DORA 2026: Why 44% of financial companies are not compliant — and what to do now


February 23, 2026
15 min reading time


The Digital Operational Resilience Act (DORA) has been applicable since January 17, 2025. Over a year later, a sobering picture emerges: current surveys show that almost every second financial company in Germany has significant implementation problems. The average level of implementation is around two thirds of the requirements - far from the full compliance that BaFin expected. At the same time, the supervisory authority will begin systematic audits and follow-up inspections in 2026.

This article analyzes the five biggest weaknesses in DORA implementation, shows where BaFin will pay particular attention in 2026, and provides a concrete roadmap for financial companies that need to close their compliance gaps now.

What DORA requires of financial companies — an overview

DORA is not an IT regulation. DORA is a management regulation. The EU regulation requires financial companies to systematically build, test and prove their digital operational resilience. This affects banks, insurance companies, payment service providers, investment firms, crypto service providers and numerous other players in the financial sector.

DORA's five core pillars include:

  1. ICT risk management — a comprehensive framework for managing information and communications technology risks
  2. Incident reporting — reporting serious ICT-related incidents to the supervisory authority
  3. Testing digital operational resilience — from basic testing to Threat-Led Penetration Testing (TLPT)
  4. ICT third-party risk management — control and monitoring of all ICT service providers
  5. Information exchange — voluntary sharing of threat intelligence between financial firms

What distinguishes DORA from previous regulations such as BAIT, VAIT or KAIT: the regulation applies directly as EU law, has a significantly broader scope of application and sets significantly stricter deadlines - especially for incident reporting. Anyone who wants to understand the overall regulatory landscape in 2026 with NIS2, AI Act and CRA has to treat DORA as a central component of it.

The status quo: Where financial companies stand when it comes to DORA implementation

The numbers are clear. A KPMG study shows that many financial companies have not yet fully implemented all the necessary measures, even after the application deadline in January 2025. According to a Metafinanz survey, the average planned implementation status as of the deadline was around two thirds of the requirements - at best 90 percent, in the worst case only 30 percent. BaFin itself has already documented common errors in the submission of information registers in its workshops in 2025 and is preparing new workshops for 2026.

Particularly affected are medium-sized financial companies that neither have the resources of large banks nor the simplified requirements for micro-enterprises under Article 16 DORA. They find themselves in a regulatory sandwich position: full requirements, limited capacities.

The central insight: DORA compliance is not a one-off project with a deadline. It is an ongoing process, with the operational test beginning in 2026.

The five biggest DORA vulnerabilities in 2026

1. Incident Reporting: The 4-hour deadline as a stress test

The reporting requirement for serious ICT-related incidents is probably the most stringent requirement in DORA. The initial report must be made within four hours of the incident being classified as serious — but no later than 24 hours after the incident is discovered. This is significantly more ambitious than the 24-hour period under NIS2.

What this means in practice: A company must identify an incident within a few hours, classify it, assess the impact on other financial institutions and third-party ICT service providers and submit a structured report to BaFin. This is followed by an interim report within 72 hours and a final report within a month.
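The reporting timeline just described, as an added worked example (not code from the article or from Advisori): it computes the initial, intermediate and final deadlines from the discovery and classification timestamps and shows the edge case where a late classification lets the 24-hour cap eat into the 4-hour window. The anchoring of the 72-hour and one-month deadlines on the initial-report deadline, and 30 days for "a month", are assumptions.

```python
from datetime import datetime, timedelta

# Deadlines as stated in the article. Assumption: all offsets are plain
# wall-clock durations from the named trigger event (no business-day rules).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_DISCOVERY = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INITIAL = timedelta(days=30)   # "within a month"; 30 days is an assumption


def reporting_deadlines(discovered: datetime, classified_major: datetime) -> dict:
    """Compute the reporting timeline for one major ICT-related incident.

    The initial report is due 4 h after the incident is classified as major,
    but never later than 24 h after discovery, so a late classification eats
    into the 4 h window. Intermediate and final deadlines are anchored on the
    initial-report deadline (assumption: the article gives no explicit anchor).
    """
    if classified_major < discovered:
        raise ValueError("classification cannot precede discovery")
    by_classification = classified_major + INITIAL_AFTER_CLASSIFICATION
    hard_cap = discovered + INITIAL_CAP_AFTER_DISCOVERY
    initial = min(by_classification, hard_cap)
    return {
        "initial": initial,
        # True when the 24 h cap, not the 4 h window, determines the deadline
        "cap_binds": hard_cap < by_classification,
        # latest classification time that still leaves the full 4 h window
        "classify_by": hard_cap - INITIAL_AFTER_CLASSIFICATION,
        "intermediate": initial + INTERMEDIATE_AFTER_INITIAL,
        "final": initial + FINAL_AFTER_INITIAL,
    }


def deadlines_from_iso(discovered_iso: str, classified_iso: str) -> dict:
    """Same as reporting_deadlines, but with ISO-8601 strings in and out."""
    result = reporting_deadlines(datetime.fromisoformat(discovered_iso),
                                 datetime.fromisoformat(classified_iso))
    return {k: (v.isoformat(sep=" ") if isinstance(v, datetime) else v)
            for k, v in result.items()}


if __name__ == "__main__":
    # Constructed scenarios: a timely classification (3 h after discovery)
    # and a late one (21 h after discovery), where the 24 h cap binds.
    for discovered, classified in [("2026-02-23 02:00", "2026-02-23 05:00"),
                                   ("2026-02-23 02:00", "2026-02-23 23:00")]:
        print(deadlines_from_iso(discovered, classified))
```

The `classify_by` value is the practical budget for triage: classification later than that point shortens the time available to prepare the initial report.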

The reality is different in many institutions. Incident response processes are often designed for technical escalation, not for regulatory reporting requirements. What is missing:

  • Defined classification criteria that are DORA-compliant and do not just focus on internal severity levels
  • Prepared reporting forms and processes that can be completed within four hours
  • Handover processes between IT security, compliance and management that work at night and on weekends
  • Regular exercises that go through the entire reporting process - not just the technical incident response

Anyone who is not prepared not only risks fines, but also damage to their reputation. BaFin will explicitly ask for documented incident response exercises during audits.

2. The ICT third-party provider register: Shadow IT as a blind spot

DORA requires financial companies to maintain a complete register of information on all contractual agreements with third-party ICT service providers. This register must be submitted to BaFin upon request and will be transmitted annually to the European supervisory authorities (ESAs) from 2026.

BaFin has already identified common errors during initial submission in 2025 and is offering workshops again in 2026 to prepare financial companies for the second round of submissions. The focus: experiences from the past year and avoiding recurring mistakes.

The fundamental problem lies deeper than faulty forms. Many information registers are simply incomplete. The reasons:

Shadow IT is everywhere. Departments use SaaS services, cloud storage and AI tools that never went through the official procurement process. A marketing team using Canva, an analyst with a ChatGPT subscription, a sales rep with an unapproved CRM addon — these are all third-party ICT relationships under DORA.

Subservice chains are not transparent. Even if a cloud provider is on the register, its subcontractors are often missing. However, DORA explicitly requires transparency across the entire supply chain.

Contract management is fragmented. ICT contracts are distributed among purchasing, IT, specialist departments and external legal advisors. A central, DORA-compliant register requires a consolidated view.

The solution starts with an honest inventory: which ICT services do we really use? Not just the ones we officially purchased, but all of them — including the shadow IT that isn't in any inventory.

3. Exit strategies: The ignored mandatory component

DORA explicitly requires in Article 28 that financial companies define exit strategies for critical ICT third-party service providers. These exit plans must ensure that a change of service provider is possible without interrupting business activities.

In practice, these strategies are missing in the majority of financial companies. The reasons are understandable, but unacceptable:

Vendor lock-in is systemic. Anyone who runs their core banking systems with a cloud provider cannot migrate in four weeks. Exit strategies for such scenarios require realistic migration concepts, alternative service providers and tested transition processes.

The costs seem prohibitive. A complete exit plan including a test migration costs money that does not add any immediate value. That’s why it’s prioritized — right at the bottom.

Contractual clauses are missing. Many existing contracts with ICT service providers do not contain DORA-compliant exit clauses. Renegotiations are time-consuming and encounter resistance from large providers.

During audits, BaFin will specifically ask about exit strategies for critical and important ICT functions. Anyone who can only present a concept paper that has never been tested will be deemed to need improvement.
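The register checks described in sections 2 and 3 above, as one added example (not code from the article or from Advisori): it reconciles a constructed information register against a constructed list of vendors observed outside procurement (as one would extract from SSO sign-in logs or card statements) to surface shadow IT, and flags critical entries that lack a subcontractor chain or a documented and tested exit strategy. The entry fields and all vendor names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """One row of the ICT third-party information register (constructed schema)."""
    provider: str
    service: str
    supports_critical_function: bool
    subcontractors: tuple = ()            # known sub-service providers
    exit_strategy_documented: bool = False
    exit_strategy_tested: bool = False


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key so 'canva' matches 'Canva'."""
    return " ".join(name.lower().split())


def audit_register(register: list, observed_providers: set) -> dict:
    """Cross-check the register against vendors actually seen in use.

    observed_providers: vendor names observed outside the procurement process.
    Returns lists of findings keyed by the DORA gap they correspond to.
    """
    registered = {_norm(e.provider) for e in register}
    findings = {
        "shadow_it": sorted(p for p in observed_providers
                            if _norm(p) not in registered),
        "missing_subcontractor_chain": [],
        "exit_strategy_missing": [],
        "exit_strategy_untested": [],
    }
    for e in register:
        if not e.supports_critical_function:
            continue                      # exit/subchain checks apply to critical functions
        label = f"{e.provider} / {e.service}"
        if not e.subcontractors:
            findings["missing_subcontractor_chain"].append(label)
        if not e.exit_strategy_documented:
            findings["exit_strategy_missing"].append(label)
        elif not e.exit_strategy_tested:
            findings["exit_strategy_untested"].append(label)
    return findings


# Constructed sample data: a small register and the vendors seen in SSO logs.
SAMPLE_REGISTER = [
    RegisterEntry("CloudCo", "core banking hosting", True,
                  subcontractors=("DC Operator GmbH",),
                  exit_strategy_documented=True, exit_strategy_tested=False),
    RegisterEntry("PayGateway AG", "payment gateway", True),
    RegisterEntry("Canva", "marketing design tool", False),
]
SAMPLE_OBSERVED = {"CloudCo", "canva", "ChatGPT Plus", "HubSpot CRM"}

if __name__ == "__main__":
    for gap, items in audit_register(SAMPLE_REGISTER, SAMPLE_OBSERVED).items():
        print(f"{gap}: {items}")
```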

4. TLPT: Tight market capacities meet increasing demand

Threat-Led Penetration Testing (TLPT) according to the TIBER-EU framework is the supreme discipline of DORA testing requirements. Not all financial companies are required to undertake TLPT — but those that are sufficiently mature from an ICT perspective and of systemic relevance are required to complete such a test every three years.

A TLPT is not an ordinary penetration test. It covers the entire company, is based on real threat scenarios (threat intelligence) and is carried out by specialized red teams that operate under the supervision of BaFin. The process typically takes six to twelve months and requires close coordination between the financial company, the threat intelligence provider, the red team and the regulator.

The problem: Capacity on the German market is limited. There are only a manageable number of providers that can carry out TLPT according to the TIBER-EU/DORA standard and are accepted by BaFin. The requirements for testers are high — they must have proven experience with TIBER testing, be independent and meet strict confidentiality requirements.

For affected financial companies, this means: Anyone who needs to carry out a TLPT in 2026 or 2027 should start planning now. The lead times for procuring suitable providers, coordinating with BaFin and actually carrying out the test do not allow for any delay.

Even companies that are not subject to TLPT should not underestimate the general testing requirements according to Article 25 DORA. Penetration tests, vulnerability scans, network security tests and scenario-based tests must be carried out and documented regularly. BaFin expects a risk-based testing program that covers all critical ICT systems and applications.

5. Governance: DORA as a management issue

DORA makes it unmistakably clear: responsibility for digital operational resilience lies with management. Article 5 requires the governing body to approve, monitor and periodically review the ICT risk management framework. Management must demonstrate sufficient knowledge and skills to understand and assess ICT risks.

In practice, this means: ICT risks should be a fixed agenda item in board meetings. Budget for digital resilience must be decided at management level. And those responsible must be trained regularly - not with a PowerPoint presentation, but with substantial training.

Many financial companies have formally adapted their governance structures, but operational implementation is lagging behind. There are guidelines, but no lived practice. There are responsible parties, but no escalation paths. There are reports, but no decisions.

In its second supervisory communication on DORA, BaFin made it clear that it takes the governance requirements seriously. Audits don't just ask about documents, but about practical experience. Can the board explain which critical third-party ICT providers the company uses? When was the last time a business continuity test was carried out? What were the results of the last penetration test?

What BaFin will check in 2026

BaFin has announced follow-up audits for 2026 and 2027. The main points can be derived from the previous publications and workshops:

Information register: BaFin will check the quality and completeness of the information registers. Based on the experience from the initial submission in 2025, expectations for 2026 have increased significantly. Common mistakes from the previous year will no longer be tolerated.

ICT risk management framework: BaFin expects a documented framework approved by management that covers all requirements from Chapter II DORA. Particular attention is paid to integration into company-wide risk management.

Incident reporting processes: BaFin will check whether the 4-hour reporting period can be operationally implemented. Documented processes, evidence of practice and experiences from real incidents are expected.

Test programs: BaFin expects a risk-based testing program that is updated regularly. For institutions subject to TLPT, the planning and, if necessary, implementation of the tests is checked.

Third-party management: In addition to the information register, BaFin will examine the contractual agreements with critical third-party ICT service providers - including exit strategies.

Important: The BAIT (banking supervisory requirements for IT) apply to certain institutions until December 31, 2026. During the transition phase, these institutions must meet both DORA and the BAIT requirements that are still in effect. From 2027, the scope of application will be further expanded by the Financial Market Digitization Act (FinmadiG).

The roadmap: Six measures for DORA compliance in 2026

Measure 1: Gap analysis with prioritization

Start with an honest inventory. Where do you stand on each of the five DORA core pillars? Not based on self-assessments, but on the basis of a systematic gap analysis that reviews documented evidence. Prioritize gaps based on risk and regulatory visibility — the information registry and incident reporting processes will be reviewed first in 2026.

Measure 2: Complete the information register

Use the BaFin workshops 2026 to learn from the mistakes of the previous year. Conduct a comprehensive shadow IT inventory. Expand the register to include sub-service provider chains. Ensure that the register is not treated as a static document, but as a living directory that is updated whenever the contract changes.

Measure 3: Design incident response processes to be DORA-compliant

Establish a dedicated DORA incident response process that runs parallel to technical incident management. Define clear classification criteria based on the DORA specifications. Create reporting templates. Appoint people responsible for 4-hour reporting - including nights, weekends and holidays. Practice the process at least quarterly.

Measure 4: Develop exit strategies for critical service providers

Identify your critical and important ICT functions. For each critical service provider: Develop a documented exit strategy that includes realistic migration scenarios, alternative providers and transition processes. Negotiate DORA-compliant contractual clauses - especially access, audit and termination rights.

Measure 5: Set up a test program and plan TLPT

Create a risk-based testing program that includes penetration testing, vulnerability scanning, and scenario-based testing. If you are subject to TLPT: Start looking for a provider and coordinating with BaFin now. Market capacity is limited and lead times are typically six to twelve months.

Measure 6: Operationalize governance

DORA compliance is a matter for top management. Ensure that management not only assumes formal responsibility, but also exercises operational control. Establish regular reporting formats. Provide management with substantial training. And make sure that in the event of a BaFin audit, not only the CISO, but also the board of directors can provide information.

DORA in the context of the 2026 regulatory wave

DORA is not isolated. The regulation wave of 2026 with NIS2, AI Act and Cyber Resilience Act hits financial companies at the same time. Anyone who runs DORA compliance as an isolated project misses out on synergies and risks duplicating work.

Specifically: ICT risk management according to DORA and risk management according to NIS2 have considerable overlap. Incident reporting processes can be consolidated — with adjustments to accommodate different deadlines. And the third-party management requirements under DORA complement the supply chain requirements under NIS2.

BaFin's positioning on AI and DORA is also relevant: The increasing use of AI systems in financial companies creates new ICT risks that must be taken into account in the DORA framework. AI-supported trading algorithms, automated credit decisions and AI-based fraud detection are ICT systems within the meaning of DORA and are subject to the corresponding testing and risk management requirements.

Sanctions and consequences for non-compliance

DORA does not provide for uniform fines across the EU - the sanctions are the responsibility of the national supervisory authorities. BaFin has a wide range of instruments at its disposal, ranging from administrative measures to public announcements and fines. However, it is not just the financial risk that is important.

The bigger consequences threaten at the operational level: BaFin can order improvement measures that tie up considerable resources. It can prohibit the use of certain ICT service providers. And it can hold management personally responsible for repeated violations.

Added to this is the reputational risk. In an industry based on trust, highly publicized DORA noncompliance can result in customer loss, rating downgrades, and reduced access to capital markets.

Why external support can be useful

DORA implementation is complex, cross-sectional and resource-intensive. It affects IT, compliance, legal, procurement and management equally. Many financial companies - especially medium-sized companies - do not have the internal capacity to process all requirements in parallel.

External support can provide added value in several areas:

  • Gap analyses and readiness assessments, which provide an objective view of the implementation status
  • Establishment of the ICT third-party provider register, including shadow IT inventory and subservice mapping
  • Development of incident response processes that operationally implement the 4-hour deadline
  • TLPT preparation and support, including provider selection and BaFin coordination
  • Governance advice that ensures DORA does not remain just an IT project

Advisori supports financial companies in DORA implementation — from gap analysis to audit preparation. Our approach is practical, regulatory-based and tailored to the specific challenges of the German financial market. At dora.advisori.de you will find an overview of our DORA services.

FAQ: Frequently asked questions about DORA 2026

Which companies fall under DORA?

DORA affects almost all regulated financial companies in the EU: credit institutions, payment service providers, insurance and reinsurance companies, investment firms, trading venues, central counterparties, crypto service providers and many others. Third-party ICT service providers that are classified as critical are also subject to direct supervision by the ESAs. From 2027, the FinmadiG will further expand the scope of application in Germany. Micro-enterprises with fewer than 10 employees or an annual turnover of less than 2 million euros are subject to simplified requirements according to Article 16 DORA.

What happens if a financial company fails to meet the 4-hour reporting deadline?

The 4-hour period begins when an incident is classified as major — no later than 24 hours after discovery. Failure to comply could result in supervisory measures from BaFin, which can range from administrative orders to fines. What is crucial is that the company can prove that it has functioning processes and that the deadline was not missed due to organizational failure. Documented incident response exercises and a clearly defined reporting process are the best protection.

Does every financial company have to do TLPT?

No. TLPT is only mandatory for financial companies that have sufficient maturity from an ICT perspective and are of systemic relevance. BaFin determines which institutions are subject to TLPT based on the RTS criteria. The tests must be carried out at least every three years. However, all other financial companies must implement a risk-based testing program under Article 25 DORA, which includes penetration testing and vulnerability scanning.

What is the difference between DORA and BAIT?

BAIT (Banking Supervisory Requirements for IT) was a national BaFin administrative regulation for banks. DORA is a directly applicable EU regulation with a significantly broader scope of application. DORA goes beyond BAIT in several areas — notably incident reporting (4-hour time limit), ICT third-party management (information register, exit strategies) and TLPT. The BAIT will apply to certain institutions until December 31, 2026, after which they will be completely replaced by DORA.

How long does a DORA implementation typically take?

This depends heavily on the initial state. For a medium-sized financial company that already has basic ICT risk management in place, six to twelve months are realistic for achieving essential compliance. A period of twelve to eighteen months should be planned for full compliance - including tested exit strategies, a complete information register and operationally robust incident response processes. TLPT projects require an additional six to twelve months of lead time.

Conclusion: act instead of waiting

The numbers are clear: a significant proportion of German financial companies are not yet DORA compliant. BaFin will begin systematic audits in 2026. Deadlines are tight, requirements are complex and market capacity for specialized services such as TLPT is limited.

Anyone who does not act now not only risks regulatory consequences, but also operational vulnerability. DORA is not an exercise in bureaucracy — the regulation addresses real cyber threats that are increasingly affecting the financial sector. Every week a company waits to implement is a week it is operating unprotected.

Would you like to know where your company stands in terms of DORA implementation? Talk to our DORA experts — we identify your gaps and develop a concrete compliance roadmap.

📖 Also read: DORA & BaFin audits: How you can now secure your resilience advantage and pass audits

