
BaFin Readiness with Kopexa

What BaFin expects in DORA audits. TLPT, resilience testing and export formats for BaFin reports.

What BaFin Expects in DORA Audits

BaFin, as the national competent authority, is responsible for enforcing DORA in Germany. With the regulation taking effect on 17 January 2025, BaFin has adapted its supervisory approach. DORA-related requirements are now an integral part of regular supervisory examinations, special audits, and ongoing supervision.

BaFin's audit approach follows a risk-based model. This means: not every institution will be fully examined immediately, but institutions with high systemic importance, recent security incidents, or known deficiencies are at the top of the audit list. BaFin examines not only documentation but demands evidence of actual implementation. A risk management framework that exists only on paper is insufficient.

Typical examination areas include: the governance structure for ICT risk management (Is the management body demonstrably involved?), the ICT risk register (Is it complete, current, and actively managed?), the third-party register (Are all ICT service providers captured, including subcontractors?), incident response capability (Are reporting processes tested and functional?), and resilience testing documentation (Were tests conducted and results implemented?).

Common findings in initial audits particularly concern: incomplete ICT asset registers, missing or outdated business impact analyses, undocumented third-party dependencies, gaps in the incident response process (particularly missing escalation paths and untested reporting channels), and insufficient evidence of resilience testing. BaFin expects findings to be remediated within defined deadlines. For severe deficiencies, BaFin can order immediate measures, including restrictions on certain business activities.

Documentation expectations are high. BaFin expects all relevant documents to be current, approved by the management body, and accessible to responsible staff. This includes: ICT risk strategy, ICT policies, risk treatment plans, incident response plans, recovery plans, test reports, and the third-party register. Missing documents are a certain finding.

TLPT: Who Must, Who Should

Threat-Led Penetration Testing (TLPT) under DORA Art. 26-27 is the most demanding form of resilience testing. Unlike ordinary penetration tests, a TLPT is run on live production systems against attack scenarios derived from current threat intelligence. An external red team attacks while the institution's own blue team defends, normally without advance notice; only a small control team (the white team) knows the test is under way. The goal: assess the actual resilience of your institution under realistic conditions, including how quickly the attack is detected and contained.

Who must: BaFin determines which institutions are required to conduct TLPTs. Selection is based on systemic importance, risk profile, and criticality of the financial services provided. In practice, this primarily affects large banks (especially G-SIBs and D-SIBs), systemically important insurers, central counterparties (CCPs), central securities depositories (CSDs), and payment system operators. When BaFin requests your institution to conduct a TLPT, it is not a voluntary recommendation.

Who should: Even institutions not formally required to conduct TLPTs should consider threat-based testing. BaFin views proactive testing positively and may indicate during supervisory discussions that TLPT is considered best practice. For mid-sized banks and financial service providers, at least annual penetration tests at TLPT-comparable levels are recommended, even without a formal TLPT obligation. Experience shows that institutions that gain TLPT experience early are significantly better prepared when a formal obligation arises later.

TLPT execution follows the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming), implemented in Germany as TIBER-DE. The process encompasses three phases: the preparation phase (scoping, threat intelligence report), the testing phase (active red team engagement, which DORA requires to last at least 12 weeks), and the closure phase (blue team replay, results report, remediation plan). Entities designated for TLPT must repeat the exercise at least every three years (Art. 26(1)). Costs for a complete TLPT typically range from EUR 200,000 to 500,000, depending on scope.

Resilience Testing: Requirements and Evidence

Regardless of the TLPT obligation, DORA requires all financial entities to regularly test their digital operational resilience. Art. 24 sets the general requirements for the testing programme (including that ICT systems and applications supporting critical or important functions are tested at least yearly), and Art. 25 lists the tests and tools it must draw on. At minimum, every institution's programme covers:

  • Vulnerability scans: Regular automated scans of your ICT infrastructure for known vulnerabilities. DORA itself fixes no scan interval; a defensible baseline is at least quarterly, and monthly for systems supporting critical or important functions. Results must be documented and remediated in priority order.
  • Network and security tests: Testing of network segmentation, firewall configurations, access control mechanisms, and encryption standards. At least annually, ideally semi-annually.
  • Scenario-based tests: Simulation of realistic attack and outage scenarios. This includes ransomware scenarios, DDoS attacks, insider threats, and the failure of critical ICT third-party providers. The management body must be informed of test results.
  • Recovery tests: Testing of backup and recovery processes under realistic conditions. Can you actually restore your critical systems within the defined RTO? These tests must be conducted regularly and results documented.

BaFin expects a structured report for every test containing at minimum: test scope, test methodology, results (identified vulnerabilities and risks), assessment of results, and an action plan for remediating identified deficiencies. Results must feed back into the ICT risk register and, where appropriate, lead to reassessment of existing risks.
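As an added example (not part of this page or of Kopexa's product), the following Python script applies the cadences and the minimum report content listed above to a constructed set of test-evidence records. It flags systems with no evidence for a test type, evidence older than the cadence allows, reports missing a required section, recovery tests that missed their RTO, and lists the open findings that must be carried into the ICT risk register. The record fields, the MAX_AGE_DAYS values and the sample records are assumptions for illustration, not BaFin or DORA prescriptions.

```python
"""Cadence, RTO and report-completeness checks over resilience-test evidence.

Added example, not Kopexa code. The cadences and required report sections are
those stated in the text above; the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum age (days) of the most recent evidence per test type and system
# criticality. Assumed policy values derived from the cadences stated above.
MAX_AGE_DAYS = {
    "vulnerability_scan":    {"critical": 31,  "standard": 92},
    "network_security_test": {"critical": 366, "standard": 366},
    "scenario_test":         {"critical": 366, "standard": 366},
    "recovery_test":         {"critical": 366, "standard": 366},
}

# Minimum content of every test report, as listed above.
REQUIRED_SECTIONS = frozenset({"scope", "methodology", "results", "assessment", "action_plan"})


@dataclass
class TestRecord:
    system: str
    criticality: str                      # "critical" or "standard"
    test_type: str                        # a key of MAX_AGE_DAYS
    performed: date
    sections: frozenset = frozenset()     # report sections actually present
    open_findings: int = 0                # unremediated findings from this test
    rto_hours: Optional[float] = None     # recovery tests only: target
    restore_hours: Optional[float] = None # recovery tests only: measured restore time


def latest_per_test(records):
    """Most recent record for each (system, test_type) pair."""
    latest = {}
    for r in records:
        key = (r.system, r.test_type)
        if key not in latest or r.performed > latest[key].performed:
            latest[key] = r
    return latest


def check_evidence(records, today):
    """Return a sorted list of (system, issue) pairs an examiner would raise."""
    issues = []
    latest = latest_per_test(records)
    systems = {r.system: r.criticality for r in records}  # assumes consistent criticality
    for system, crit in systems.items():
        for test_type, limits in MAX_AGE_DAYS.items():
            rec = latest.get((system, test_type))
            if rec is None:
                issues.append((system, f"no evidence of {test_type}"))
                continue
            age = (today - rec.performed).days
            if age > limits[crit]:
                issues.append((system, f"{test_type} overdue by {age - limits[crit]} days"))
            missing = REQUIRED_SECTIONS - rec.sections
            if missing:
                issues.append((system, f"{test_type} report missing sections: "
                                       f"{', '.join(sorted(missing))}"))
            if (test_type == "recovery_test" and rec.rto_hours is not None
                    and rec.restore_hours is not None and rec.restore_hours > rec.rto_hours):
                issues.append((system, f"recovery_test missed RTO: {rec.restore_hours}h "
                                       f"measured vs {rec.rto_hours}h target"))
    return sorted(issues)


def risk_register_entries(records):
    """Open findings must feed back into the ICT risk register: one entry per test with open findings."""
    return [(r.system, r.test_type, r.open_findings) for r in records if r.open_findings > 0]


# Constructed sample evidence (not real data) as of a fixed reference date.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    TestRecord("core-banking", "critical", "vulnerability_scan", date(2025, 5, 2),
               REQUIRED_SECTIONS, open_findings=3),
    TestRecord("core-banking", "critical", "network_security_test", date(2024, 11, 20),
               REQUIRED_SECTIONS),
    TestRecord("core-banking", "critical", "scenario_test", date(2025, 3, 14),
               frozenset({"scope", "results"})),            # report incomplete
    TestRecord("core-banking", "critical", "recovery_test", date(2025, 4, 8),
               REQUIRED_SECTIONS, rto_hours=4, restore_hours=6.5),  # RTO missed
    TestRecord("crm", "standard", "vulnerability_scan", date(2025, 1, 10),
               REQUIRED_SECTIONS),                          # quarterly cadence exceeded
]

if __name__ == "__main__":
    for system, issue in check_evidence(SAMPLE_RECORDS, AS_OF):
        print(f"{system}: {issue}")
    for system, test_type, n in risk_register_entries(SAMPLE_RECORDS):
        print(f"risk register: {system} / {test_type}: {n} open finding(s)")
```

Running it against the sample data yields six issues: the core-banking recovery test missed its 4-hour RTO, its scenario test report lacks three required sections, the CRM scan is 50 days past the quarterly limit, and the CRM system has no evidence at all for three test types; the three open scan findings on core-banking are the only register entries. Wiring the same check to your evidence repository gives a continuously current view of exactly the gaps BaFin lists as typical findings.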

Export Formats for BaFin Reports

DORA and its associated RTS/ITS define specific formats and content requirements for reports to BaFin. Your institution must be able to produce and submit the following reports in the required formats on time:

  • ICT incident reports: Initial notification, intermediate report, and final report for major ICT-related incidents, using the templates defined by the ESAs and submitted in structured form via the BaFin reporting portal. The deadlines are tight: the initial notification is due within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. Untested reporting channels are therefore a finding in their own right.
  • Third-party register: The ICT third-party register must be submittable to BaFin on request in a standardized format. The ESAs have published specific templates for this purpose.
  • Test reports: At the close of a TLPT, the institution submits a summary of the relevant findings, the remediation plan, and documentation showing that the test was conducted in line with the TLPT requirements, on which basis the authority issues an attestation (Art. 26(6)). Other resilience test reports should follow one consistent structure (scope, methodology, results, assessment, action plan) so that BaFin can compare them within and across institutions.

Technical preparation for these reporting obligations is not trivial. Your institution needs systems that can extract, validate, and submit the relevant data in the required formats. Manual creation of these reports is error-prone and time-consuming. Automated export functions are therefore not just nice to have but a practical necessity.

Your BaFin Readiness Score

This is how Kopexa tracks your DORA compliance status. Select a category, review progress, close gaps.

[Interactive readiness dashboard (sample values): Overall Readiness 73%. Category ICT Risk Management 82%, with the checklist items: ICT risk framework documented, asset register complete, business impact analysis, patch management process, vulnerability scans scheduled.]

Kopexa for BaFin Readiness

Preparing for BaFin audits under DORA requires a systematic approach. Kopexa supports you at multiple points:

  • DORA Framework Templates: Kopexa offers preconfigured templates for the DORA requirements catalog. You do not start from scratch but with a structured foundation that maps all relevant articles. For each requirement, you can track implementation status and attach evidence.
  • Policy Templates: Instead of writing every policy from scratch, you use Kopexa's policy templates as a starting point. The templates are aligned with DORA requirements and can be customized to your institution's specific needs. Approval workflows ensure every policy is approved by the management body and accessible to staff.
  • ICT Risk Register: Kopexa's integrated risk register is specifically tailored to DORA requirements. Risk owners, mitigation tracking, review cycles, and linkage to DORA articles are built in from the start.
  • Evidence Export: For BaFin audits, evidence management is critical. Kopexa enables you to export all relevant evidence bundled and linked to the respective DORA requirements. Instead of painstakingly gathering documents during the audit, you deliver a structured evidence package.

With Kopexa, you reduce the preparation effort for BaFin audits by 40 to 60%. The platform gives you a real-time overview of your current implementation status and clearly shows where action is still needed. Instead of reacting to audits, you are proactively prepared.
