsche Telekom AG |
| 7 | Equinix (EMEA) B.V. |
| 8 | Fidelity National Information Services, Inc. (FIS) |
| 9 | Google Cloud EMEA Limited |
| 10 | International Business Machines Corporation (IBM) |
| 11 | InterXion HeadQuarters B.V. |
| 12 | Kyndryl Inc. |
| 13 | LSEG Data and Risk Limited |
| 14 | Microsoft Ireland Operations Limited |
| 15 | NTT DATA Inc. |
| 16 | Oracle Nederland B.V. |
| 17 | Orange SA |
| 18 | SAP SE |
| 19 | Tata Consultancy Services Limited |
Source: EIOPA press release (November 18, 2025); PwC Legal analysis
Register of Information
All financial entities under DORA must maintain a register of all contractual arrangements with ICT third-party service providers. Reference date: March 31, 2025. National authorities forwarded registers to the ESAs by April 30, 2025 for designation analysis.
Source: EBA - ESAs announce timeline for CTPP designation
DORA ICT Incident Reporting
DORA introduces one of the strictest incident reporting frameworks in financial regulation, with reporting timelines measured in hours rather than days.
Reporting Timelines (Commission Delegated Regulation (EU) 2025/301, the RTS on report content and time limits; the standard forms and templates are in Commission Implementing Regulation (EU) 2025/302)
| Report | Deadline |
|---|---|
| Initial notification | Within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of the incident |
| Intermediate report | Within 72 hours of submitting the initial notification |
| Final report | Within 1 month of submitting the (latest updated) intermediate report |
Source: QuoIntelligence; Securiti - EU Regulation 2025/302
Classification Criteria
An ICT-related incident is classified as major when it has affected critical services AND either: (a) a successful malicious unauthorised access to network and information systems occurred that may result in data losses, OR (b) the materiality thresholds for two or more of the other criteria are reached (clients, financial counterparties and transactions affected; data losses; reputational impact; duration and service downtime; geographical spread; economic impact).
Source: FMA Austria - DORA ICT-related incidents
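As an added example (not code from the page or from any of its sources), the following Python helper encodes the classification rule above and chains the reporting deadlines from the preceding table. The criterion names, the `Incident` dataclass and the constructed sample timestamps are this example's own assumptions; the 4-hour, 24-hour, 72-hour and 1-month figures are the ones on this page. A report that has not been submitted yet is treated as submitted at its own deadline, which yields the latest dates an incident team can still plan against, and the sample deliberately shows the case where slow classification makes the 24-hour-from-awareness cap, not the 4-hour window, the binding constraint.

```python
"""DORA major-incident triage helper: classification rule plus chained reporting deadlines.

Added example; criterion names and the sample incident are illustrative assumptions.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Materiality criteria that count toward the "two or more" rule (names are this example's own).
OTHER_CRITERIA = frozenset({
    "clients_counterparties_transactions", "data_losses", "reputational_impact",
    "duration_downtime", "geographical_spread", "economic_impact",
})

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # initial notification: 4h from classification...
INITIAL_AFTER_AWARENESS = timedelta(hours=24)       # ...but never later than 24h from awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # intermediate report: 72h from initial notification


@dataclass(frozen=True)
class Incident:
    aware_at: datetime            # when the entity became aware of the incident (tz-aware)
    classified_at: datetime       # when it was classified as major (tz-aware)
    critical_services_affected: bool
    malicious_access_may_cause_data_loss: bool
    thresholds_met: frozenset = frozenset()   # subset of OTHER_CRITERIA


def is_major(inc: Incident) -> bool:
    """Major = critical services affected AND (malicious access that may lose data OR >= 2 other thresholds)."""
    unknown = set(inc.thresholds_met) - OTHER_CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    if not inc.critical_services_affected:
        return False
    return inc.malicious_access_may_cause_data_loss or len(inc.thresholds_met) >= 2


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month step that clamps to month end (31 Jan -> 28/29 Feb) instead of overflowing."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(inc: Incident, initial_sent_at: Optional[datetime] = None,
                        intermediate_sent_at: Optional[datetime] = None) -> dict:
    """Return the three report deadlines for a major incident, or {} if it is not major.

    Each later deadline runs from the actual submission of the previous report; if that report
    has not been sent yet, its own deadline is used, giving the latest dates still available.
    """
    if not is_major(inc):
        return {}
    if inc.aware_at.tzinfo is None or inc.classified_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; an offset error can silently miss a deadline")
    # Slow classification eats the 4-hour window: the cap of 24h from awareness wins when earlier.
    initial_due = min(inc.classified_at + INITIAL_AFTER_CLASSIFICATION,
                      inc.aware_at + INITIAL_AFTER_AWARENESS)
    intermediate_due = (initial_sent_at or initial_due) + INTERMEDIATE_AFTER_INITIAL
    final_due = add_one_month(intermediate_sent_at or intermediate_due)
    return {"initial_due": initial_due, "intermediate_due": intermediate_due, "final_due": final_due}


def sample_incident() -> Incident:
    """Constructed scenario: aware Mon 08:00 UTC, classified 22h later, two thresholds tripped."""
    utc = timezone.utc
    return Incident(
        aware_at=datetime(2025, 1, 20, 8, 0, tzinfo=utc),
        classified_at=datetime(2025, 1, 21, 6, 0, tzinfo=utc),
        critical_services_affected=True,
        malicious_access_may_cause_data_loss=False,
        thresholds_met=frozenset({"clients_counterparties_transactions", "duration_downtime"}),
    )


if __name__ == "__main__":
    inc = sample_incident()
    print("major:", is_major(inc))
    for name, due in reporting_deadlines(inc).items():
        print(f"{name:17s} {due.isoformat()}")
```

In the sample, classification happens 22 hours after awareness, so the naive "4 hours after classification" date (10:00) is overtaken by the 24-hour cap (08:00); a playbook that only tracks the 4-hour window would file late. Pass `initial_sent_at` and `intermediate_sent_at` once the reports actually go out so the later deadlines re-anchor on real submission times.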
Threat-Led Penetration Testing (TLPT)
DORA mandates advanced security testing for significant financial entities, building on the TIBER-EU framework with legally binding requirements.
| Statistic | Source |
|---|---|
| TLPT is mandatory every 3 years for entities identified as "significant" by their supervisor | DORA Article 26 |
| First TLPT deadline: January 17, 2028 (3 years after DORA application date) | TIBER.info |
| Purple teaming is compulsory under DORA (only recommended under TIBER-EU) | Yogosha |
| Threat intelligence provider must always be external | DORA TLPT RTS |
| Every third test must use an external red team | DORA TLPT RTS |
| TLPT RTS published June 18, 2025, effective July 8, 2025 | TIBER.info |
Cyber Threats in the Financial Sector
The following data from ENISA and other authoritative sources illustrates the threat landscape that DORA is designed to address.
ENISA Threat Landscape: Finance Sector (January 2023 - June 2024)
| Statistic | Source |
|---|---|
| 488 publicly reported incidents affecting the European finance sector | ENISA - Threat Landscape: Finance Sector (February 2025) |
| Banks (credit institutions) were the most affected entity type at 46% of all incidents | ENISA (February 2025) |
| Public financial organizations: 13% of incidents | ENISA (February 2025) |
| DDoS attacks: 58% targeted banks specifically | ENISA (February 2025) |
| Ransomware: 29% affected financial service providers, 17% affected insurance organizations | ENISA (February 2025) |
| 200% year-over-year increase in malware families targeting banking applications | ENISA (February 2025) |
| 29 supply chain-related attacks identified in the finance sector | ENISA (February 2025) |
IMF Global Financial Stability Report (April 2024)
| Statistic | Source |
|---|---|
| Nearly one-fifth of reported cyber incidents in the past two decades affected the global financial sector | IMF GFSR April 2024, Chapter 3 |
| USD 12 billion in direct losses to financial firms over two decades of cyber incidents | IMF (April 2024) |
| USD 2.5 billion in direct losses to financial firms since 2020 alone | IMF (April 2024) |
| Extreme losses from cyberattacks have increased four-fold since 2017 | IMF (April 2024) |
| Only about half of countries surveyed had a national financial sector-focused cybersecurity strategy | IMF (April 2024) |
Global Financial Sector Incidents
| Statistic | Source |
|---|---|
| 3,348 reported cyber incidents in the financial industry worldwide in 2023, up from 1,829 in 2022 (83% increase year-over-year) | Statista |
ECB Cyber Resilience Stress Test (July 2024)
| Statistic | Source |
|---|---|
| 109 directly supervised banks were tested | ECB Banking Supervision (July 26, 2024) |
| 28 banks underwent extensive testing with actual IT recovery tests and on-site visits | ECB (July 2024) |
| Scenario tested: all preventive measures fail, cyberattack severely affects databases of core systems | ECB (July 2024) |
| Finding: banks have response and recovery frameworks but "areas for improvement remain" | ECB (July 2024) |
DORA Information Sharing (Article 45)
DORA encourages (but does not mandate) financial entities to exchange cyber threat intelligence. While information sharing itself is voluntary, entities are required to inform regulators about how they participate in information sharing arrangements.
Shared intelligence includes indicators of compromise, tactics/techniques/procedures, cybersecurity alerts, and configuration tools. Arrangements must protect sensitive information, respect business confidentiality, personal data protection, and competition law.
Source: DORA Article 45; FS-ISAC DORA Information Sharing Requirements
DORA Technical Standards
The European Supervisory Authorities (EBA, ESMA, EIOPA) developed a total of 11 regulatory products to operationalize DORA:
First Batch (finalized by the ESAs in January 2024; the three RTS were published in the Official Journal in June 2024, the ITS on the register of information followed later in 2024): 3 RTS + 1 ITS
- RTS on ICT risk management frameworks
- RTS on criteria for classifying ICT-related incidents
- RTS on policies regarding ICT services by third parties supporting critical functions
- ITS for establishing outsourcing register templates
Second Batch (July 2024): 4 RTS + 1 ITS + 2 Guidelines
Source: EBA - ESAs published second batch of policy products under DORA
DORA Timeline
| Date | Event |
|---|---|
| September 24, 2020 | European Commission published DORA proposal |
| December 27, 2022 | Published in Official Journal of the European Union |
| January 16, 2023 | DORA entered into force |
| January 17, 2024 | First batch of RTS/ITS finalized by ESAs |
| June 25, 2024 | First batch RTS published in Official Journal |
| July 17, 2024 | Second batch of RTS/ITS/Guidelines finalized by ESAs |
| January 17, 2025 | DORA became fully applicable (no phase-in period) |
| March 31, 2025 | Reference date for register of information |
| April 11, 2025 | BaFin (Germany) deadline for register of information submission |
| April 15, 2025 | ACPR (France) deadline for register of information submission |
| April 30, 2025 | ESAs deadline to collect registers from national authorities |
| July 8, 2025 | TLPT RTS became effective |
| November 18, 2025 | First list of 19 Critical ICT Third-Party Providers published |
| January 17, 2028 | Deadline for first round of mandatory TLPT for significant entities |
DORA's Five Pillars
DORA is structured around five pillars, each with specific requirements:
Pillar I: ICT Risk Management
Entities must establish comprehensive ICT risk management frameworks covering identification, protection, detection, response, and recovery. Only 25% of entities reported feeling compliant on this pillar (Deloitte 2025).
Pillar II: ICT-Related Incident Management and Reporting
Major ICT-related incidents must be notified to the competent authority within 4 hours of classification and no later than 24 hours after the entity became aware of them, followed by an intermediate report within 72 hours and a final report within 1 month. 48% of entities have protocols ready (Deloitte 2025).
Pillar III: Digital Operational Resilience Testing
Regular testing of ICT systems is required, with TLPT mandatory every 3 years for significant entities. Only 8% achieved full compliance (Deloitte 2025).
Pillar IV: ICT Third-Party Risk Management
Entities must maintain a register of all ICT third-party arrangements and assess concentration risk. Only 8% achieved full compliance (Deloitte 2025). 46% identify this as the most challenging requirement.
Pillar V: Information Sharing
Voluntary exchange of cyber threat intelligence between financial entities, with mandatory disclosure to regulators about participation in sharing arrangements.
Frequently Asked Questions
Q: How many financial entities are affected by DORA?
A: More than 22,000 financial entities and ICT service providers fall within DORA's scope across the EU. Article 2(1) lists 20 types of financial entity, from banks and insurers to crypto-asset service providers and crowdfunding platforms, plus their ICT third-party service providers as the 21st category.
Q: What are the maximum DORA fines?
A: DORA itself quantifies only the periodic penalty payment for Critical ICT Third-Party Providers: up to 1% of average daily worldwide turnover per day of non-compliance, for up to six months (Article 35). Fines for financial entities and individuals are set by each member state under Article 50, so the ceilings vary: Spain 5% of turnover, Sweden 10%, Czech Republic EUR 2 million, Italy EUR 20 million, with individual ceilings of EUR 5 million in Germany and EUR 100,000 in Finland (DLA Piper, October 2025).
Q: What percentage of financial institutions were DORA-compliant by January 2025?
A: Very few. A McKinsey survey found only one-third expressed confidence they could meet the deadline. A Luxembourg CSSF survey of ~500 entities found only 1 entity considered itself fully ready. A Deloitte survey across 28 countries found only 8% fully compliant on the testing and third-party risk pillars.
Q: How much does DORA compliance cost?
A: According to a Deloitte survey, 64% of financial entities plan to spend EUR 2-5 million on DORA compliance, with average staffing of 5-8 dedicated FTEs. One large financial group reported program spend approaching EUR 100 million. TLPT costs are estimated at 0.1%-0.3% of total ICT budget. McKinsey found that 70% of executives expect DORA to result in permanently higher technology costs.
Q: What are the DORA incident reporting deadlines?
A: The initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after the entity became aware of it; the intermediate report is due 72 hours after the initial notification is submitted; the final report is due 1 month after the intermediate report is submitted.
Q: Which ICT providers have been designated as Critical under DORA?
A: On November 18, 2025, the ESAs published the first list of 19 Critical ICT Third-Party Providers. The list includes AWS, Google Cloud, Microsoft, IBM, SAP, Oracle, Accenture, Bloomberg, and others. Each provider is overseen directly by a Lead Overseer (EBA, ESMA or EIOPA), with coordination across the ESAs through the Oversight Forum and the Joint Oversight Network.
All statistics on this page are sourced from official EU supervisory authorities, regulatory bodies, and verified industry reports. Primary sources include the European Supervisory Authorities (EBA, ESMA, EIOPA), ENISA, ECB Banking Supervision, the IMF Global Financial Stability Report, McKinsey, Deloitte, CSSF Luxembourg, IDC, DLA Piper, and the text of the DORA Regulation (Regulation (EU) 2022/2554). This page is updated regularly as new enforcement data becomes available.
Last updated: March 2026