compliance · 15 min read
DORA one year on: 19 CTPPs, first TLPT cycle and the end of the grace period
On 17 January 2026 DORA marks a year of applicability. The ESAs designate 19 critical ICT providers in November 2025, the first TLPT cycle lands in the 2026-2028 calendar, national authorities close the grace period and open active inspection. An operational rundown of what worked, what is missing, and what is required during 2026.
· Manuel López Pérez · compliance

17 January 2026 marks one year of applicability of Regulation (EU) 2022/2554 — DORA. The first year was what national authorities call an informal grace period: focus on documentation, framework review, gap identification. For 2026 the tone shifts. The ESAs published the first official list of Critical ICT Third-Party Providers (CTPPs) on 18 November 2025 with 19 designated providers, the first Threat-Led Penetration Testing cycle enters the operational calendar with a final deadline of 17 Jan 2028, and national regulators open active inspection with the expectation of first sanctions for reporting failures and for a deficient Register of Information during 2026.
A year ago, the post on DORA applicability closed with a “What remains open” section listing five pending points: CTPP list, final RTS on TLPT, NIS2 transposition in Spain, effective sanctioning regime, first inspection cycle. This post looks at those five points with a year of data and walks through the operational milestones that appeared during 2025.
Reading: official EBA / EIOPA / ESMA communications during 2025, Joint Committee press release of 18 Nov 2025 on CTPP designation, ECB MIP news of 11 Feb 2025 on TIBER-EU aligned with DORA, Joint ESAs Report of 4 Dec 2025 on auditors, and the Joint Committee Annual Report 2025 published on 24 Apr 2026 (which covers the period retrospectively).
State as of 17 January 2026 — what happened during the year
Operational summary, by pillar:
| Pillar | State at 17 Jan 2026 | Milestones during 2025 |
|---|---|---|
| ICT risk management framework (Arts. 5–16) | Documented in most systemic entities. Recurring gaps in board oversight and in independent control function. | RTS on simplified framework for micro-enterprises in application. |
| Incident management & reporting (Arts. 17–23) | Operational in large entities. First year of aggregate reporting by authorities; no major entity has publicly reported a DORA-classified major incident during 2025 that reached the specialist press. | RTS on classification and harmonised templates in use since Q2 2025. |
| Operational resilience testing (Arts. 24–27) | Annual general testing in plan. TLPT not executed in the first cycle — final deadline 17 Jan 2028. | Final RTS on TLPT published July 2025. TIBER-EU updated 11 Feb 2025 to align with DORA. |
| Third-party risk management (Arts. 28–30) | Register of Information submitted for the first time (Apr 2025). 18 Nov 2025: official list of 19 CTPPs. | CTPP designation closes the pillar’s main uncertainty. |
| Information sharing (Art. 45) | Voluntary. FS-ISAC EU active. No new trusted communities formally established. | No regulatory movement during 2025 — the pillar is enabling, not mandatory. |
The three pillars with real traction during 2025: incident reporting (because it has been practised on real cases), third-party (because the Register and the CTPP designation forced documented action), and resilience testing (because the final RTS on TLPT closed the framework uncertainty). Pillar 5 remains aspirational.
The Register of Information — first submission April 2025
The first submission of the Register of Information — the harmonised inventory of contractual arrangements with ICT providers that each financial entity must maintain under Art. 28.3 — ran between 1 and 15 April 2025 via the portals of the national authorities (eDesk in Luxembourg, in-house CSV forms at BdE / CNMV / DGSFP in Spain, the same model in each Member State). Reference date: 31 March 2025.
The format is flat CSV with the structure of the ITS on register of information published by the ESAs during 2024. Each entity reports contractual arrangements at entity, sub-consolidated and consolidated level, distinguishing those supporting critical or important functions.
The operational data point from the first year: the ESAs use aggregated Register data as the main input for CTPP designation. This closes the loop — the Register isn’t only a report to the authority, it’s the source that triggers CTPP designation. For 2026 the national authorities start automated cross-checks between the Registers of different entities to detect inconsistencies: if one entity reports a provider as supporting a critical function and another reports the same provider as non-critical, that raises a flag.
The second submission is in April 2026 with reference date 31 Mar 2026. The expected operational difference: national authorities measure improvement between the first and second submissions. An entity whose Register has not materially improved between April 2025 and April 2026 gets a supervision flag.
The official CTPP list — 18 November 2025
The most visible operational milestone of the year. The ESAs, acting as Joint Oversight Committee (JOC), publish on 18 November 2025 the first list of Critical ICT Third-Party Providers under the Art. 31 regime.
The 19 designated providers (alphabetical order):
| # | Provider | Operational category |
|---|---|---|
| 1 | Accenture | IT services / consulting |
| 2 | Amazon Web Services EMEA | Cloud IaaS/PaaS |
| 3 | Bloomberg | Market data |
| 4 | Capgemini | IT services |
| 5 | Colt Technology Services | Network / connectivity |
| 6 | Deutsche Telekom | Network / connectivity |
| 7 | Equinix (EMEA) | Data center / colocation |
| 8 | Fidelity National Information Services (FIS) | FinTech / core banking |
| 9 | Google Cloud EMEA | Cloud IaaS/PaaS |
| 10 | IBM | Cloud / IT services |
| 11 | InterXion HeadQuarters | Data center / colocation |
| 12 | Kyndryl | IT infrastructure services |
| 13 | LSEG Data and Risk | Market data / risk |
| 14 | Microsoft Ireland Operations | Cloud IaaS/PaaS/SaaS |
| 15 | NTT DATA | IT services |
| 16 | Oracle Nederland | Cloud / database |
| 17 | Orange | Network / connectivity |
| 18 | SAP | ERP / cloud SaaS |
| 19 | Tata Consultancy Services | IT services |
Operational reading of the list:
1. The hyperscalers are no surprise. AWS EMEA, Microsoft Ireland, Google Cloud EMEA and Oracle Nederland are on the list. The surprise would have been the opposite. What is notable is the European legal entity designated in each case — not Microsoft Corporation, but Microsoft Ireland Operations — because the designation runs against the entity responsible for the service in the EU.
2. IT services consultancies appear alongside infrastructure. Accenture, Capgemini, IBM, NTT DATA, Kyndryl, TCS. This is operational news: a consultancy with massive presence in European financial outsourcing is a CTPP under the Chapter V Section II regime. The binding recommendation the ESAs can issue is enforceable against the provider, not just its financial clients.
3. Connectivity and data centers enter as a category. Colt, Deutsche Telekom, Orange, Equinix, InterXion. The operational resilience of the financial sector depends on network connectivity and physical colocation; the regulator acknowledges this by designating the providers delivering that service.
4. SWIFT does not appear. SWIFT — the Belgium-based financial cooperative — has its own supervisory regime historically coordinated between the ECB and the National Bank of Belgium; the ESAs apparently consider that regime covers the oversight DORA would seek, and don’t add it to the CTPP list. A decision that will generate analysis during 2026 — if SWIFT isn’t a CTPP under DORA, what about other financial messaging providers with similar profile?
5. Salesforce, Worldline, Temenos, Finastra, Murex, Broadridge — absent in some initial secondary lists, present in others. Secondary data sources in the month after designation report lists with minor variations; the official list is the ESMA / EBA / EIOPA press release of 18 Nov 2025. The detail to verify against the official document is: who exactly is designated and under which legal entity.
Lead Overseer. Each CTPP gets an assigned Lead Overseer — one of the three ESAs as the principal authority for direct supervision, with the other two in a Joint Oversight Network. Hyperscalers and ICT infrastructure providers fall mostly under EBA given the weight of banking in their client base; providers with weight in market infrastructure (CSDs, trading systems) fall under ESMA; EIOPA takes fewer directly and participates more in joint supervision due to overlap. The exact per-provider assignment is in the document published by the JOC.
2026 calendar for CTPPs. The ESAs announce:
- Q1-Q2 2026: start of oversight engagement with each designated CTPP. Meetings, initial information gathering, assessment of the provider’s risk framework.
- During 2026: issuance of the first binding recommendations from the JOC to specific CTPPs. Recommendations cover areas such as the provider’s ICT risk management, governance, continuity, the CTPP’s own supply chain (fourth-party risk).
- 2027 reassessment: the ESAs will review the list using 2026 data and identify new candidates — some providers that fell just below the 2025 thresholds will enter if their exposure to the financial sector has grown.
For financial entities with contractual relations with any of the 19, there is an obligation to update the Register of Information marking the provider as designated, and to monitor whether binding recommendations issued during 2026 imply contractual or configuration changes.
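The two checks described above, the cross-entity consistency check on the Register of Information from the Register section and the identification of designated CTPPs among an entity’s providers, as an added illustration in Python. This is not code from the post nor tooling from any ESA or national authority: the column names are a simplified stand-in for the ITS layout, the two Register extracts and all LEIs are constructed, and the CTPP mapping covers only a few of the 19 names from the list above with placeholder identifiers, because the page does not carry the providers’ LEIs.

```python
"""Cross-check Register of Information extracts and flag CTPP exposure.

Added illustration only. Column names are assumed (not the ITS field names),
the extracts are constructed, and the LEIs are placeholders.
"""
import csv
import io
from collections import defaultdict

# Constructed extracts, one per reporting entity. Assumed columns:
# entity_lei, provider_lei, provider_name, ict_service,
# supports_cif ("yes" when the service supports a critical or important function).
ENTITY_A = """entity_lei,provider_lei,provider_name,ict_service,supports_cif
LEI-ENTITY-A,LEI-PROV-CLOUD,Microsoft Ireland Operations,cloud IaaS,yes
LEI-ENTITY-A,LEI-PROV-NET,Colt Technology Services,connectivity,yes
LEI-ENTITY-A,LEI-PROV-HR,ExampleHR SaaS,payroll SaaS,no
"""
ENTITY_B = """entity_lei,provider_lei,provider_name,ict_service,supports_cif
LEI-ENTITY-B,LEI-PROV-CLOUD,Microsoft Ireland Operations,cloud IaaS,no
LEI-ENTITY-B,LEI-PROV-CLOUD,Microsoft Ireland Operations,office SaaS,no
LEI-ENTITY-B,LEI-PROV-NET,Colt Technology Services,connectivity,yes
LEI-ENTITY-B,LEI-PROV-DATA,Bloomberg,market data,yes
"""

# Subset of the CTPPs designated on 18 Nov 2025 (names as on the page).
# The LEI keys are placeholders, not the providers' real identifiers.
CTPP_LEIS = {
    "LEI-PROV-CLOUD": "Microsoft Ireland Operations",
    "LEI-PROV-NET": "Colt Technology Services",
    "LEI-PROV-DATA": "Bloomberg",
}


def parse_register(text):
    """Parse one entity's flat-CSV extract; supports_cif becomes a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["supports_cif"] = row["supports_cif"].strip().lower() == "yes"
        rows.append(row)
    return rows


def cross_check(registers):
    """Find providers that one entity reports as supporting a CIF and another does not.

    A provider counts as critical for an entity if ANY of the services it
    delivers to that entity supports a critical or important function, so an
    entity with several rows for the same provider is not flagged against itself.
    Returns {provider_lei: {"critical": [entity_leis], "non_critical": [entity_leis]}}
    containing only providers with both lists non-empty.
    """
    per_pair = {}  # (entity_lei, provider_lei) -> bool
    for rows in registers:
        for row in rows:
            key = (row["entity_lei"], row["provider_lei"])
            per_pair[key] = per_pair.get(key, False) or row["supports_cif"]

    by_provider = defaultdict(lambda: {"critical": [], "non_critical": []})
    for (entity, provider), cif in sorted(per_pair.items()):
        by_provider[provider]["critical" if cif else "non_critical"].append(entity)

    return {p: v for p, v in by_provider.items() if v["critical"] and v["non_critical"]}


def ctpp_exposure(rows, ctpp_leis=CTPP_LEIS):
    """List the designated CTPPs present in one entity's register, sorted by LEI."""
    return sorted({row["provider_lei"] for row in rows if row["provider_lei"] in ctpp_leis})


if __name__ == "__main__":
    registers = [parse_register(ENTITY_A), parse_register(ENTITY_B)]
    for provider, sides in cross_check(registers).items():
        print(f"flag {provider}: critical at {sides['critical']}, "
              f"non-critical at {sides['non_critical']}")
    for rows in registers:
        entity = rows[0]["entity_lei"]
        print(f"{entity} CTPP exposure: {ctpp_exposure(rows)}")
```

A flag from `cross_check` is a supervision prompt, not proof of a wrong entry: the same provider can genuinely support a critical function at one entity and a commodity service at another, but the page notes that such divergences will generate requirements, so the entity should be able to justify its classification before the second submission. `ctpp_exposure` gives the list of providers whose Register rows need the designation marked and whose binding recommendations need monitoring during 2026.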
The first TLPT cycle — operational calendar landed
The most operationally ambitious piece of DORA is the Threat-Led Penetration Testing of Art. 26. Three data points close the calendar during 2025:
Final RTS on TLPT published: the Final Regulatory Technical Standard on TLPT, published in draft in July 2024, is published in final version in July 2025 after Commission approval and Official Journal publication. The RTS confirms the draft model: three-year cycle, intelligence-led, national Test Authority, accredited testers, and internal teams allowed for two out of every three cycles.
TIBER-EU updated: on 11 February 2025 the ECB publishes an updated version of the TIBER-EU framework to formally align with the RTS on TLPT. The operational consequence: a TIBER-EU test under the new framework version counts as the first TLPT under DORA, with the three-year clock starting from the test completion date. For entities already in TIBER-EU before DORA, this is good news — no duplication or reset.
Final deadline: Art. 26.3 of the RTS confirms that entities designated as subject to TLPT must have completed their first TLPT before 17 January 2028. That is, three years from DORA applicability. The first TLPT cycle operationally enters the calendar during 2026-2027, with most tests running in H2 2026 and through 2027.
Who is designated as subject to TLPT? The RTS defines thresholds by category of entity. In Spain, designation is made by each national competent authority — Bank of Spain, CNMV, DGSFP — for entities under their supervision. The first designations are communicated during 2025 via individual letter to each entity. The sector that will see most TLPT is systemic banking (Santander, BBVA, CaixaBank and a handful more in Spain; equivalents in each Member State), followed by market infrastructure (BME — Spanish stock exchange; Iberclear), large insurers (Mapfre, Mutua Madrileña) and large asset managers.
Operational items an internal red team needs ready for 2026:
- Inventory of critical production functions — not test — that will fall within TLPT scope. This comes out of the Pillar 1 BIA if done properly.
- List of accredited TI providers in your jurisdiction. Accreditation runs by national central bank. The list of accredited TI providers in Spain is maintained by the TIBER-ES team at the Bank of Spain.
- List of accredited Red Team providers if the entity opts for external testers (external testers are mandatory in one of every three cycles).
- Internal Test Manager framework — designated role in the entity coordinating the exercise with the Test Authority and the providers. Cannot be the CISO directly (separation of duties); typically a specific role under the CISO or under Internal Audit.
- Multi-year budget: a TLPT costs on the order of several hundred thousand euros (4-6 weeks of TI + 3-6 months of red team + reporting). The budget must be approved by the risk committee / board before starting.
Entities starting TLPT in H1 2026 with the Test Authority formally coordinating will be the ones setting operational tone for the rest of the sector. Lessons learned from those first exercises are published — in aggregate, without attribution to an entity — in the ESAs reports during 2027.
Incident reporting — first operational year
Pillar 2 has been in real operation throughout 2025. The DORA process requires initial notification within 4 hours of classification as major, an intermediate report within 72 hours, and a final report within 1 month. The harmonised templates come from the specific ITS published by the ESAs.
Aggregated public data as of 17 January 2026:
- No incidents publicly attributed to major DORA category have reached specialist press with regulatory confirmation during 2025. This doesn’t mean none happened — it means national authorities haven’t communicated individually, which is consistent with the confidentiality regime of Art. 21.
- EBA / EIOPA / ESMA report in aggregate that the volume of major incident notifications during 2025 is in line with what the regulation’s impact assessment projected. Exact numbers by jurisdiction and quarter appear in the Joint Committee Annual Report.
- Recurring operational problems identified by the authorities in the first year: difficulty classifying major vs significant within reasonable time (the RTS on classification provides criteria, but operation in the first hours tends to be fuzzy); harmonised templates with fields that don’t fit the internal inventory of some entities; coordination with NIS2 reporting when the incident crosses both obligations (DORA has 4h initial, NIS2 has early warning at 24h).
The first sanctions for reporting failures are announced by national authorities for 2026 according to the public supervisory communications. The sanctioning regime in Spain applies via Bank of Spain, CNMV and DGSFP depending on the sector, without DORA-specific fine brackets (not like GDPR or AI Act) — each authority’s own sanctioning regime applies with DORA as the material basis of the offence.
The Code of Practice for auditors — what the ESAs decided
Less visible but relevant: Art. 58.3 of DORA required the European Commission to review before 17 January 2026 whether external auditors and audit firms should be included in the DORA subject scope. The Joint ESAs Report of 4 December 2025 responds in the negative: the operational costs of applying DORA to auditors outweigh the benefits of including them as obligated entities, given that the current framework (Directive 2006/43/EC on statutory audits) already contains indirect references to operational resilience.
For 2026, external auditors remain outside the DORA subject scope. This closes an operational question pending since the regulation entered into force.
DORA ↔ NIS2 ↔ AI Act — operational coexistence during 2025
The first year has settled the coexistence between the three frameworks. What the original DORA post left open on NIS2 transposition in Spain closes during H2 2025 with publication of Organic Law X/2025 (BOE reference pending exact verification at drafting time) transposing Directive 2022/2555. Operations for a Spanish financial entity applying all three frameworks at once:
- DORA remains lex specialis for the financial sector’s ICT operations (Art. 1.2 DORA, Art. 4 NIS2). Where they overlap, DORA prevails.
- NIS2 transposed in Spain applies to the entity’s activities outside the DORA scope — typically, non-ICT critical infrastructure (if the entity operates physical security relevant for NIS2, for instance).
- The EU AI Act GPAI obligations, in application since 2 August 2025, apply to the financial entity when it deploys GPAI models in its processes: credit scoring, AI-based fraud detection, customer-facing chatbots. The Annex III high-risk regime applies from 2 August 2026 and explicitly includes creditworthiness assessment and risk assessment in life and health insurance.
For 2026, a systemic European financial entity is under all three simultaneously. The practical operation is unified mapping — one control implemented against DORA can satisfy NIS2 and AI Act requirements if documented properly — but governance across the three frameworks requires explicit coordination between CISO, DPO, Responsible AI Officer and Internal Audit.
On 19 November 2025 the European Commission proposes the Digital Omnibus on AI Regulation with AI Act simplifications and delay of certain Annex III obligations until 2 Dec 2027. The proposal enters negotiation during Q1 2026; the political agreement closes on 7 May 2026. The operational consequence for financial entities with high-risk Annex III systems planned for 2 Aug 2026 is that the calendar may slip to December 2027 in some cases — track the legislative development during Q1-Q2 2026.
What remains open as of 17 January 2026
Comparable to the “What remains open” section of last year’s post:
| Pending at 17 Jan 2025 | State at 17 Jan 2026 |
|---|---|
| Official CTPP list | Closed. 19 designated on 18 Nov 2025. |
| Final RTS on TLPT | Closed. Final version published July 2025. TIBER-EU updated February 2025. |
| NIS2 transposition in Spain | Closed. OL X/2025 (BOE reference pending verification) during H2 2025. |
| Effective sanctioning regime | Open. First sanction cycle expected during 2026. |
| First inspection cycle | Ongoing. Informal grace period closed. Active inspections during 2026. |
New open points for 2026:
- First cycle of binding recommendations from the JOC to CTPPs. Which areas will the first recommendations cover? Expected during H2 2026.
- First executed TLPT cycle. Entities starting in H1-H2 2026 set the operational pattern.
- Automated cross-check of the Register of Information. National authorities shift from manual review to automated verification during 2026; inconsistencies between Registers of different entities on the same provider will generate requirements on those entities.
- First review of the CTPP list. The ESAs will reassess during 2027 with 2026 data. Providers that fell below the threshold in 2025 may enter.
- Integration with the AI Act Digital Omnibus. If the European legislator simplifies the AI Act during 2026, financial entities using GPAI models will recalibrate the calendar.
What changes operationally for a CISO during 2026
Summary for someone with ICT security accountability at an EU financial entity:
- Second Register of Information submission — April 2026 deadline with reference date 31 Mar 2026. Verify improvements vs the 2025 submission; the authorities will compare.
- Identify CTPP designations among your providers. Any contractual relationship with any of the 19 designated CTPPs implies: Register update, monitoring of binding recommendations issued during 2026, review of contractual clauses with focus on areas the JOC will recommend.
- Formal TLPT plan if the entity has been designated as subject to TLPT. This includes: appointment of internal Test Manager, selection of accredited TI provider and Red Team provider, scope agreement with the Test Authority, multi-year budget approved.
- Closing reporting gaps. If the first Register submission had deficiencies, the second cannot repeat them. Same with incident notifications — any major incident has to meet the Annex III deadlines.
- Unified DORA / NIS2 / AI Act mapping. Governance scattered across the three frameworks is inefficient. A single control framework with explicit mapping to each framework avoids duplication and simplifies audit.
The first year closed most of the framework’s uncertainties. The second year brings real enforcement. Entities that arrived on 17 January 2025 with outstanding work but a credible plan have had 12 months; those that arrived without a credible plan enter 2026 at risk of sanction.
References
- Official OJEU text — Regulation (EU) 2022/2554: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- ESAs Joint Committee — CTPP designation press release (18 Nov 2025): https://www.esma.europa.eu/press-news/esma-news/european-supervisory-authorities-designate-critical-ict-third-party-providers
- EBA — Press release CTPP designation: https://www.eba.europa.eu/publications-and-media/press-releases/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital
- ECB MIP news — TIBER-EU update aligned with DORA (11 Feb 2025): https://www.ecb.europa.eu/press/intro/news/html/ecb.mipnews250211.en.html
- ESAs Joint Committee — DORA Oversight Guide (July 2025, JC 2025/29): https://www.esma.europa.eu/sites/default/files/2025-07/JC_2025_29__DORA_Guide_on_oversight_activities.pdf
- Joint ESAs Report — auditors and DORA (JC 2025/85, 4 Dec 2025): https://www.esma.europa.eu/sites/default/files/2025-12/JC-2025-85_Joint_ESAs_Report_in_response_to_the_European_Commission_consultation_pursuant_to_Article_58_3__of_Regulation__EU__20222554__DORA_.pdf
- ESAs guidelines on exchange of supervisory information under DORA: https://legal.pwc.de/en/news/articles/esas-publish-final-report-and-joint-guidelines-on-exchange-of-supervisory-information-in-the-context-of-dora
- TIBER-EU framework (ECB): https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html
- TIBER-ES (Bank of Spain): https://www.bde.es/wbe/es/areas-actuacion/estabilidad-financiera-y-politica-macroprudencial/ciberresiliencia/tiber-es.html
- Previous IRONHACKERS post: DORA applicable from 17 January
- Previous IRONHACKERS post: Bulletin — December 2025
- Related post: EU AI Act GPAI obligations — August 2025