Banking sector

DORA private banking: the real test arrives with the 2026 resilience tests

Applicable since January 2025, DORA triggers its hardest obligations in 2026: TLPT operational resilience tests and a register of critical providers.

Swoft team, sector monitoring unit
[Image: banking operations centre with a cyber-resilience dashboard]

Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), has applied since 17 January 2025. Its first year was devoted to the foundations: the ICT risk-management framework, the register of information on contractual arrangements with ICT third-party providers, and the incident-classification scheme. In 2026, DORA moves to its most demanding obligations, and that is where private banks and mid-sized credit institutions discover the gap between the theory and their operational capacity.

Threat-Led Penetration Testing (TLPT)

TLPTs are the heart of DORA's 2026 framework. They are penetration tests driven by threat intelligence, conducted by qualified testers (external, or internal under the conditions the regulation sets), under conditions that reproduce real attacks, with sector-specific scenarios (financial crime, ransomware, supply-chain attack); DORA requires them at least every three years for the entities in scope. Unlike classic technical audits, TLPTs are run without prior notification of the internal operational teams: only a small circle (the test coordinator, the CISO, executives) is informed.

The authorities (the ACPR for France) published the lists of institutions concerned in March 2026: every systemic bank, private banks above €30bn in assets, the main asset-management companies and the major payment players. For these entities, the first TLPT must be completed before the end of 2027, with a report submitted to the authority within 6 months of its conclusion.

The critical-providers register (CROEs)

Every bank under DORA must maintain a register of its ICT-service providers, each classified as supporting a critical function or not. For critical providers (cloud, datacentres, infrastructure services, certain SaaS vendors), the contract must contain the DORA-specific clauses: audit rights, on-site access rights, an exit plan, and cooperation obligations in the event of an incident. That is the minimum.

At European level, the three ESAs (ESMA, EBA and EIOPA) designate CTPPs (Critical Third-Party Providers) and appoint a Lead Overseer for each. The hyperscalers (AWS, Microsoft, Google) are almost certainly classified as CTPPs. For the banks that use them, this means these providers will themselves be overseen by the European authorities, but it does not exempt the user institution from its own due diligence or its own exit plan.

Three blind spots that trip up mid-sized banks

Incident traceability in subcontracting

When an incident occurs in a service run by a provider (for example, an outage of the credit-scoring engine hosted at a SaaS vendor), the bank must send its initial notification to the regulator within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it. But the bank depends on the provider for the information. DORA itself sets no figure for provider-to-bank notification; contracts renegotiated to meet the bank's own clock now commonly cap it at 30 minutes, whereas many earlier contracts allow 24 hours. Renegotiation is heavy.

Testing without internal notification

TLPTs require the red team to act like a real attacker, hence without notifying the blue teams (the SOC, operational IT security). This strains the teams involved: they may perceive the test as calling their work into question. Without preparation on the HR side and clear governance (who authorised the test, how the feedback is organised), a TLPT can be counterproductive.

The inventory of critical functions

DORA requires the bank to identify its "critical or important functions" (in the regulator's terms, functions whose interruption would threaten its financial viability, its stability, or the continuity of customer services). For many private banks this inventory remains partial: there is consensus on the obvious (payments, account management), but grey zones around support functions (document management, electronic signature, KYC). Without a complete inventory, TLPTs are poorly calibrated.

The 2027-2028 scenario

Three evolutions will frame what comes next. First, CTPP oversight by the ESAs: hyperscalers will be audited directly, and user banks will see their own requirements evolve based on findings. Second, DORA / NIS2 / IAR (incident reporting) convergence: a common framework is taking shape for incident notification, which will simplify multiple declarations but require an information system capable of producing structured data. Third, likely extension of the TLPT scope to mid-sized institutions — the first 2026-2027 TLPTs will show what works, and thresholds will probably come down.

For a private bank, the real 2026 topic isn't ticking the DORA boxes — it's transforming operational resilience into a discipline that runs through the IT system. TLPTs will reveal which teams really know how to react and which teams learn by reading playbooks during the incident.

Topics covered

  • DORA
  • TLPT
  • Operational resilience
  • ACPR
  • Private banking
Tech translation

How Swoft turns this challenge into software

Industrialising DORA means connecting the provider register, the incident register, the inventory of critical functions and TLPT steering in a single system. Here is how Swoft equips private banks and mid-sized credit institutions.

  1. ICT provider register with critical classification

    A living inventory of providers (cloud, SaaS, infrastructure), each with its associated contract, its certifications and attestations (ISO 27001, SOC 2) and NIS2 status, its critical / non-critical classification within the meaning of DORA, and a documented exit plan with the date of its last test. Contract renewals trigger a DORA compliance review of the clauses.

  2. Incident workflow with ACPR/ESA notification within 4 hours

    Incident detection (internal, or escalated by a provider) → automatic classification against the DORA thresholds (users affected, services affected, duration) → pre-filling of the ACPR form → CISO/CTO sign-off → notification within 4 hours. The 72-hour intermediate report and the 1-month final report are produced with a reconstructed timeline.

  3. TLPT steering and critical functions

    Inventory of critical functions with their dependencies (systems, teams, providers). When a TLPT is scheduled, the targeted functions are selected, the blue-team members are identified (without being notified), and the scope is documented for the authority. Post-test findings feed a remediation plan tracked at the risk committee.