DORA Compliance

DORA applies to virtually the entire regulated financial sector in the EU: credit institutions, insurance undertakings, reinsurers, investment firms, payment service providers, e-money institutions, crypto-asset service providers (MiCAR), central securities depositories, and central counterparties — a total of

21 categories of financial entities. Critical ICT third-party service providers (e.g., cloud providers, data centers) that provide services to these entities also fall under the EU-wide oversight framework. With the Financial Market Digitalization Act (FinmadiG), Germany has further extended the scope at the national level — companies that were previously not subject to KRITIS requirements may now also be affected. Micro-enterprises are subject to a simplified framework (Art. 16) but are not exempt.

DORA has been mandatory since

17 January

2025 — and BaFin is already actively supervising. In December 2025, BaFin informed over 4,

500 participants in a virtual event about its expectations. Initial §

44 special audits with a DORA focus have already taken place, and in Q

3 2025 the first DORA-related fine proceedings were initiated. The Institute of Public Auditors in Germany (IDW) is finalizing the audit standard EPS 528, which defines how statutory auditors must assess DORA compliance. For the

2025 audit year, leniency applies to deficiencies remediated by year-end — from

2026 onwards, this grace period no longer applies.

The information register (Art. 28(3)) is a central DORA requirement: financial entities must maintain a complete register of all contractual arrangements with ICT third-party service providers and make it available to BaFin. The next submission deadline is

30 March 2026. BaFin held its own workshops on the submission process in February

2026 and clarified the technical requirements via the MVP platform. The register must include, among other things, details on the type of service, criticality, subcontractors, data storage locations, and contractual exit options. KPMG recommends low-code-based solutions for ongoing maintenance.

DORA is sector-specific for the financial sector and goes significantly beyond NIS 2 in several areas: stricter requirements for ICT risk management, mandatory Threat-Led Penetration Testing (TLPT), a detailed third-party regulatory regime with an information register, and an EU-wide oversight framework for critical ICT providers. NIS 2 applies across sectors. For financial entities, DORA takes precedence (lex specialis pursuant to Art.

4 of the NIS 2 Directive) — NIS 2 requirements apply only supplementarily to the extent not already covered by DORA. In practice, this means: financial entities must fully implement DORA; for NIS2, a gap analysis of the remaining requirements is sufficient.

DORA and the German FinmadiG provide for a multi-tiered sanctions regime. For ICT third-party providers subject to EU oversight, periodic penalty payments of up to 1% of average daily worldwide turnover may be imposed — on a daily basis until compliance is achieved. FinmadiG defines administrative offense provisions for financial entities with fines of up to EUR

5 million. In Q

3 2025, BaFin initiated its first DORA-related proceedings — due to inadequate ICT third-party risk documentation. In addition, supervisory measures are at risk: orders, public disclosures, and in extreme cases the withdrawal of the operating license.

Costs depend heavily on the maturity of your existing ICT governance. Companies with an established ISMS (e.g., ISO 27001) and functioning BAIT/MaRisk processes have, in our experience, already covered 40–60% of DORA requirements. The additional effort then focuses on the information register, formalized incident reporting under the new RTS reporting deadlines, and enhanced resilience testing. For a reliable effort estimate, we recommend an initial readiness assessment — this produces a concrete, prioritized action plan with realistic budget planning. For companies without a BAIT/MaRisk foundation, the effort is correspondingly higher.

An industry survey by IT-Finanzmagazin shows: ICT third-party management ranks first among DORA challenges by a wide margin. The reason is the extreme heterogeneity of dependencies: 75% of critical outsourcing service providers originate from third countries. Financial entities must be able to justify why they use certain providers for critical functions, assess substitutability, and maintain viable exit scenarios. The European designation of critical ICT third-party providers by the ESAs is anticipated and could trigger additional requirements. The first BaFin fine related specifically to this area.

The European supervisory authorities (EBA, ESMA, EIOPA) have issued

13 regulatory technical standards (RTS) and

2 implementing technical standards (ITS) that specify DORA at Level 2. These standards define in detail, for example, how the ICT risk management framework must be structured, what information the third-party register must contain, how ICT incidents must be classified and reported, and what requirements apply to TLPT. The RTS/ITS are directly applicable and binding — they are not guidelines but enforceable EU law. Companies that read only the DORA regulation itself will overlook significant operational requirements.

Threat-Led Penetration Testing (TLPT) under Art. 26–27 DORA is the most demanding testing requirement: systemically important financial entities must conduct threat-led penetration tests based on the TIBER-EU framework at least every

3 years. TLPT goes far beyond conventional penetration tests — it simulates real attack scenarios based on current threat intelligence and tests people, processes, and technology. The tests must be carried out by qualified external red team providers and approved by BaFin. Transitional arrangements apply for the first TLPT wave from 2025; from 2026, an expansion of the scope of entities required to conduct TLPT is expected.

The Financial Market Digitalization Act (FinmadiG) is the German implementing legislation that accompanies DORA at the national level. It designates BaFin as the competent supervisory authority, defines national administrative offense provisions (fines of up to EUR

5 million), extends the scope beyond the EU regulation, and aligns existing legislation (KWG, VAG, ZAG, WpIG) with DORA requirements. FinmadiG also harmonizes the interaction between DORA and the existing German supervisory frameworks BAIT, KAIT, VAIT, and ZAIT, which are expected to be absorbed into DORA over time.