Introduction: A regulatory paradigm shift

It was a morning in July 2024 that provided European financial supervisors with the last argument they may have needed: a single faulty software update from IT security provider CrowdStrike brought computer systems worldwide to a halt – airports, hospitals, and indeed financial institutions. The immediate damage to the financial markets remained manageable. But the message was unmistakable: the digital vulnerability of the financial system is no longer a theoretical exercise.

Since 17 January 2025, the Digital Operational Resilience Act (DORA) has been mandatory. EU Regulation (EU) 2022/2554 affects approximately 22,000 financial entities across the European Union, including 3,600 in Germany alone. It creates, for the first time, a harmonised, cross-sectoral legal framework for ICT risk management, cybersecurity and digital operational stability. National frameworks such as Germany's Supervisory Requirements for IT in Financial Institutions (BAIT) are gradually receding into the background.

For German banks – particularly in their Capital Markets operations and Asset Management divisions – DORA represents far more than an IT compliance project. It is a structural transformation that reaches into trading floors, portfolio management systems, and contractual relationships with cloud providers.

DORA at a Glance
  • Legal basis: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector
  • Application: Mandatory since 17 January 2025, no transitional period
  • Scope: ~22,000 financial entities EU-wide, 3,600 in Germany – incl. banks, investment firms, management companies, trading venues, insurers, crypto service providers
  • Supervision DE: BaFin as the central reporting hub for ICT incidents
  • Sanctions: Fines up to €5 million, plus potential capital add-ons
  • Novelty: First-ever direct EU oversight of critical ICT third-party providers (cloud hyperscalers)

The five pillars of DORA – and what they mean for Capital Markets

DORA rests on five regulatory pillars that, taken together, represent a paradigm shift. None of these pillars can be viewed in isolation – they interlock and generate considerable transformation pressure, particularly in the technologically highly interconnected domains of Capital Markets and Asset Management.

Pillar 1: ICT risk management

Financial entities must maintain a comprehensive, documented framework for managing their information and communication technology (ICT) risks. For Capital Markets divisions, this means the complete recording and annual review of all IT systems supporting trading processes, risk modelling, order routing and settlement. All ICT assets and business-critical functions must be inventoried.

Pillar 2: Incident reporting and management

Major ICT incidents must be reported to BaFin under a three-stage reporting procedure – within one business day of detection, an interim report within one week, and a final report including root-cause analysis within one month. In Capital Markets, where milliseconds determine profits and losses, this requires real-time monitoring at a level many institutions have not yet achieved.

Pillar 3: Digital resilience testing

From basic vulnerability scans to threat-led penetration tests (TLPT) – systemically important institutions must subject their trading infrastructure to such tests at least every three years. The TLPT requirements have been integrated into the supervisory review and evaluation process (SREP) of the Capital Requirements Directive.

Pillar 4: Third-party risk management

This pillar strikes at the core of Capital Markets operations. Trading platforms, market data providers, cloud-based risk modelling, algorithmic trading systems – dependence on external ICT service providers is greater in no other business line of German banks. DORA requires comprehensive due diligence, minimum contractual standards and, above all, exit strategies for the event that a critical provider fails.

Pillar 5: Information sharing

Financial entities are encouraged to participate in voluntary but structured exchanges of threat intelligence – under strict observance of data protection requirements.

Capital Markets: When latency meets regulation

The Capital Markets operations of German banks function within a technological ecosystem of high complexity. Electronic trading platforms, algorithmic systems, real-time risk models, central counterparties (CCPs) and central securities depositories form a value chain in which every link depends on ICT systems – and in which a failure has immediate financial consequences.

DORA explicitly addresses trading venues, investment firms and clearing houses as regulated entities. But its reach extends further: the ICT service providers operating this infrastructure – from market data providers such as Bloomberg or Refinitiv to the cloud hyperscalers on whose infrastructure an increasing share of trading operations runs – also come under supervisory focus.

"The concentration on a few providers and a fragmented value chain make it difficult to control critical processes. An incident at a systemically important IT service provider can trigger a domino effect."
Jens Obermöller, BaFin – IT Supervision Division

For major German banks with significant Capital Markets operations, this gives rise to concrete challenges. BaFin is increasingly focusing on concentration risks: what happens if several systemically important institutions use the same cloud provider for their trading infrastructure and it fails? DORA requires precisely this scenario to be played out – with documented contingency plans and functional exit strategies.

Particularly sensitive is the question of legacy systems. Many trading infrastructures at German banks have grown over decades, often merged through acquisitions into a patchwork of different technologies. DORA's requirements for seamless documentation, regular testing and complete inventorisation of all ICT assets meet a reality in which not every system and not every interface is fully mapped.

