DORA regulation: Obligations for banks and financial service providers since January 2025
The DORA regulation has been in effect since January 17, 2025. Banks, insurers and securities firms must manage ICT risk, incident reporting, resilience testing and third-party control according to harmonised rules. This post shows the duties in the order in which they are examined.
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector, or DORA for short, has been directly applicable since January 17, 2025. It is aimed at 21 categories of financial companies, from CRR banks to crypto service providers, and their critical ICT third parties. Unlike the BAIT, VAIT and KAIT, which DORA largely replaces, the regulation applies in every Member State without national implementation. BaFin and the Deutsche Bundesbank are the responsible authorities in Germany and have been actively auditing since 2025.
This article organises the obligations according to the five pillars of the regulation: ICT risk management, reporting of serious ICT incidents, resilience testing, management of third-party risks and information exchange. For each pillar you will receive the relevant articles, the deadlines, the documentation requirements and the typical examination focuses. The focus is on the practical implementation in a medium-sized financial institution with a balance sheet total between 1 and 50 billion euros.
Key Takeaways
- DORA has been in effect immediately since January 17, 2025; BaFin and Bundesbank are examining the matter without a transition phase.
- The five pillars are ICT risk management, incident reporting, resilience testing, third parties and information sharing.
- The management level has ultimate responsibility according to Article 5 Para. 2 DORA and must personally approve ICT risk.
Scope and relationship to BAIT, VAIT, KAIT
The scope of application is regulated in Art. 2 DORA. Covered are credit institutions, payment institutions, electronic money institutions, investment firms, central custodians, central counterparties, trading venues, insurance and reinsurance companies, insurance and pension intermediaries, alternative investment fund managers, UCITS management companies, data provision services, crypto service providers, crowdfunding providers, securitization special purpose vehicles and several other categories. Retail investor intermediaries also fall under the regulation, provided they do not fall under the proportionality rule of Article 16.
BaFin clarified in its interpretative letter of January 2025 that DORA predominantly replaces BAIT, VAIT, KAIT and ZAIT. The circulars remain valid for aspects that DORA does not regulate, such as outsourcing requirements outside the ICT area. For management, this means a double obligation in the transition phase: The DORA obligation applies immediately, and remaining items from the circulars must continue to be observed.
For the role of the information security officer, DORA shifts the focus from national supervision to European harmonisation. You can find a classification of the role at Information Security Officer (ISB). CIVAC is a compliance platform and officer-as-a-service. Licence the workspace for your internal representatives, or have our representatives order it.
Pillar 1: ICT risk management according to Articles 5 to 16
Art. 5 Para. 2 DORA stipulates that the management body has ultimate responsibility for ICT risk management. Senior management must approve the ICT strategy, determine the ICT risk appetite, provide sufficient resources and attend ICT risk training at least annually. The training must be documented. Outsourcing responsibility to a service provider is not possible. The personal liability of the management body also arises from Section 93 AktG and Section 43 GmbHG and can be mitigated by D&O insurance, but not eliminated.
The content framework for ICT risk management results from Articles 6 to 16. The regulation requires a written ICT risk management framework, an inventory of all ICT assets, a continuous risk assessment, and a protection and prevention system detection system, a business continuity and recovery system, and a learning and improvement process. The requirements are specified in the Regulatory Technical Standards of the ESAs, in particular in the Delegated Regulation (EU) 2024/1774. The framework includes documented roles, documented escalation paths and reporting to the management body on at least an annual basis.
Proportionality according to Art. 4 DORA allows smaller institutions a simplified framework. The thresholds depend on total assets, business model and risk profile. BaFin checks the self-classification as part of ongoing supervision. Incorrect classification leads to additional demands and a special examination date. The classification must be documented with justification and checked annually. CIVAC Workspace brings together the ICT risk management framework with versioning, approval workflow and link to the 93 controls of ISO/IEC 27001:2022 in one dossier.
Pillar 2: Reporting of serious ICT incidents in accordance with Articles 17 to 23
Art. 19 DORA requires serious ICT incidents to be reported to the responsible authority. The reporting scheme corresponds to the three-tier model known from the NIS-2 guideline. The initial report is made immediately, at the latest within 4 hours of being classified as serious, and in any case within 24 hours of becoming aware of it. The interim report will follow within 72 hours and the final report will follow within one month of the resolution. In addition, there is an obligation to inform affected customers if the incident has a significant impact on their financial interests.
The classification as serious is based on the threshold values of Delegated Regulation (EU) 2024/1772. Relevant factors include the number of affected customers, the duration of the disruption, the geographical scope, the data loss and the economic impact. An incident is also serious if it affects the delivery of critical or important functions. There is also voluntary reporting of significant cyber threats, which in practice contributes to early warning in the sector.
