When the Digital Operational Resilience Act's implementation deadline passed in January 2025, many European financial services organisations treated it as the end of a compliance project. Supervisory behaviour in 2026 is pushing back against that assumption.
A report from Boston Consulting Group warns that Europe's digital infrastructure faces a serious "resilience gap", in which a large-scale or prolonged outage could trigger cascading crises across payments, financial stability and emergency response systems. DORA's enforcement machinery, now active, is giving that warning teeth.
Mark Appleton, Group Lead Vendor Ecosystem Development at ALSO Group, argues the shift has already changed how regulators engage. "The shift from implementation to enforcement is already visible in supervisory behaviours. Regulators need more than just seeing policy on paper; they are now demanding real-time proof of continuity under stress test audits. It's now just as important to be able to display how your multi-vendor ecosystem behaves when a primary cloud region goes dark or a critical SaaS provider faces a breach," he said.
The regulation's scope extends further down the supply chain than many providers expected. Under DORA, ICT third-party providers, including cloud platforms and managed service providers, face direct accountability, with the European Supervisory Authorities now empowered to designate critical third-party providers for direct oversight. In Appleton's framing, "a vulnerability anywhere in the digital supply chain is now treated as a vulnerability everywhere."
Resilience has evolved in today's market to become more than just a checkbox for the risk department, and instead to be a commercial differentiator and legal obligation in the post-DORA era
For cloud partners, that creates a new commercial calculus. "Resilience has evolved in today's market to become more than just a checkbox for the risk department, and instead to be a commercial differentiator and legal obligation in the post-DORA era," Appleton said. ALSO's view is that a cloud marketplace, by aggregating configuration data, identity controls, activity logs and posture monitoring across multi-vendor environments, can function as a de facto compliance registry, converting resilience into a continuous workflow rather than a periodic audit.
The practical priorities Appleton sets out for 2026 include mapping digital dependency stacks, building multi-vendor resilience architectures, automating incident reporting, and tightening vendor governance with explicit exit strategies. The argument is that customers will move toward partners who can provide real-time evidence of operational continuity, not retrospective post-mortems.
ALSO Holding AG (ALSN.SW) operates across 31 European countries, serving more than 135,000 resellers through a portfolio spanning over 800 vendors across hardware, software and IT services.
