Compliance 2026: how DORA, EUCS and AI Act will change the functioning of (Czech) financial institutions
Which milestones will shape IT compliance in Europe in 2026? For the Czech Republic, DORA, EUCS and the AI Act are key. Let's take a closer look at what this means for banks, insurers and investment firms - especially for compliance, ICT risk and outsourcing teams.
Lenka Lipová

Compliance in the financial sector: the reality of 2026
The DORA Regulation (Digital Operational Resilience Act) has now been applicable for more than a year (it applies from 17 January 2025). But only 2026 will show its real impact in practice: institutions are gradually moving from the project phase into day-to-day operation under the supervision of the regulator.
In 2025, financial institutions focused primarily on:
- gap analysis against DORA,
- mapping the links between critical or important functions (CIF) and the ICT services that support them,
- review of contracts with key suppliers.
At the same time, many institutions were counting on full compliance only in 2026-2027: the implementation is complex and affects the whole organisation.
DORA in practice (2026)
The year 2026 brings the first full experience of DORA in operation:
- developing incident reporting and digital operational resilience testing,
- higher expectations from regulators (including the CNB),
- emphasis on realistic management of ICT risks and dependencies, not paper exercises.
A major new feature is also the designation of critical ICT third-party providers (CTPPs) by the European Supervisory Authorities (EBA, EIOPA, ESMA). In addition to the hyperscalers (Microsoft, AWS, Google Cloud), other major technology and data providers are on the list.
What are the implications for financial institutions?
- increased regulatory attention to the suppliers an institution uses,
- pressure for a credible exit strategy and for management of concentration risk,
- the need for a detailed map of dependencies on ICT services.
So a problem that institutions have long underestimated is now fully exposed: without a complete map of which ICT services support which critical or important functions, monitoring, testing and outage management cannot be set up effectively.
EUCS and cloud sovereignty
A big theme for 2026 is also the EUCS (European Cybersecurity Certification Scheme for Cloud Services), which is still being finalised at European level.
EUCS was created in response to the EU's growing dependence on non-EU cloud giants (Microsoft, Amazon, Google). Concerns about data sovereignty increased especially after the Snowden disclosures (2013) and the adoption of the US CLOUD Act (2018), which lets US authorities compel US providers to hand over data regardless of where it is stored.
The upcoming scheme envisages three levels:
- Basic - a baseline level of security
- Substantial - a higher level of protection
- High - the highest level of security and control
The discussion around EUCS revolves strongly around the topic of digital sovereignty, especially for services that support critical or important functions (CIF).
In practice, this means for banks:
- monitoring the evolution of EUCS and its impact on their cloud strategy,
- pressure on cloud providers for transparency and demonstrable security,
- greater emphasis on managing vendor lock-in and on service portability.
How is EUCS evolving?
- 2019: basic framework
The adoption of the Cybersecurity Act (Regulation (EU) 2019/881) gives ENISA the mandate to prepare European cybersecurity certification schemes. EUCS is one of them and covers cloud services (IaaS, PaaS, SaaS).
- 2020: first proposals
The first versions of EUCS combine a strong focus on security with elements of digital sovereignty: for example, they discuss data localisation requirements and restrictions on access from third countries.
- 2021-2022: intense debate
The proposal provokes a strong reaction. Some Member States (notably France and Germany) push for a stricter "sovereign" approach. Global cloud providers and parts of the market warn of the risk of limiting competition. The result is a period of intense negotiations between regulators and Member States.
- 2023: modifications to the proposal
Subsequent versions of the proposal gradually modify the requirements:
- greater differentiation between the certification levels,
- relaxation of some requirements for the lower levels (Basic, Substantial),
- continued discussion on the scope of requirements for the highest level (High).
- 2024-2026: finalisation at European level
The EUCS remains subject to political and professional negotiations. At this stage:
- the final form of the scheme is being reconciled,
- its relationship to digital sovereignty and the European cloud strategy is being addressed,
- its practical application in regulated sectors (including finance) is being discussed.
The scheme has not yet been finally adopted, but its impact is already evident, especially in how financial institutions think about the cloud, their vendors and data localisation.
AI Act: second wave of compliance
Another major milestone awaits us in August 2026, when the key obligations of the AI Act, especially those for high-risk AI systems, become applicable (the general application date is 2 August 2026).
Financial institutions thus address:
- governance of AI models,
- risk management, including bias and explainability,
- classification of AI systems and registration of those that qualify as high-risk,
- linking AI governance with ICT risk management under DORA.
With the increasing use of AI in the cloud, this area naturally connects to DORA and broader digital sovereignty issues.
Three parallel compliance challenges in 2026
Compliance today is therefore not a single topic, but a combination of several areas:
- DORA → ICT risk management, incidents, third parties
- AI Act → governance and regulation of AI systems
- Cloud / sovereignty (EUCS) → control over data and suppliers
Institutions that address these areas separately quickly hit their limits. Conversely, an integrated approach across the whole organisation is growing in importance.
What turns out to be the key?
- linking compliance, ICT risk, IT and business
- the emergence of central governance for AI and cloud
- emphasis on real (not paper) resilience
What is often overlooked?
In addition to DORA, the AI Act and EUCS, the broader regulatory context needs to be watched.
In particular, the transposition of the NIS2 Directive comes into play, which extends cybersecurity requirements across sectors and affects supply chains. At the same time, existing regulatory frameworks remain relevant (e.g. the EBA guidelines on ICT risk and on outsourcing), and in practice they overlap with DORA.
The result?
IT compliance is therefore not just moving towards new regulations, but towards a layering of requirements that are intertwined. The year 2026 is a turning point: it is no longer about "readiness" but about demonstrable compliance in practice.
And 2027? That is likely to bring a further shift towards Open Finance (PSD3, PSR, FiDA). But that is a chapter in itself.