Description

Financial entities must review and update their ICT risk management frameworks at least annually. The 2026 mid-year review cycle is a critical checkpoint for demonstrating ongoing compliance. Entities must maintain and update ICT risk policies, business continuity plans, ICT incident management procedures, and digital operational resilience testing programs.

Requirements

Review and update ICT risk management policies
Update business continuity plans for ICT
Review ICT incident management procedures
Update digital operational resilience testing program
Document annual ICT risk framework review

Applicable To

EU BanksInsurance CompaniesInvestment FirmsPayment InstitutionsCrypto-Asset Service Providers

Penalty Information

⚠Fines up to 10% of annual turnover or EUR 10 million.

124

days remaining

June 30, 2026

Share:X in @

Framework

DORA

Digital Operational Resilience Act

Related DORA Deadlines

DORA European Commission Supervisory Review
January 17, 2026
DORA Register of Information Annual Submission
March 31, 2026

DORA ICT Risk Management Framework Review