The DORA Debt: Why Compliance Faces Real Stress Tests


If you thought DORA was a "once-and-done" checklist, think again. Recent high-profile breaches like France's FICOBA incident and Dutch supply chain compromises in early 2026 underscore that regulatory compliance alone doesn't stop determined attackers. As financial institutions navigate 2026, they're hit with a dual burden: meeting DORA's ICT mandates while fending off credential theft and third-party exploits that bypass traditional defenses.

DORA, fully applicable since January 2025, demands robust risk management, incident reporting, and third-party oversight for EU financial entities. Yet real-world events reveal gaps between policy and practice, especially as credential abuse evolves.

Current Casualties

French FICOBA Breach (Late January–Mid-February 2026): Attackers compromised a civil servant's credentials to log into France's national FICOBA registry, the centralized database tracking all bank accounts. This exposed sensitive data on approximately 1.2 million accounts, including IBANs, full names, addresses, and some tax identifiers. The breach unfolded over weeks via the interministerial ANTS platform, with no zero-day exploits or malware required, just valid login access.

Impacts rippled across France: affected individuals faced heightened fraud risks, prompting urgent notifications and IBAN monitoring advisories from authorities.

Dutch Supply Chain Issues: In February 2026, Odido (a major Dutch telco) suffered a data breach exposing user info, while Booking.com confirmed unauthorized customer data access in April 2026. These incidents spotlight unmanaged SaaS tools that financial employees rely on daily, allowing attackers to sidestep core systems.

A March 2026 unauthorized access at the Netherlands Ministry of Finance further highlights regional vulnerabilities in public-private data flows.

Credential Trends: IBM's 2026 X-Force Threat Intelligence Index confirms Europe as the world's most targeted region for financial attacks, with credential harvesting and abuse accounting for 40% of incidents. Attackers have shifted from "breaking in" to simply "logging in," exploiting weak identity controls.

DORA Gaps Exposed

DORA's ICT Risk Management Framework is comprehensive on paper, covering resilience testing, incident response, and Article 21's third-party risk requirements. But implementation lags against fast-moving threats.

Identity Weakness: Firms have invested heavily in perimeter security, yet identities remain the soft underbelly. FICOBA proves a single stolen credential can unlock national-scale exposure, underscoring brittle MFA setups.

Supply Chain (Article 21): DORA mandates contractual safeguards and monitoring for critical ICT providers, but events show attackers pivot through employee-used services. Auditing vendors' security postures is table stakes; true gaps lie in runtime visibility.

Reporting Overload: National authorities like the Netherlands' DNB are swamped with DORA's mandatory Registers of Information: detailed submissions on ICT setups and risks. While DNB launched streamlined portals in March 2026, the sheer volume delays actionable insights, leaving firms reactive during incidents.

Forculus Strategy: Beyond the Floor

At Forculus, we view DORA as a baseline, not the finish line. Resilience in 2026 hinges on operational integrity over paperwork. Here's how to go beyond the baseline:

  1. Adopt Phishing-Resistant Auth: Ditch SMS and app-based MFA for FIDO2 hardware keys or passkeys across all critical access points, including CUI and financial registries. This thwarts real-time credential stuffing and session theft.

  2. Audit Paths, Not Just Paper: Beyond ISO certs, implement binary attestation to cryptographically verify third-party software integrity at runtime, ensuring no supply chain injections slip through.

  3. Attack Path Focus: Traditional severity scores miss chained vulnerabilities. Model full exploit paths assuming AI-assisted attackers link "low" bugs into critical chains; prioritize based on potential impact.
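One way to put the third point into practice, as an added example that is not Forculus's code or a tool the post describes: a constructed asset graph in which every edge is a finding, and findings are ranked by the highest-impact chain they sit on rather than by their standalone severity. The asset names, finding ids and impact scores are invented for the illustration.

```python
"""Attack-path prioritisation on a constructed asset graph (added example).

Each edge is a finding that lets an attacker move from one asset to the next.
Taken alone the findings are 'low' or 'medium'; ranked by the chains they
enable into the crown-jewel asset, four 'low' bugs outrank a 'medium' one.
"""

# Constructed sample data: (source asset, target asset, finding id, standalone severity).
FINDINGS = [
    ("internet", "hr-saas", "F1", "low"),              # SMS-only MFA on an HR SaaS tool
    ("hr-saas", "sso-idp", "F2", "medium"),            # password reused at the identity provider
    ("sso-idp", "admin-vpn", "F3", "low"),             # VPN trusts any IdP session
    ("admin-vpn", "account-registry", "F4", "low"),    # registry ACL allows the whole VPN range
    ("internet", "marketing-site", "F5", "medium"),    # outdated CMS plugin
    ("marketing-site", "cdn-cache", "F6", "low"),      # cache poisoning
]
# Business impact of an attacker reaching each asset (constructed, 1-10).
IMPACT = {"account-registry": 10, "cdn-cache": 2}


def all_paths(edges, start, goal):
    """Enumerate simple paths from start to goal as lists of finding ids."""
    found = []

    def walk(node, seen, trail):
        if node == goal:
            found.append(trail)
            return
        for src, dst, fid, _ in edges:
            if src == node and dst not in seen:
                walk(dst, seen | {dst}, trail + [fid])

    walk(start, {start}, [])
    return found


def rank_findings(edges, entry="internet"):
    """Return (finding, standalone severity, chain impact), highest chain impact first."""
    severity = {fid: sev for _, _, fid, sev in edges}
    chain_impact = {fid: 0 for fid in severity}
    for goal, impact in IMPACT.items():
        for path in all_paths(edges, entry, goal):
            for fid in path:
                chain_impact[fid] = max(chain_impact[fid], impact)
    order = sorted(severity, key=lambda fid: -chain_impact[fid])
    return [(fid, severity[fid], chain_impact[fid]) for fid in order]


if __name__ == "__main__":
    for fid, sev, impact in rank_findings(FINDINGS):
        print(f"{fid}: standalone={sev:<6} chain_impact={impact}")
```

The output puts F1 through F4 (three of them "low") ahead of the "medium" F5, because they form the only chain into the account registry.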

Bottom Line: DORA provides the floor. Financial survivors in 2026 treat digital sovereignty as a daily operational fight, not a quarterly audit ritual. Partner with experts like Forculus to secure your path forward.
