DORA operational resilience: incident reporting, threat-led testing and what auditors check

Master DORA incident reporting deadlines, threat-led testing and the evidence NBB and FSMA auditors check. Practical guide for Belgian financial entities.

TL;DR. DORA’s operational pillars demand demonstrable incident discipline, not policy documents. Financial entities classify ICT incidents against thresholds in Delegated Regulation 2024/1772, file an initial notification within 4 hours of major classification (24-hour backstop), an intermediate report within 72 hours, and a final report at one month. Designated entities run threat-led penetration tests every three years under TIBER-EU. The NBB and FSMA audit the evidence chain itself.

Your DORA register of information is built and submitted. The next question your auditor will ask is harder: can you prove the operational discipline behind it? The Belgian National Bank, the FSMA in Brussels, BaFin in Bonn and DNB in Amsterdam have all shifted in 2026 from cooperative gap-remediation to evidence-driven enforcement. They want timestamps, classification rationales, log trails and board minutes, not policy PDFs. The wealth manager case where Jimber helped cut security costs by 58% is a useful proof point here: the same architecture that simplified the register also produced the audit-ready logs the FSMA now expects.

What DORA operational resilience actually requires in 2026

DORA Article 6 frames operational resilience as the ability to build, assure and review the integrity and reliability of every ICT system that supports a critical or important function. Articles 17 to 27 then carve that requirement into five operational pillars: ICT risk management, major incident classification and reporting, digital operational resilience testing, ICT third-party risk, and information sharing. The two pillars that drive most 2026 audit findings are incident management and advanced testing.

ICT risk management under Articles 5 to 16 sets the governance baseline. The management body owns it, signs it, and is personally accountable for shortcomings. Incident management under Articles 17 and 18 demands an active incident register, defined internal thresholds and continuous classification. Reporting under Articles 19 to 23 enforces the 4-hour, 72-hour and one-month chain to the competent authority. Testing under Articles 24 to 27 requires an annual proportionate testing programme covering every system that supports a critical or important function. Third-party risk, covered in the DORA register of information, ties the supply chain into the same control framework.

How DORA classifies ICT incidents

Article 18 obliges every financial entity to classify each ICT-related incident. Commission Delegated Regulation (EU) 2024/1772 sets the criteria. Three categories matter. An ICT-related incident is any anomaly in network and information systems. A significant cyber threat is a voluntarily notifiable risk signal. A major ICT-related incident is the regulated reporting trigger, defined by Article 6 of the Delegated Regulation as an event affecting critical or important functions, disrupting authorised services, or constituting successful unauthorised access.

To reach major status, the basic condition must be met and the incident must trigger either the Article 9(5)(b) data loss threshold or at least two other quantitative thresholds. The thresholds are deliberately granular.

| Classification dimension | Article in Delegated Regulation 2024/1772 | Trigger threshold (illustrative) | Reporting consequence |
|---|---|---|---|
| Clients, counterparts and transactions | Article 9(1) | Above 10% of clients affected and more than 100,000 clients, or above 30% of financial counterparts, or above 10% of daily transaction volume or value | Reportable to NBB / FSMA / BaFin / DNB |
| Reputational impact | Article 9(2) | Repeated client complaints on critical business lines or any level of national or international media coverage | Reportable |
| Duration and downtime | Article 9(3) | Absolute incident duration above 24 hours, or service downtime above 2 hours for systems supporting a critical or important function | Reportable |
| Geographical spread | Article 9(4) | Impact extending across two or more EU Member States | Reportable |
| Data losses | Article 9(5) | Any compromise of availability, authenticity, integrity or confidentiality that affects business objectives or regulatory compliance | Reportable (single threshold sufficient if successful unauthorised access) |
| Economic impact | Article 9(6) | Direct and indirect costs and losses above 100,000 EUR | Reportable |

Article 8 of the same regulation forces aggregation. Recurring incidents that share a root cause and occur at least twice within a six-month window must be combined and reclassified as a single major incident if their collective impact crosses the thresholds. This is where BaFin’s late 2025 spot-check audits, extending into 2026, have found the most gaps. Mid-market institutions track tickets in isolation and miss the pattern.
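A worked classifier for the rules above, added here as an example (it is not Jimber's code or a regulatory tool): it applies the illustrative Article 9 thresholds from the table, the major-incident test (basic condition plus either the data-loss threshold or two other thresholds), and the Article 8 aggregation of recurring incidents that share a root cause. The field names, the 183-day approximation of six months and the way aggregated impacts are summed are assumptions of this example.

```python
from dataclasses import dataclass, fields
from datetime import datetime, timedelta

# Illustrative thresholds as summarised in the table above (Delegated Regulation 2024/1772,
# Article 9); check each figure against the regulation text before relying on it.
CLIENT_SHARE, CLIENT_COUNT, COUNTERPART_SHARE, TX_SHARE = 0.10, 100_000, 0.30, 0.10
DURATION_H, DOWNTIME_H, ECONOMIC_EUR = 24, 2, 100_000
SIX_MONTHS = timedelta(days=183)  # assumption: the Article 8 window approximated in days

@dataclass
class Incident:
    root_cause: str
    detected: datetime
    basic_condition: bool = False  # Article 6: CIF affected, service disrupted or access gained
    client_share: float = 0.0
    clients: int = 0
    counterpart_share: float = 0.0
    tx_share: float = 0.0          # share of daily transaction volume or value
    reputational: bool = False     # repeated complaints on critical lines or media coverage
    duration_h: float = 0.0
    downtime_h: float = 0.0        # on systems supporting a critical or important function
    member_states: int = 1
    data_loss: bool = False        # 9(5): availability/authenticity/integrity/confidentiality
    cost_eur: float = 0.0

def criteria(inc: Incident) -> dict:
    """Which Article 9 thresholds the incident crosses, keyed by paragraph."""
    return {"9(1)": (inc.client_share > CLIENT_SHARE and inc.clients > CLIENT_COUNT)
                    or inc.counterpart_share > COUNTERPART_SHARE or inc.tx_share > TX_SHARE,
            "9(2)": inc.reputational,
            "9(3)": inc.duration_h > DURATION_H or inc.downtime_h > DOWNTIME_H,
            "9(4)": inc.member_states >= 2,
            "9(5)": inc.data_loss,
            "9(6)": inc.cost_eur > ECONOMIC_EUR}

def is_major(inc: Incident) -> bool:
    """Major = basic condition AND (data-loss threshold OR at least two other thresholds)."""
    met = criteria(inc)
    return inc.basic_condition and (met["9(5)"] or sum(met[k] for k in ("9(1)", "9(2)", "9(3)", "9(4)", "9(6)")) >= 2)

def aggregate(incidents: list) -> "Incident | None":
    """Article 8: merge incidents sharing a root cause that recur within six months.
    Assumption: numeric impacts add up, flags OR together, member states take the maximum."""
    incidents = sorted(incidents, key=lambda i: i.detected)
    if (len(incidents) < 2 or len({i.root_cause for i in incidents}) != 1
            or incidents[-1].detected - incidents[0].detected > SIX_MONTHS):
        return None
    merged = Incident(incidents[0].root_cause, incidents[0].detected)
    for f in fields(Incident)[2:]:
        values = [getattr(i, f.name) for i in incidents]
        setattr(merged, f.name, any(values) if f.type is bool
                else max(values) if f.name == "member_states" else sum(values))
    return merged

def sample_ticket_pattern() -> list:
    """Constructed example: three DNS outages logged as separate tickets, none major alone."""
    return [Incident("dns-resolver", datetime(2026, 2, 3), True, downtime_h=1.0, cost_eur=40_000),
            Incident("dns-resolver", datetime(2026, 4, 9), True, downtime_h=0.5, cost_eur=30_000),
            Incident("dns-resolver", datetime(2026, 6, 1), True, downtime_h=1.0, cost_eur=45_000)]
```

Run against the constructed tickets, no single outage is reportable, but the merged incident crosses both the downtime and economic thresholds and must be reclassified as major.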

The reporting deadlines that auditors check first

Commission Delegated Regulation (EU) 2025/301 governs the chain. Initial notification within 4 hours of formal major classification, with a 24-hour backstop from initial awareness. Intermediate report within 72 hours of the initial notification, updated without undue delay when regular operations are restored. Final report within one month of the intermediate report. Commission Implementing Regulation (EU) 2025/302 supplies the Annex II templates. For entities not designated as significant or systemic, any deadline that falls on a weekend or public holiday automatically defers to noon on the next working day.

The clock starts on awareness, not on forensic certainty. The Dutch Authority for the Financial Markets warned the market on 7 May 2026 about exactly this misreading. Treating the 4-hour clock as starting after internal investigation completes is a sanctionable violation of Article 19. The same warning called out the gap between the volume of major incident reports the AFM received in 2025 and the visible increase in mainstream-media cyber-incident coverage. Under-reporting is now an enforcement priority.
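The deadline chain above as a small calculator, added here as an example and not part of the original article or the Jimber platform: it takes the awareness and classification timestamps, applies the 24-hour backstop, chains the 72-hour and one-month deadlines, and defers weekend or public-holiday deadlines to noon on the next working day for entities not designated as significant. The holiday set, the day-clamped month arithmetic and the function names are assumptions of this example.

```python
from datetime import date, datetime, time, timedelta

# Sample holiday calendar for 2026 (Ascension, Whit Monday, National Day), constructed for this
# example; replace it with the full official calendar for the reporting year.
PUBLIC_HOLIDAYS = {date(2026, 5, 14), date(2026, 5, 25), date(2026, 7, 21)}

def next_working_noon(deadline: datetime) -> datetime:
    """Weekend or public-holiday deadline -> 12:00 on the next working day, else unchanged."""
    d = deadline.date()
    if d.weekday() < 5 and d not in PUBLIC_HOLIDAYS:
        return deadline
    while d.weekday() >= 5 or d in PUBLIC_HOLIDAYS:
        d += timedelta(days=1)
    return datetime.combine(d, time(12, 0))

def add_one_month(moment: datetime) -> datetime:
    """Same day next month, clamped to month end (assumption on how 'one month' is counted)."""
    carry, month = divmod(moment.month, 12)          # December rolls into the next year
    year, month = moment.year + carry, month + 1
    month_end = (datetime(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return moment.replace(year=year, month=month, day=min(moment.day, month_end))

def reporting_deadlines(aware: datetime, classified: datetime, significant: bool = False,
                        initial_sent: datetime = None, intermediate_sent: datetime = None) -> dict:
    """RTS 2025/301 chain as described above: initial within 4h of major classification but
    no later than 24h after awareness; intermediate 72h after the initial notification;
    final one month after the intermediate report. Deferral applies to non-significant only.
    Later deadlines count from the actual submission time when one is given."""
    defer = next_working_noon if not significant else (lambda t: t)
    initial = defer(min(classified + timedelta(hours=4), aware + timedelta(hours=24)))
    intermediate = defer((initial_sent or initial) + timedelta(hours=72))
    final = defer(add_one_month(intermediate_sent or intermediate))
    return {"initial": initial, "intermediate": intermediate, "final": final}

def sample_chain(significant: bool = False) -> dict:
    """Constructed case: aware late Friday 15 May 2026, classified major early Saturday."""
    chain = reporting_deadlines(datetime(2026, 5, 15, 22, 0), datetime(2026, 5, 16, 3, 0), significant)
    return {k: v.isoformat() for k, v in chain.items()}

def sample_backstop() -> str:
    """Constructed case: classified 22h after awareness, so the 24h backstop beats classification + 4h."""
    chain = reporting_deadlines(datetime(2026, 5, 4, 8, 0), datetime(2026, 5, 5, 6, 0))
    return chain["initial"].isoformat()
```

For a non-significant entity the Saturday 07:00 initial deadline moves to Monday noon and the one-month final deadline lands on a Sunday and moves again; a significant entity keeps the raw clock and must file on the weekend.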

The initial notification under the RTS 2025/301 Annex II template captures basic facts, services affected, contact details and a preliminary classification rationale. The intermediate report adds threat vectors, preliminary root cause and updated impact. The final report covers full root cause, direct and indirect costs and a lessons-learned commentary that auditors will reread when the next incident hits. The NIS2 incident reporting workflow is structurally similar but reports to a different supervisor, which matters in Belgium because DORA-regulated entities never file to the CCB.

Threat-led penetration testing (TLPT) under DORA

Articles 26 and 27 introduce mandatory threat-led penetration testing for designated entities. Commission Delegated Regulation (EU) 2025/1190 specifies who. G-SIBs and O-SIIs among credit institutions. Central securities depositories, central counterparties and trading venues with the highest national market share or above 5% of EU trading volume. Systemic insurers and reinsurers with gross written premiums above 1.5 billion EUR or technical provisions above 10 billion EUR. Designated entities run a TLPT at least every three years, on live production systems, with an active red-team phase lasting at least 12 weeks.

The methodology rides on the ECB’s TIBER-EU framework, which the ECB updated in November 2025 with an SSM Implementation Guide showing how TIBER-EU maps to DORA Article 26. Intelligence-led scoping covers critical or important functions, an external threat intelligence provider delivers a targeted threat intelligence report mapping real APT actors and TTPs, and a certified red-team provider then runs the engagement. A purple-team replay phase is mandatory after the red-team phase, where the red team walks the blue team through the attack paths so log gaps, detection failures and response weaknesses become visible.

The full cost cycle for one TLPT, threat intelligence plus red-team plus internal white team plus infrastructure plus optional external coordination, sits between 140,000 EUR and 560,000 EUR before remediation. Mid-market entities below the designation thresholds are not exempt from advanced testing: they run a proportionate programme under Article 25 covering vulnerability scans, scenario-based recovery tests and configuration reviews. Article 26 obligations apply only to designated systemic entities. Pooled testing under Article 26(8) lets smaller institutions share testers and infrastructure across a banking group or trade body to keep costs manageable.

What evidence Belgian auditors expect (NBB and FSMA perspective)

The NBB and FSMA divide Belgian supervision under the country’s twin-peaks model. The NBB oversees banks, payment institutions, insurers and central securities depositories. The FSMA oversees investment firms, markets, financial intermediaries and conduct of business. NBB Circular NBB_2026_04 of 2 April 2026 sets the OneGate platform procedure for major incident reporting under DORA, and Circular NBB_2026_05 of the same date governs register of information submissions. The CCB does not receive financial-sector incident reports: the Belgian transposition of NIS2 explicitly excludes banking and financial markets, treating DORA as lex specialis.

Auditors will ask for six evidence categories. First, audit-trail immutability: tamper-resistant centralised logs from Zero Trust Network Access, firewall, SWG and endpoint sources that reconstruct the incident from initial access to containment. Second, system mappings linking critical or important functions to the underlying SaaS applications, network segments and physical infrastructure. Third, testing evidence, including vulnerability scans, configuration reviews, scenario-based recovery exercises and remediation tracking that proves weaknesses were resolved and retested. Fourth, governance integration through board minutes that show formal review and approval of the ICT risk framework, with a defined risk-appetite statement. Fifth, playbook mock-runs from quarterly tabletop exercises. Sixth, device posture as evidence under the third-party and asset pillars, signalling that only compliant endpoints reach critical applications.

The DORA-NIS2 overlap in Belgium is governed by the lex specialis principle. DORA wins for the regulated entity, but a managed service provider supporting both a financial firm and a critical-infrastructure operator may carry both obligations. NIS2 audit obligations under the CCB framework and DORA reporting under the NBB OneGate platform produce overlapping evidence streams that a unified logging architecture can satisfy from one audit trail.

Where SASE platforms support operational resilience

A SASE platform does not make a financial entity DORA compliant. The board, the policies, the testing programme and the third-party register do. What the platform can do is collapse the evidence chain that auditors now want to see. Platforms like Jimber centralise logging across ZTNA, SWG, FWaaS and SD-WAN into a single audit trail. That single trail matters because Article 17 requires demonstrable detection capability, Article 18 requires defensible classification rationale and Articles 19 to 23 require reportable timestamps that survive scrutiny. For sector-specific context, our guide on SASE for financial services under DORA covers the broader vertical view.

The Jimber SASE platform handles continuous logging in a way that maps to specific DORA articles. Per-application ZTNA enforcement satisfies Article 9 access-control requirements and produces the per-identity event stream that incident reconstruction needs. FWaaS supplies the network-segmentation evidence Article 9 also expects. SD-WAN telemetry feeds resilient connectivity reporting under Article 24. NIAC hardware closes the agentless device gap: printers, IoT sensors, VoIP phones and industrial controllers that cannot run a software agent and that show up as missing entries in BaFin and FSMA spot-check findings. EU jurisdiction matters here. The CLOUD Act does not reach data processed and stored by a Belgian-headquartered provider, which removes a recurring concentration-risk question under Articles 28 to 44. The platform supports operational resilience evidence; it does not replace governance.

How operational resilience requirements will tighten through 2026 and 2027

Three forces are increasing the ceiling. The European Supervisory Authorities published the first list of 19 designated Critical ICT Third-Party Service Providers on 18 November 2025, including the dominant hyperscalers, with periodic penalty payments of up to 1% of average daily worldwide turnover for non-cooperation with direct oversight. Concentration-risk questions will work their way down into mid-market third-party assessments through 2026. National Competent Authorities are also signalling a maturity expectation. The 2025 SREP cycle showed ICT and operational risk scoring among the worst across the SSM, leading to capital add-ons for banks with thin operational resilience evidence.

Pending Level 2 RTS work is closing the last gaps. The European Banking Authority registered more than 1,200 major ICT incident reports in the first four months of 2025 alone, which is forcing modernisation of the validation pipelines at every NCA and a tighter feedback loop on classification quality. ECB Banking Supervision data for full-year 2025 attributed 38% of major incidents at directly supervised banks to IT change management failures, not external attacks. Auditors are now writing change-management evidence into their 2026 inspection scopes alongside the incident chain.

Frequently asked questions

What is the difference between an ICT incident and a major ICT incident under DORA?

An ICT incident is any anomaly affecting network and information systems. A major ICT incident is one that meets the Article 6 basic condition (impact on critical or important functions, service disruption, or successful unauthorised access) and triggers either the Article 9(5)(b) data loss threshold or at least two other quantitative thresholds set by Commission Delegated Regulation (EU) 2024/1772.

How often must financial entities perform threat-led penetration testing under DORA?

Designated entities run a TLPT at least every three years. Designation criteria sit in Commission Delegated Regulation (EU) 2025/1190 and cover G-SIBs, O-SIIs, major trading venues, central securities depositories, central counterparties and systemic insurers. Non-designated entities run proportionate testing under Article 25 instead, on an annual basis covering critical or important functions.

Who is the competent authority for DORA in Belgium?

The National Bank of Belgium supervises credit institutions, payment institutions, insurers and central securities depositories. The FSMA supervises investment firms, markets, financial intermediaries and conduct of business. Both file through the NBB OneGate platform for major incident reporting under Circular NBB_2026_04 of 2 April 2026.

What is the deadline for the initial incident notification under DORA?

Within 4 hours of formal classification of an incident as major, with a maximum backstop of 24 hours from initial awareness. The intermediate report follows within 72 hours of the initial notification. The final report follows within one month of the intermediate report. Commission Delegated Regulation (EU) 2025/301 governs the chain.

Does DORA replace NIS2 for financial entities?

For Belgian financial entities, yes. The Belgian transposition of NIS2 explicitly excludes banking and financial markets, treating DORA as lex specialis. Financial entities file to the NBB OneGate platform, not to the CCB. ICT service providers serving both financial and non-financial regulated entities may carry both obligations.

What evidence do NBB auditors check for DORA operational resilience?

Six categories. Tamper-resistant centralised logs reconstructing the incident timeline. System mappings of critical or important functions to underlying assets. Testing evidence with documented remediation. Board minutes showing approval of the ICT risk framework. Quarterly tabletop exercise records. Device posture and access logs proving control effectiveness across managed and agentless endpoints.

How does a SASE platform support DORA incident reporting requirements?

A SASE platform with a single audit trail compresses the evidence chain. ZTNA logs supply per-identity access events. FWaaS logs supply segmentation evidence. SD-WAN telemetry feeds connectivity resilience reporting. NIAC closes the agentless device gap that appears repeatedly in BaFin spot-check findings. Unified logging shortens classification time and produces the timestamped sequence that NCAs ask for during the intermediate and final reports.


For Belgian financial entities now living under DORA enforcement, the question shifts from “do we have a policy” to “can we show the evidence”. A SASE platform with centralised logging, transparent incident timelines, EU data residency and a single audit trail turns that question into a sentence-level audit answer rather than a fortnight of forensic reconstruction. Book a 30-minute walkthrough to see how Jimber maps to your DORA evidence requirements.
