One year of DORA: What's next for financial companies

  • 01/08/2026

After the first twelve months, BaFin is taking stock and providing an outlook on regulatory IT audits. This is what financial companies now need to prepare for in connection with DORA.

The Digital Operational Resilience Act (DORA) enables uniform ICT risk management across Europe. The regulation also supports the competent supervisory authorities in creating a cyber risk situation report based on incident reports and in better monitoring third-party and concentration risks.

One year of DORA: BaFin's interim assessment

In order to jointly strengthen operational resilience, financial companies have been required to fully integrate the DORA requirements into their risk management since January 17, 2025. On December 4, 2025, the German Federal Financial Supervisory Authority (BaFin) took stock and provided an outlook at the event “IT Supervision in the Financial Sector: The First Year of DORA.”

According to BaFin’s report, more than 600 serious ICT incidents were reported to the supervisory authority in the past twelve months. The statistics show that cyberattacks are not a theoretical scenario but reality – even if, according to BaFin, no major system damage has occurred to date.

Initial insights from the regulatory DORA audits

In addition, BaFin and the Bundesbank provided practical guidance for the audit. The supervisory DORA audit procedure is designed on a modular basis according to the topics covered by the Digital Operational Resilience Act.

For financial companies, this results in the following fields of action:

  1. Governance and organization:
    Financial companies must document their DORA strategy and written rules centrally and consistently. The objectives and risk tolerance threshold should be defined as quantitatively as possible and monitored on a regular basis. In addition, the management body must be actively involved in monitoring and approval.
  2. ICT risk management framework:
    Critical or important functions must be identified on the basis of clear and comprehensive criteria. Complete and up-to-date inventories should be maintained, supplemented by automated data quality controls wherever possible. Clear responsibilities and processes must be defined for the implementation and monitoring of measures. In addition, the ICT control function’s independence and effectiveness must be ensured.
  3. ICT third-party risk management:
    Because 2025 was a transition year, this topic has been flagged as a focus area for 2026.
  4. Protection and prevention:
    Financial companies must establish comprehensive vulnerability management, which includes the performance of automated scans as well as the setting and central tracking of binding processing deadlines. In line with leading practices and standards, comprehensive security measures must be implemented and regularly tested in a risk-based manner. In addition, security requirements for third-party ICT service providers must be contractually regulated as clearly as possible and their compliance must be regularly monitored.
  5. Identity management and access controls:
    No specific details were provided on this aspect.
  6. Detection:
    At a minimum, all ICT systems that support critical or important functions must be connected to a Security Information and Event Management (SIEM) system, in addition to complete and intact logging. Encryption and protection of log data integrity must be implemented consistently. The underlying detection use cases must be developed with a focus on threats and tested regularly. In addition, clear, documented procedures for alert processing and escalation – even outside business hours – must be established.
  7. ICT operations:
    No specific details were provided in this regard.
  8. ICT projects and application development (including EUC):
    No specific details were provided in this regard.
  9. ICT business continuity management:
    Recovery objectives must be implemented in line with the defined risk tolerance threshold through concrete plans and measures. Financial companies must keep their emergency and recovery plans complete and up to date at all times, and conduct regular tests that are as realistic as possible. Employees should be continuously made aware of emergency plans and measures. In addition, the tracking of deficiencies must be ensured and the contractual and organizational integration of third-party ICT service providers must be guaranteed.
  10. ICT audit:
    It was particularly emphasized that this is a new focus topic.

In the first year, affected financial companies were audited primarily and individually on three to five of these topics.

What should financial companies expect from the DORA audit?

The regulatory DORA audits will be more tailored to the individual circumstances of financial companies. The challenges are similar to those under xAIT, with a focus on regular testing and strengthening operational resilience. Furthermore, additional follow-up audits are planned for 2026 and 2027.

How Baker Tilly can support you

Baker Tilly supports you in addressing DORA requirements in an efficient and compliant manner.

  • We accompany you through all phases of a supervisory DORA audit, or proactively prepare you for one (also on a modular basis).
  • We assume the task of IT auditing (co-sourcing).
  • We audit your service-related ICS (third-party assurance in accordance with IDW PS 951, ISAE 3402, or similar).

Authors of this article

Daniel Boms

Director

Certified Information Systems Auditor (CISA)

Kilian Trautmann

Manager

Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM)