In Germany, reporting is done via the BaFin portal MVP. The deadline begins with the internal classification, not with the first incident. The classification decision must be documented so that the deadline remains traceable. Deadline begins as soon as we become aware of it. CIVAC provides the 24/72 reporting path as an audit template and brings together the classification decision, escalation protocols and authority communication in one dossier. The auditor calls, the evidence is ready.
Pillar 3: Tests of digital operational resilience in accordance with Articles 24 to 27
DORA requires a resilience testing program. Art. 24 DORA specifies the principle, Art. 25 the types of testing, and Art. 26 the advanced threat-led penetration testing for large institutions. Every financial company tests the critical ICT systems at least once a year. Testing includes vulnerability scans, open source analysis, network security testing, physical security assessments, scenario-based testing and penetration testing. The testers must be technically and organizationally independent, which requires a dividing line from the line organisation, especially for internal teams.
Threat-led penetration testing according to Art. 26 is only mandatory for certain institutes. The Bundesbank makes the selection together with BaFin based on the TIBER-EU methodology. The test cycle is three years. During a TLPT, the live production systems are attacked by an accredited external tester based on a realistic threat scenario. The results flow into a binding action plan. The accreditation of the testers follows the requirements of the ESAs and the Bundesbank, and strict confidentiality and escalation rules apply between the actors involved.
The test results are documented and reported to management. Any vulnerabilities identified must be remedied in a prioritised manner according to risk, with a documented deadline and responsible body. BaFin examines the test plan, the result reports and the progress of the measures as part of ongoing supervision. CIVAC links test findings with the control catalogue and with the ICT risk inventory so that progress monitoring is automatically included in the quarterly report to management. Audit-proof, documented.
Pillar 4: Management of ICT third-party risks in accordance with Articles 28 to 44
The third party chapters are the part of the regulation with the greatest implementation effort. Art. 28 DORA requires a written strategy for ICT third-party risks, an information register of all contracts and a risk analysis before conclusion of the contract. The financial company reports the information register annually to the competent authority in accordance with the format of Delegated Regulation (EU) 2024/2956. The obligation to update the register applies to every significant change in the existence of critical or important contracts.
Art. 30 DORA lists the minimum clauses that every ICT third-party contract must contain. This includes service description, location of data processing, availability and security requirements, reporting and audit rights, emergency and termination clauses and sufficient transitional provisions. Contracts with critical or important functions are subject to expanded requirements, including full on-site auditability, contractually secured exit plans and documented stress test results of the service provider.
Critical ICT third-party service providers classified as such by the ESAs are subject to their own European supervision under Articles 31 to 44. The ESA published the first list in 2025. For the supervised institution, this means an additional reporting layer because findings from European supervision have to flow back into its own third-party risk management. An overview of the role of the supplier auditor complements the operational side. The obligations for concentration risk analysis from Article 29 also require an explicit assessment of the dependence on individual providers, especially large cloud hyperscalers.
Pillar 5: Information exchange and official cooperation
Art. 45 DORA promotes the voluntary exchange of information between financial firms on cyber threats, indicators of compromise, tactics, techniques and procedures. The exchange takes place within recognised communities of trust, for example via the German FI-ISAC or the European information exchange formats. The exchange relieves the burden of defence against identical attacks in several institutions and shortens the reaction time after a new attack pattern is observed for the first time.
The official cooperation is regulated in Articles 46 to 56. The ESAs coordinate supervision, while national authorities remain responsible for ongoing audits. In Germany, BaFin and the Bundesbank share responsibility according to the well-known model from banking supervisory law. Both authorities can exercise information, submission and on-site inspection rights. There is also a flow of information to the BSI as the national cybersecurity authority, which is handled via existing sectoral cooperation agreements.
Sanctions are regulated in Art. 50 DORA and are supplemented by national law. In Germany, the DORA accompanying law implements national sanctions. Violations of ICT risk management, reporting requirements or third-party rules can be punished with fines, publication of the violations, bans on the activities of responsible persons and licence revocation. The civil liability of the management according to § 93 AktG and § 43 GmbHG also remains, as does the criminal liability for intentional omission.
DORA interface to ISO/IEC 27001:2022 and NIS-2
DORA requires an ICT risk management framework, but does not define a concrete standard. In practice, institutes use the ISO/IEC 27001:2022 control catalogue with its 93 controls as an operational basis. The standard provides the structuring in Annex A, which fits the requirements of Articles 6 to 16 DORA. BaFin accepts an ISMS certified according to 27001:2022 as a strong indication of fulfilment of the DORA obligations, but does not replace the DORA-specific requirements, in particular not the reporting obligations from Article 19 and the third-party rules from Articles 28 to 30.
