The 10 most common and serious DORA-findings

1. Governance, DOR Strategy & the Role of the Management Body

Governance is the single largest area of unfinished work.

Typical deficiencies include:

  • unclear or contradictory DOR strategies
  • risk tolerances not defined in measurable terms
  • written organisational frameworks that are too generic or updated too late
  • management bodies that merely receive information instead of actively steering

Why this is critical:

DORA is a board-accountability regime. Weak governance directly affects all other areas: third-party management, CIFs, BCM, SIEM, incident response and reporting.


2. Incorrect or Insufficient Definition of Critical or Important Functions (CIFs)

Few issues have such extensive consequences as unclear CIF methodology.

Common mistakes include:

  • everything is critical – or nothing is
  • CIF criteria not documented or not process-based
  • applications, data and dependencies poorly assigned

Why this is critical:

The CIF definition determines the scope of the entire DORA regime: monitoring, contractual requirements, BCM, testing, SIEM coverage and reporting.


3. Incomplete Inventories & Unclear Dependencies

BaFin classifies this as one of the most serious structural weaknesses.

Frequent findings:

  • incomplete inventories (systems, data, interfaces, processes)
  • undocumented dependencies (system → provider → data → CIF)
  • poor data quality and inconsistencies across registers

Why this is critical:

Inventories form the foundation for risk analyses, resilience testing and incident detection. Without them, supervisory compliance cannot be achieved.


4. Third-Party Lifecycle & Inadequate Risk Analyses

Most institutions have created DORA-aligned frameworks, but:

  • ex-ante risk analyses are superficial or purely formal
  • due-diligence reviews do not fully integrate security, legal, geopolitical or resilience criteria
  • provider risk assessments are adopted uncritically
  • contract management does not reflect the actual risk profile

Why this is critical:

DORA requires end-to-end third-party risk management that functions continuously – not only at contract signature.


5. Subcontracting Chains: Lack of Transparency as a Structural Risk

BaFin highlights this issue explicitly:

  • subcontracting chains are almost never fully visible
  • many institutions only know levels 1–2, although DORA requires full transparency
  • risks arising in levels 3+ remain unassessed

Why this is critical:

Particularly for cloud and platform operators, subcontracting chains can create hidden systemic risks that undermine resilience and compliance.


6. CTPPs: Concentration Risks, Substitutability & Missing Exit Plans

BaFin refers to this as the core systemic risk:

  • only 10 of 19 CTPPs hold over 85% of all relevant contracts
  • 75% of these services support CIFs
  • software and cloud are considered hardest to substitute – yet exit plans are missing in >50% of cases
  • reintegration is highly complex (62% of services)

Why this is critical:

Missing exit strategies for critical or non-substitutable providers are not acceptable from a supervisory perspective. DORA has therefore introduced its own European oversight regime for CTPPs.


7. Protection & Prevention: Vulnerabilities, Patches and Basic Controls

A domain in which BaFin identified a large number of deficiencies:

  • patch management inconsistent, not automated, deadlines missed
  • vulnerability processes lack prioritisation or tracking
  • network segmentation, encryption and privileged access management below industry standards
  • third parties insufficiently integrated into security processes

Why this is critical:

This results in persistently open attack surfaces — especially in highly critical environments (payments, cloud, core banking systems).


8. Detection & SIEM: Detection, Response and 24/7 Capability

One of the most severe operational weaknesses:

  • CIF-relevant systems often not fully integrated with SIEM
  • log data insufficiently protected
  • detection use-cases not systematically developed or tested
  • incomplete 24/7 incident-response capability

BaFin’s analysis shows that cyber incidents are often detected only days after they occur (median: 14 days).

Why this is critical:

An institution without robust detection capability cannot meet incident-reporting obligations, limit damage or demonstrate resilience.


9. ICT Business Continuity: BIA, RTO/RPO & Resilience Testing

BaFin identifies:

  • BIA results not linked to BCM plans
  • RTO/RPO targets not realised in practice
  • tests unrealistic, infrequent or undocumented
  • service providers absent from exercises
  • weak follow-up of deficiencies

Why this is critical:

BCM deficiencies strike at the heart of DORA’s resilience requirements – the ability to maintain operations during disruption.


10. Incident Reporting Quality & Reporting Framework

Even after the first year of DORA, the reporting system remains strained:

  • of 2,250 submissions, only 805 were genuine incidents
  • misclassifications, missing data and incorrect amounts are common
  • aggregated reporting is indispensable yet error-prone
  • cyber incidents often detected late → delayed reporting

Why this is critical:

DORA incident reporting is the supervisory early-warning mechanism. Poor data quality weakens the entire European resilience framework.
