What to Expect: January 2026 DORA Review and Supervision

How to prepare for a DORA audit
The Digital Operational Resilience Act (DORA) is reshaping how financial services firms across the EU manage operational and cyber risk. Enforcement officially began on 17 January 2025, and now the focus is shifting to the supervisory review scheduled for January 2026. This imminent oversight will be guided by the European Commission’s Article 58 review and may have significant implications, particularly regarding audit relationships and digital resilience practices.

The Digital Operational Resilience Act – The Article 58 Review: Key Purpose

By 17 January 2026, the European Commission is expected to submit a report following consultations with the European Supervisory Authorities (ESAs) and the Committee of European Auditing Oversight Bodies. The report will assess whether statutory auditors and audit firms should be brought under DORA or be subject to enhanced digital resilience requirements. While the final scope is not yet confirmed, this review signals a potential broadening of DORA’s supervisory reach, highlighting the importance of audit-related controls.

Possible Expansion of Audit Focus

Currently, DORA primarily targets entities managing critical ICT systems and digital operations. The Article 58 review may recommend extending oversight to statutory auditors and audit firms. If adopted, organizations will need to demonstrate the resilience and security measures their auditors maintain. Financial institutions should therefore map their audit partnerships now and evaluate the digital resilience practices within those relationships; this is a priority that can no longer wait until 2026.

What Supervisory Checks Will Likely Cover

Competent authorities, such as BaFin in Germany or the CBI in Ireland, are expected to carry out audits and supervisory reviews in early 2026. While exact protocols are not yet published, scrutiny is expected to focus on:

  • ICT Risk Management: Systems and processes resilient against operational failures and cyber threats.
  • Incident Reporting and Classification: Accurate, timely logs of operational and security incidents.
  • Threat-Led Penetration Testing (TLPT): Evidence of regular, structured testing aligned with DORA’s regulatory technical standards (RTS).
  • Third-Party Risk Registers: Complete and up-to-date records of external vendor risks.
  • Ongoing Digital Resilience Testing: Demonstration of continuous monitoring and mitigation of vulnerabilities.

Immediate Steps for December 2025

With the review only a few weeks away, organizations should treat this as a final readiness sprint. Key actions include:

  1. Auditor Resilience Mapping: Document all auditor and audit firm relationships, assessing digital resilience measures and contractual obligations.
  2. Robust Audit Trails: Ensure penetration tests, incident reports, and remediation activities are logged, structured, and easily retrievable.
  3. Third-Party Registers: Confirm contracts and vendor risk data are complete and up to date, in line with Article 28 requirements.
  4. TLPT Readiness: Organize evidence of threat-led penetration tests to demonstrate compliance with timelines and RTS expectations.
  5. Governance and Oversight: Document board-level oversight, escalation paths, and accountability to show clear governance.

What We Don’t Know Yet — And How to Handle It

Some uncertainties remain:

  • Scope of audit oversight: Whether auditors and audit firms will formally fall under DORA and the exact resilience expectations.
  • Finalisation of technical standards: Certain RTS requirements for TLPT, third-party risk registers, and ICT resilience are still in consultation.
  • Supervisory methodology: Competent authorities have not published exact processes, audit frequency, or preferred documentation formats.

How to prepare:

  • Adopt a “no regrets” approach: Treat all areas likely to be reviewed as already in scope.
  • Track regulatory updates: Maintain a central log of all draft guidance, RTS updates, and supervisory announcements for rapid adoption.
  • Focus on evidence readiness: Ensure all logs, audit trails, and registers are complete and structured.
  • Engage board and executive oversight: Document governance processes, responsibilities, and escalation paths.
  • Scenario planning: Prepare for possible expansions in scope or new resilience requirements.

Bottom Line

The January 2026 DORA supervisory review is imminent. While some specifics are still uncertain, organizations that have auditor mapping, TLPT readiness, governance, and third-party registers in order by the end of 2025 will be best positioned to navigate scrutiny with confidence.

This is not just a compliance exercise—it’s a chance to demonstrate operational resilience, strengthen oversight, and build a robust evidence base before supervisors come knocking.
