DORA 2026: Requirements and Deadlines for Italian SMEs

What DORA means for your business in 2026

The Digital Operational Resilience Act, better known as DORA, has been fully applicable across the European Union since January 17, 2025. But if you run an ICT company that serves banks, insurers, or any financial institution, the real pressure is building now, in 2026.

Many small and medium businesses across Italy and Europe assumed DORA was a problem only for large financial institutions. That assumption is proving costly. Even if your company is never mentioned by name in the regulation, your clients in the financial sector are now legally required to pass DORA's requirements down to you through their contracts.

Who falls under DORA and why SMBs should pay attention

DORA (Regulation (EU) 2022/2554) directly targets financial entities: banks, insurance companies, investment firms, payment institutions, and crypto-asset service providers. But here is the part that catches most SMBs off guard: it also creates a framework of obligations for their ICT third-party service providers.

If your company provides cloud hosting, managed IT services, cybersecurity solutions, software development, or data processing to any financial entity operating in the EU, you are indirectly in scope. Your clients must now include specific DORA-aligned clauses in every ICT service contract, and refusing those terms effectively means losing the client.

According to estimates from the European Commission’s impact assessment, initial compliance investments for smaller ICT firms range between EUR 25,000 and EUR 100,000 or more, depending on the gaps to fill in security, audit capability, and reporting infrastructure.

The Italian landscape

Italy’s economy relies heavily on SMBs, and the ICT services sector is no exception. Industry associations like Assintel and Confindustria Digitale have raised concerns about the readiness of smaller providers. Reports from CLUSIT, the Italian Association for Information Security, confirmed that awareness of DORA’s indirect obligations remained low among Italian ICT SMBs through 2024 and into early 2025.

The situation is compounded by the fact that Italy has a dense network of small technology firms serving local banks, cooperative credit institutions, and insurance brokers, all of which now fall under DORA’s requirements.

Key 2026 deadlines and obligations you cannot ignore

While January 2025 marked the official application date, 2026 is when enforcement gains real teeth. Here are the milestones that matter most for ICT providers.

Register of information

Financial entities have had to maintain a register of information covering all their ICT third-party arrangements since January 17, 2025. National competent authorities collected the first registers in spring 2025 and forwarded them to the European Supervisory Authorities (ESAs); the collection repeats annually, so 2026 brings the first full update cycle. The ESAs use this data to identify Critical ICT Third-Party Providers, known as CTPPs.

For you as an ICT provider, this means your financial clients will request detailed documentation about every service you deliver, including data processing locations, subcontracting chains, and business continuity measures. If you cannot provide this information, your client risks non-compliance, and the simplest solution for them is to replace you.

Critical third-party provider designation

The ESAs (the European Banking Authority, EBA; the European Securities and Markets Authority, ESMA; and the European Insurance and Occupational Pensions Authority, EIOPA) publish the designations of CTPPs. Providers designated as critical face direct oversight, including on-site inspections and periodic penalty payments of up to 1% of average daily worldwide turnover per day, for up to six months.

While most SMBs will not be designated as CTPPs (the label targets major cloud providers and core banking platforms), the designation process relies on the registers your clients submit, making accurate reporting essential across the entire supply chain.

Threat-led penetration testing

DORA mandates threat-led penetration testing (TLPT) at least every three years for financial entities identified by their supervisors. The first wave of mandatory testing cycles is rolling through 2025 and 2026. If your systems are part of a client’s critical infrastructure, you may be required to participate in or facilitate these tests.

Practical steps to get your SMB compliant

Compliance does not have to be overwhelming, but it does require action. Here is a concrete roadmap for ICT providers serving the financial sector.

Review and renegotiate contracts

Expect your financial clients to present updated contracts with DORA-aligned clauses covering audit rights and access for regulators, incident notification obligations (often within hours of detection), exit strategies with defined transition periods, and subcontracting transparency requirements. Understand these clauses before you sign. They are not negotiable in substance: your client is legally required to include them.

Build an incident reporting capability

DORA requires financial entities to classify ICT incidents and report major ones to their competent authorities within fixed timelines, using the standardized templates defined in the technical standards adopted under the regulation. Your clients will expect you to notify them without undue delay when something goes wrong on your end, because their own reporting clock starts the moment they become aware of the incident. Establish clear internal procedures: who detects, who classifies, who escalates, how fast, and through which channel.
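The escalation clock is the part that most often goes wrong in practice: a provider that detects an incident early but classifies it late cannot use the classification time to buy itself more notification time, because the client's own deadline is capped from the moment of awareness. The following is an added example, not code from the original article or from any regulator: a small deadline tracker for the provider-side notification stages. The default timelines mirror the financial-entity stages in DORA's incident-reporting technical standards (initial notification within 4 hours of classification and no later than 24 hours from awareness, intermediate report within 72 hours of the initial, final report within one month of the intermediate); the provider-side clauses a client actually passes down are usually tighter, so treat the concrete numbers as assumptions to be replaced with your contract's values. The incident identifiers and timestamps are constructed for the example.

```python
"""Contractual incident-notification deadline tracker for an ICT provider.

Added example (not part of the original article). Timelines are parameters;
the defaults are assumed values modelled on the DORA incident-reporting stages.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STAGES = ("initial", "intermediate", "final")


@dataclass(frozen=True)
class NotificationTerms:
    """Notification timelines taken from the client contract (assumed defaults)."""
    initial_after_classification: timedelta = timedelta(hours=4)
    initial_after_awareness: timedelta = timedelta(hours=24)   # hard cap from detection
    intermediate_after_initial: timedelta = timedelta(hours=72)
    final_after_intermediate: timedelta = timedelta(days=30)   # "one month", approximated


@dataclass
class Incident:
    ref: str
    detected_at: datetime        # when the provider became aware of the incident
    classified_at: datetime      # when it was classified as notifiable / major
    submitted: dict = field(default_factory=dict)   # stage -> actual submission time


def _utc(dt: datetime) -> datetime:
    """Reject naive timestamps: deadline arithmetic across teams must be tz-aware."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


def deadlines(inc: Incident, terms: NotificationTerms = NotificationTerms()) -> dict:
    """Return the due time of each stage.

    The initial notice is due at the EARLIER of (classification + X) and
    (awareness + Y): a late classification never extends the deadline.
    Later stages are anchored on the actual submission of the previous stage
    when it exists, otherwise on that stage's deadline (worst case).
    """
    detected, classified = _utc(inc.detected_at), _utc(inc.classified_at)
    initial_due = min(classified + terms.initial_after_classification,
                      detected + terms.initial_after_awareness)
    initial_anchor = inc.submitted.get("initial", initial_due)
    intermediate_due = _utc(initial_anchor) + terms.intermediate_after_initial
    intermediate_anchor = inc.submitted.get("intermediate", intermediate_due)
    final_due = _utc(intermediate_anchor) + terms.final_after_intermediate
    return {"initial": initial_due, "intermediate": intermediate_due, "final": final_due}


def overdue(inc: Incident, now: datetime, terms: NotificationTerms = NotificationTerms()) -> list:
    """Stages that have not been submitted and whose deadline has passed at `now`."""
    now = _utc(now)
    return [stage for stage, due in deadlines(inc, terms).items()
            if stage not in inc.submitted and now > due]


def status(inc: Incident, now: datetime, terms: NotificationTerms = NotificationTerms()) -> dict:
    """Per-stage view an on-call escalation lead can act on."""
    now = _utc(now)
    report = {}
    for stage, due in deadlines(inc, terms).items():
        sent = inc.submitted.get(stage)
        report[stage] = {
            "due": due,
            "submitted": sent,
            "overdue": sent is None and now > due,
            "hours_left": None if sent else round((due - now).total_seconds() / 3600, 1),
        }
    return report


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: detected at 08:00, classified as major six hours later.
    inc = Incident("INC-2026-001",
                   detected_at=datetime(2026, 3, 2, 8, tzinfo=utc),
                   classified_at=datetime(2026, 3, 2, 14, tzinfo=utc))
    for stage, row in status(inc, datetime(2026, 3, 2, 16, tzinfo=utc)).items():
        print(f"{inc.ref} {stage:12s} due {row['due'].isoformat()} "
              f"overdue={row['overdue']} hours_left={row['hours_left']}")
```

The point worth checking against your own contract is the `min()` in `deadlines`: if the clause says "within 4 hours of classification" without an awareness cap, the 24-hour term is simply irrelevant, but if it carries both (as DORA's own stages do), detection time is what the client will measure you against, so logging the moment of detection accurately matters more than the moment of classification.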

Document everything

Prepare comprehensive documentation of your services, including where data is stored and processed, which subcontractors you use, your business continuity and disaster recovery plans, and your security controls and testing procedures. This documentation feeds directly into your clients’ registers of information. Having it ready and current saves time and builds trust.

Invest in security governance

If you have not already, implement a formal ICT risk management framework proportionate to your size. Industry surveys from 2024 indicated that only 20 to 30 percent of EU financial entities themselves were fully prepared by the January 2025 deadline. The providers further down the chain were even less ready. Closing this gap is both a compliance necessity and a competitive advantage.

What happens if you do not comply

DORA leaves penalty setting to individual EU member states, but the consequences are clear. Financial entities face administrative fines, public statements identifying violations, and potential bans on management body members. For ICT providers, the enforcement is indirect but equally powerful: if you cannot meet DORA requirements, your financial clients may be forced to terminate your contract.

In Italy, supervisory bodies including Banca d'Italia, IVASS, and CONSOB are aligning their frameworks with DORA. The regulatory direction is unmistakable: operational resilience in the financial supply chain is no longer optional.

Looking ahead

DORA represents a fundamental shift in how the EU regulates technology risk in finance. For the first time, non-financial entities (technology companies) fall under the direct or indirect scrutiny of financial regulators. For Italian and European SMBs in the ICT sector, 2026 is not the deadline. It is the year enforcement becomes real, oversight activities scale up, and clients start making hard decisions about which providers can keep up.

The companies that act now, documenting their services, strengthening their security posture, and preparing for the contractual demands ahead, will not just survive DORA. They will turn compliance into a market differentiator that sets them apart from competitors still hoping the regulation does not apply to them.
