Contents
- IT-Supervision under DORA: BaFin’s Experience After 11–12 Months
- BaFin’s Macro-Assessment: From Paper Compliance to Effectiveness
- CIF Identification: The Central Weak Point in IT-Supervision
- ICT Third-Party Oversight: Dependency, Concentration, Substitutability
- ICT Incidents & Reporting: Quality, Detection and Dependencies
- On-site Inspections: What BaFin Is Finding in Practice
- Supervisory Expectations for 2026/27: What BaFin Will Look For Next
IT-Supervision under DORA: BaFin’s Experience After 11–12 Months
IT-supervision under DORA has entered a new phase. After one year of implementation, BaFin has delivered a clear picture of where German institutions stand — and where the supervisory expectations for 2026/27 are heading. The insights from four BaFin presentations reveal recurring patterns: strong progress on governance and documentation, but significant gaps in effectiveness, inventories, detection and ICT third-party oversight.
This page summarises BaFin’s consolidated view and highlights what “good IT-supervision under DORA” now means in practice.
BaFin’s Macro-Assessment: From Paper Compliance to Effectiveness
BaFin considers 2025 a transition year. Institutions have built frameworks, policies and information registers, but now must prove measurable operational resilience.
The supervisory focus has shifted to:
- Consistent identification and management of critical or important functions (CIFs)
- Integration of ICT risk management into business processes
- Demonstrable effectiveness of controls, not merely their existence
- Solid governance with active board involvement
Supervision is now laser-focused on how resilience performs in real scenarios: outages, cyberattacks, vendor failures and prolonged disruptions.
CIF Identification: The Central Weak Point in IT-Supervision
Across all inspections, BaFin finds the same issue: CIFs are poorly or implausibly identified.
Typical supervisory findings:
- CIFs classified too broadly (“everything is critical”) or too granularly (not manageable)
- Missing linkage between CIFs and supporting ICT assets
- Incomplete inventories and missing process dependencies
- No clear, documented methodology aligned with Business Impact Analysis
For BaFin, the CIF framework is the pivot point for the entire DORA regime. Incorrect CIF classification distorts the scope of contracts, monitoring, incident reporting and business continuity planning.
ICT Third-Party Oversight: Dependency, Concentration, Substitutability
BaFin’s network analysis shows a highly concentrated ICT ecosystem:
- 19 EU-designated Critical ICT Third-Party Providers (CTPPs)
- Top 10 of them represent >85% of all CTPP contracts in German institutions
- Around 75% of these contracts support CIFs
- Majority of providers headquartered in third countries, predominantly the US
Supervisory lessons:
- Third-party risk is systemic, not isolated
- Institutions underestimate substitutability challenges
- Exit plans are missing for more than half of CIF-relevant services
- Many risk assessments are formalistic, lacking analysis of geopolitical, operational and concentration risks
DORA’s dedicated CTPP oversight regime exists precisely because these risks cannot be managed through bilateral contracts alone.
ICT Incidents & Reporting: Quality, Detection and Dependencies
After one year, BaFin’s incident dataset reveals:
- ~2,250 submissions, but only 805 actual incidents (high duplication rate)
- Without aggregated service-provider reports, the volume would have been 4.7 times higher
- Cyber incidents are discovered late — median 14 days in the >3-day category
- One third of security incidents originate at ICT service providers
- Less than 10% of incidents account for ~95% of the reported transaction volume
Supervisory concerns:
- Detection deficits, especially in cyber
- Incorrect or inconsistent classification
- Incomplete incident forms
- Weak integration between IT, operations and the reporting function
BaFin is responding with technical improvements (JSON/SOAP channels) and stricter guidance on classification quality.
On-site Inspections: What BaFin Is Finding in Practice
The first round of DORA on-site inspections uncovered systematic gaps:
Governance
- Strategies vague, risk appetite not measurable
- Weak board involvement
- Late or superficial updates to security frameworks
ICT Risk Management
- Inventories incomplete
- Missing dependencies between processes and ICT assets
- Weak ICT control function
Protection & Prevention
- Patch and vulnerability management not comprehensive
- Insufficient privileged access management and encryption
- Security requirements in contracts too weak
Detection & Response
- Incomplete SIEM coverage of CIF systems
- Insufficient 24/7 alert handling
- Use cases not tested or not maintained
Business Continuity
- RTO/RPO from BIAs not implemented in contingency plans
- Exercises unrealistic or outdated
- Third parties barely involved in BCM
BaFin’s consolidated message: responsibilities, data quality, integration and operational tests must improve significantly.
Supervisory Expectations for 2026/27: What BaFin Will Look For Next
BaFin’s lessons learned translate into clear forward-looking expectations:
- A hardened CIF framework: methodologically sound, process-based, inventory-driven
- End-to-end third-party lifecycle management: due diligence, subcontracting chains, exit planning
- Full SIEM coverage for all CIF-related systems; proven reduction of detection times
- Resilience testing as a standard practice: technical + organisational tests
- Professional incident reporting: correct classification, complete data, consistent internal processes
- Board accountability in action: meaningful reporting, decision-making and follow-up
DORA compliance is now multi-year and iterative — and BaFin will assess institutions on actual resilience, not documented intentions.
Source: https://www.bafin.de/SharedDocs/Veranstaltungen/DE/neu/261208_it_finanzsektor.html