DORA for Banks and Financial Services
DORA (Regulation (EU) 2022/2554) from a banking perspective: the five pillars, the RTS/ITS, the transition from MaRisk/BAIT, and sanctions of up to 1% of average global daily turnover.
DORA EU 2022/2554: What Has Applied Since January 2025
Since 17 January 2025, Regulation (EU) 2022/2554, better known as DORA (Digital Operational Resilience Act), applies directly in all EU member states. Unlike a directive, DORA does not need to be transposed into national law. The regulation is directly binding from the effective date with no implementation leeway. For banks, insurance companies, fintechs, payment service providers, and crypto-asset service providers, this means: the transition period is over.
DORA's scope is deliberately broad. The regulation covers more than 20 categories of financial entities. Beyond traditional credit institutions and investment firms, payment institutions, e-money institutions, insurance companies, reinsurers, credit rating agencies, trading venues, and crypto-asset service providers all fall within scope. Even crowdfunding platforms and data reporting service providers are affected. If your company is supervised by BaFin (or your national competent authority), there is a high probability that DORA applies to you.
The critical difference from previous regulations like MaRisk and BAIT: DORA is an EU regulation, not a national administrative guideline. This means Europe-wide harmonization of requirements for digital operational resilience. For institutions operating across multiple EU countries, the patchwork of national supervisory requirements is replaced by a single standard. At the same time, the bar is raised: DORA exceeds the previous MaRisk/BAIT requirements in many areas.
BaFin has made it unambiguously clear that it will examine DORA compliance from day one. Institutions that still have gaps in their implementation should close them with the highest priority. The supervisor does not expect perfection on the effective date but does expect a demonstrable implementation plan and documented progress.
The 5 DORA Pillars from a Banking Perspective
DORA structures the requirements for digital operational resilience into five core areas. For banks and financial services providers in Germany, it is essential to view these pillars not as abstract regulation but as concrete action areas for daily operations.
1. ICT Risk Management (Art. 5-16)
The heart of DORA. Every financial entity must establish a comprehensive ICT risk management framework that is overseen by, and accountable to, the management body. For a bank, this means concretely: you need a documented ICT risk register covering all information-processing systems, from core banking applications to online banking and internal communication tools. The management body is personally liable for the adequacy of the framework. This is not a delegation to the IT department but a board-level responsibility. Business impact analyses must be conducted regularly, recovery objectives (RTO/RPO) must be defined for critical functions, and the ICT strategy must demonstrably align with the business strategy.
2. ICT-Related Incident Management (Art. 17-23)
DORA formalizes what many institutions have previously implemented only rudimentarily: a structured process for ICT-related incidents. This starts with the classification of incidents under Art. 18 (severity, duration, affected clients, data loss) and extends to reporting obligations to BaFin. Major ICT incidents must be reported within 72 hours, with interim reports and a final report. For a bank processing millions of transactions per day, this is not trivial. Your incident response plan must clearly define who reports what, when, through which channels, and at what level of detail. Root cause analyses are mandatory, and findings must feed back into ICT risk management improvements.
3. Digital Operational Resilience Testing (Art. 24-27)
DORA requires regular testing of digital operational resilience. All financial entities must, at a minimum, perform annual vulnerability scans and scenario-based tests. For systemically important institutions, an additional requirement applies: Threat-Led Penetration Testing (TLPT) under Art. 26-27. These are not ordinary penetration tests but threat-based red team exercises that simulate realistic attack scenarios against live production systems. BaFin determines which institutions must conduct TLPT. In practice, this affects large banks, systemically important insurers, and financial market infrastructures. TLPT results must be submitted to the supervisor and feed into the assessment of operational resilience.
4. ICT Third-Party Risk (Art. 28-44)
For banks that increasingly outsource their IT to cloud providers, data centers, and software vendors, this pillar is particularly relevant. DORA requires a complete register of all ICT third-party providers, including subcontractors. Every contract must include clauses on security requirements, audit rights, exit strategies, and data location. Concentration risks must be assessed: if your core banking application, online banking, and data warehouse all run on the same cloud provider, you must explicitly address this risk. Particularly critical ICT third-party providers (e.g., large cloud hyperscalers) are also subject to direct oversight by the ESAs (EBA, EIOPA, and ESMA).
5. Information Sharing (Art. 45)
The fifth pillar is comparatively lean but not unimportant. DORA permits and encourages financial entities to exchange cyber-threat intelligence among themselves. For banks in Germany, established structures already exist, such as the BSI threat landscape reports or sector-specific ISACs (Information Sharing and Analysis Centers). DORA formalizes this exchange and creates a legal framework for it. You must ensure that information about threats, vulnerabilities, and indicators of compromise (IoCs) can be shared and received in a timely manner without violating data protection or competition regulations.
RTS/ITS: Which Technical Standards Are Final
The European Supervisory Authorities (ESAs) have concretized DORA through Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These standards detail how the abstract DORA requirements should be implemented in practice. By the end of 2024, two batches were adopted. The first batch includes RTS on the ICT risk management framework, incident classification, and reporting templates. The second batch specifies TLPT requirements, the third-party register, and concentration risk analysis. For your institution, this means: the concrete requirements are set. There is no more room for interpretation regarding what information the ICT risk register must contain or how third-party contracts must be structured.
MaRisk/BAIT to DORA: What Stays, What Is New
For institutions in Germany, the combination of MaRisk (Minimum Requirements for Risk Management) and BAIT (Supervisory Requirements for IT in Financial Institutions) has been the authoritative framework for IT risk management. With DORA, this changes fundamentally: DORA does not replace MaRisk entirely, but the IT-specific parts of MaRisk and the entire BAIT are superseded by DORA.
What stays: The general governance requirements from MaRisk (risk management, internal control system, compliance function) continue to apply. However, MaRisk AT 7.2 (technical-organizational equipment) is replaced by the significantly more detailed DORA requirements.
What is new: DORA goes beyond BAIT in several areas. This concerns in particular the ICT third-party register (BAIT had no formalized register), the TLPT obligation for systemically important institutions (BAIT only required generic penetration tests), the reporting obligations for ICT incidents (BAIT had no comparable deadlines), and the personal responsibility of the management body for the ICT risk management framework. If you have aligned your ISMS with BAIT, you will find that approximately 60 to 70 percent of the requirements overlap. The remaining 30 to 40 percent, however, require significant additional work, particularly in third-party management, resilience testing, and incident reporting.
Sanctions: Up to 1% of Global Daily Turnover
DORA grants national competent authorities extensive sanctioning powers. In Germany, BaFin is responsible for enforcement. The regulation provides for fines of up to 1% of average global daily turnover from the preceding financial year. For a large bank, this can quickly reach double-digit millions.
Beyond fines, BaFin can take administrative measures: public reprimands, orders to cease certain business practices, and in extreme cases, withdrawal of the business license. For board members and managing directors, there is a personal dimension: personal liability for deficiencies in ICT risk management is explicitly anchored in DORA. This means not only financial risks but also reputational consequences for the responsible individuals.
Next Steps
Want to dive deeper into specific DORA topics? Here you will find further resources to help prepare your institution for the regulatory requirements:
- DORA Content Hub with the complete DORA requirements catalog and implementation guides
- ICT Risk Management under DORA with details on Art. 5-16, ICT risk register, and third-party register
- BaFin Readiness with Kopexa covering TLPT requirements, resilience testing, and export formats
- Risk Management Feature in Kopexa for ICT risk register and mitigation tracking