
In the final Compliance Digest of the year, we take a look at some key 2025 Digital Operational Resilience Act (DORA) trends, based on analysis of data and information primarily from BaFin, but also from the DNB, FMA, HANFA and MFSA.

On 4 Dec 2025, BaFin released IT supervision in the financial sector: The first year of DORA, consisting of four documents:

  • First Findings from DORA Supervisory Inspections.
  • Analysis of ICT Third-Party Relationships.
  • Observations from ICT Incident Reporting.
  • Developments in ICT Third-Party Risk Management (covered in our newsletter conclusion).

Your contacts
Shreeji Doshi

Director, GRC | Cyber Risk

sdoshi@thomasmurray.com

First Findings from DORA Supervisory Inspections

BaFin reported a number of audit findings and implementation challenges:

  • Governance: Unclear strategies; non-measurable objectives; insufficient involvement of the management body.
  • ICT Risk Management: Incomplete identification of critical functions; inventory deficiencies; weak independence of ICT control functions.
  • Protection and Prevention: Inadequate vulnerability and patch management; insufficient testing of security measures; weak third party security controls.
  • Detection and Response: Incomplete SIEM coverage; weak log protection; insufficient alarm handling.
  • Business Continuity: Outdated or untested recovery plans; weak integration of third party providers.

Analysis of ICT Third-Party Relationships

BaFin's analysis of Register of Information data is summarised below:

  • Concentration:
    • The top 10 CTPPs hold over 85% of contracts with the 19 CTPPs.
    • Three-quarters of ICT service contracts with Top 10 CTPPs involve services supporting critical or important functions.
    • Approximately 40% of CTPP ICT services involve software (combined software and cloud services represent nearly 50%).
  • Replaceability Challenges:
    • Top challenge: Replaceability of cloud and software solutions (or combinations thereof).
    • Average: Less than half of firms have an exit plan.
    • "Not replaceable" category: Fewer exit plans present regulatory challenges.
  • Re-integrability:
    • 62% of BaFin financial institutions using CTPP ICT services have indicated that services are difficult or highly complex to reintegrate.
    • Of these 62%, half believe that their ICT service is very difficult or impossible to replace completely.

Observations from ICT Incident Reporting

BaFin’s Observations from ICT Incident Reporting can be found below.

  • Distribution by Supervision Area
    • Most incidents affect banking supervision (514 incidents).
    • Insurance supervision: 56 incidents.
    • Securities supervision: 6 incidents.
    • Approximately 50% of all incidents are payments related.
  • Security vs. Operational Incidents
    • 68 security incidents (11.1% of the total) - higher than under PSD2 reporting.
    • 543 operational incidents (88.9%).
  • Incident Causes (multiple selections possible)
    • External events: 49.3%, of which failures at third parties constituted 50.9%.
    • System failure/malfunction: 10.9%.
    • Process failure: 9.6%.
    • Human error: 9.5%.
    • Malicious actions: 46.6%.

Third party providers are increasingly the source of cyber incidents

We’ve recently taken part in speaking events organised by HANFA, the Croatian financial services supervisory agency, with participation from the Austrian regulator (the FMA), and the Croatian National Cyber Security Center. At these events, it was noted that third party providers were increasingly the source of cyber incidents, with upwards of 50% of incidents reported this year identifying them as the originator of problems.

The second annual HANFA DORA conference indicated that the DORA supervisory focus is now firmly on oversight of ICT Third Party Risk Management. This is consistent with the data reported by BaFin. We also spoke at the MFSA event in Malta, where ICT TPRM was likewise pinpointed as a supervisory priority for 2026. The pattern was further confirmed at the DNB in the Netherlands, whose supervisory priorities for 2026 include managing IT/cyber risks and risks associated with outsourced ICT services, and obtaining and maintaining up-to-date information on ICT concentration risk in outsourcing chains through information registers.

Year One DORA Take-Homes

Year 1 DORA implementation has provided supervisors with valuable insights into how financial institutions can and should manage ICT risks, incidents, and third party dependencies.

Third party risk management has emerged as a central pillar of digital resilience. Financial institutions must now shift their focus toward ongoing risk management and oversight (DORA requires comprehensive ex-ante risk assessments, robust due diligence, and continuous monitoring, particularly where ICT services support critical or important functions).

Overall, the early DORA experience shows meaningful progress, but also reveals persistent gaps in detection capabilities, third party oversight, and practical implementation. Supervisors expect institutions to move beyond foundational work toward demonstrably effective, tested, and integrated resilience measures in the coming years. Financial institutions must move beyond documentation compliance toward demonstrating effective implementation through regular testing, continuous monitoring, and measurable risk reduction.