The relationship to NIS-2 is clarified in Article 1 Para. 2 DORA. For financial companies that also fall under NIS-2, DORA is considered a lex specialis. Double reporting is not necessary as long as the report to the relevant financial supervisory authority meets the requirements of both regimes. The BSI and BaFin have published an understanding that regulates the flow of information between the two authorities and avoids duplication of work.
A shared architecture results for groups with mixed subsidiaries, such as a bank and an IT service provider. The bank works under DORA, the IT service provider under NIS-2, and the joint group CISO coordinates both. The clear separation of reporting channels is critical to success because reporting obligations, deadlines and addressees are different. CIVAC maps the shared architecture in the workspace and assigns each control to both the DORA article and the NIS2UmsuCG section. Audit-proof, documented, § -firm.
Deadlines, fines and personal responsibility of management
The central deadlines at a glance: The regulation has been in force since January 17, 2025. Initial reporting of serious ICT incidents within 4 to 24 hours of classification, interim reporting within 72 hours, final reporting within one month. Annual submission of the information register of ICT third-party contracts to BaFin. Annual resilience tests, three-year TLPT cycle for affected institutions. Deadline begins as soon as we become aware of it. The annual approval of the ICT strategy by the management body and the at least annual training of the management are also included.
The national upper limit for sanctions is based on the DORA accompanying law. Serious violations are punished with fines in the millions, and activity bans against responsible persons apply in accordance with Section 36 KWG and Section 25c KWG. The personal liability of the management follows from Section 93 AktG and Section 43 GmbHG and can be mitigated by D&O insurance, but not excluded. Additional civil liability towards customers is conceivable if the breach of DORA obligations has resulted in specific damage.
The management bears ultimate responsibility in accordance with Art. 5 Para. 2 DORA. The annual training requirement, personal approval of the risk framework and reporting to the supervisory body cannot be delegated. A clean appointment certificate for the ISB, a documented reporting line to the board member IT and an annual written report form the minimum evidence. The appointment certificate, signed, filed, verifiable. CIVAC delivers the purchase order template, reporting line workflow and annual reporting structure as ready-to-use audit templates.
Turn reading into an assignment
DORA has been in effect since January 17, 2025. There is no transition phase. Anyone who presents an incomplete ICT risk framework, an unclear reporting chain or an incomplete third-party register in the first BaFin special audit will extend the audit and impose requirements. The quickest lever is a structured inventory along the five pillars, followed by a gap list with owner, deadline and proof.
CIVAC is a compliance platform and officer-as-a-service. The workspace comes with 490 ready-to-use audit templates, the 93 controls of ISO/IEC 27001:2022, the 24/72 reporting path, the DORA information register and the appointment certificate template. The platform runs under EU data residency and is operated under a certified ISO/IEC 27001:2022 ISMS. Licence the workspace for your internal representatives, or have our representatives order it. Others manage compliance like a filing cabinet. Wir führen sie wie Software.
Aus dem Lesen einen Auftrag machen. Write to info@civac.de or use the contact form. An experienced representative will contact you within two working days with a scoping discussion, a list of gaps and a suggestion for the next BaFin audit.
FAQ
When does DORA apply to my institute?
Regulation (EU) 2022/2554 has been in force since January 17, 2025. National implementation is not necessary and there is no transition period. If your institute falls within the scope of Article 2 DORA, all obligations apply in full from this date.
Does DORA completely replace BAIT, VAIT, KAIT and ZAIT?
Mostly yes. BaFin made it clear in the January 2025 interpretation letter that DORA replaces the essential content. Remaining stocks that DORA does not regulate remain valid. BaFin regularly publishes updated information on delimitations.
Which incidents are considered serious within the meaning of Article 19?
The threshold values are in the Delegated Regulation (EU) 2024/1772. Relevant factors include the number of affected customers, the duration of the disruption, the geographical area of application, the loss of data and the impact on critical functions. A documented classification decision is mandatory.
How frequently must the DORA Information Register be reported?
At least once a year. The format follows the Delegated Regulation (EU) 2024/2956. Significant changes in the existence of critical or important third-party contracts must be updated without a statute of limitations, even outside of the annual cycle.
Is an ISO/IEC 27001:2022 certification sufficient to fulfil the DORA obligations?
The standard provides the structure and the control catalogue, but does not cover all DORA-specific requirements, in particular not the reporting requirements, the third-party chapters and the resilience tests. Certification is considered a strong indication, but does not replace DORA-specific implementation and documentation.
What happens if there is an incorrect or delayed report?
Violations of the reporting obligation under Article 19 are punished with fines according to the DORA Accompanying Act and can lead to supervisory measures and even bans on activities against responsible persons. Clean classification and escalation documentation is therefore the most important element of defence.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.