The European Banking Authority’s 2026 programme is ‘we wrote it in the past, now we are implementing it’.
With DORA, banks’ and fintechs’ critical third-party contracts (including cloud) are being scrutinised. In MiCA, the infrastructure and supervisory framework is becoming clearer. White label providers in particular must be more careful about transparency. On the derivatives side, ISDA SIMM model validation is starting with EMIR 3, and we see August 2026 as a critical date on the calendar. In payments, PSR/PSD3/FIDA point to a busy period of secondary regulation on the horizon.
The message for financial institutions and the organisations that serve them is very clear: as we enter 2026, banks and fintechs must evaluate their contracts with critical external service providers (CTPPs), such as cloud providers, within the framework of information security.
The services we offer at CFECERT under DORA include:
- DORA Gap Analysis
- DORA Awareness Training – 1 day
- DORA Implementation Training – 2 days
- DORA Lead Manager – 4 days
You can follow us for up-to-date information and free webinars: https://www.linkedin.com/company/cfecertification/
For more information about EBA 2026 Work Programme: https://www.eba.europa.eu/sites/default/files/2024-09/a5bce431-7793-4b75-bd07-d5741c961fbe/EBA%20Work%20programme%202025.pdf