Asset Management: Delegation does not shield from responsibility

In Asset Management, DORA encounters an industry structure that has traditionally relied heavily on delegation and outsourcing. Management companies (KVGen), UCITS management companies and alternative investment fund managers (AIFMs) are explicitly within the scope of the regulation.

The core regulatory message is: delegation does not relieve responsibility. Even when portfolio management, risk control or fund accounting is outsourced to third-party providers, the obligation to monitor and manage the associated ICT risks remains with the outsourcing institution. DORA requires governing bodies to fully understand the impact of their ICT dependencies on critical business functions.

Affected Actors in Asset Management
  • MiFID investment firms – incl. portfolio management and investment advice
  • UCITS management companies – management of retail funds
  • Alternative investment fund managers (AIFMs) – except sub-threshold AIFMs
  • Management companies (KVGen) – already regulated via KAIT, now DORA-obligated
  • ICT third-party providers – portfolio management systems, custodians, fund accounting, market data providers

For German asset managers, this means considerable adjustment to contractual relationships with their technology partners. Existing contracts with portfolio management systems, custodians, transfer agents and fund accounting platforms must be reviewed against the DORA requirements of Article 30 and renegotiated where necessary. A KPMG study shows that the bulk of these renegotiations has shifted to 2025, keeping institutions occupied for months.

Adding to this is the growing importance of cloud-based solutions in Asset Management – from risk modelling and ESG data analysis to AI-powered investment processes. Each of these technology applications falls under DORA's ICT third-party risk management and requires an independent risk assessment, contractual safeguards and ongoing monitoring.

The role of BaFin: From national supervisor to European team player

DORA also shifts the supervisory architecture. BaFin continues to serve as the central reporting hub for ICT incidents in Germany. At the same time, so-called critical ICT third-party providers – primarily the large cloud hyperscalers such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud – are for the first time placed under direct European supervision.

EU-wide teams are being formed for this oversight, led by one of the three European Supervisory Authorities (EBA, ESMA, EIOPA) and staffed with examiners from national authorities. BaFin has announced its active participation in these oversight teams. It is a novelty in European financial supervision: technology companies that are not themselves financial institutions are subject to direct regulatory oversight for the first time.

BaFin's supervisory notice from August 2025 on simplified ICT risk management frameworks also shows that the authority takes the proportionality principle seriously. Smaller institutions and management companies may apply lighter requirements – provided their risk profiles justify this.

The implementation gap: No German institution was fully compliant by the deadline

"None of the surveyed banks had fully met the DORA requirements by January 2025."
KPMG Benchmark Study, 2025

The uncomfortable truth: at the time of application on 17 January 2025, according to a KPMG study, none of the surveyed German banks had fully implemented all DORA requirements. The largest gaps exist in contract adjustments with ICT third-party providers, the complete inventorisation of all ICT assets, and the implementation of end-to-end reporting processes for ICT incidents.

The reasons are multifaceted: resource bottlenecks in IT, differing interpretations of the technical regulatory standards, the sheer volume of contract adjustments, and the acute shortage of skilled professionals in cybersecurity. Fines of up to five million euros are possible for non-compliance; BaFin can also impose capital add-ons – an instrument already familiar from supervisory practice in cases of IT deficiencies.

Another milestone lies ahead: from 1 January 2027, the Financial Market Digitalisation Act (FinmadiG) will expand the scope of DORA in Germany. Additional institutions, including factoring and leasing companies, will then fall under the regulation.

Recommendations: What German banks should do now

For boards and senior management of German banks active in Capital Markets and Asset Management, the call to action extends well beyond mere compliance:

1. Update gap analyses and prioritise high-risk areas

An updated gap analysis – measured against the complete DORA requirements catalogue including Level 2 regulatory standards – is the immediate first step. Capital Markets and Asset Management divisions should be prioritised as high-risk segments, given their greatest dependence on third-party providers and the complexity of their ICT landscape.

2. Strategically restructure third-party risk management

Contractual relationships with all critical ICT service providers must be systematically reviewed against Article 30 DORA requirements, documented exit strategies developed, and concentration risks with cloud providers actively managed. Contract adjustments are not a one-off project but an ongoing process.

3. Anchor DORA compliance as a board-level topic

DORA explicitly requires the governing body to define, be accountable for, and regularly review the ICT risk strategy. A dedicated governance structure linking IT security, compliance, risk management and operational business lines is essential.

4. Invest in technology and talent

Artificial intelligence can support anomaly detection and continuous monitoring. At the same time, banks must invest in training and professional development to address the skills shortage in cybersecurity and penetration testing.

5. Leverage information sharing as a strategic advantage

German institutions should view the voluntary exchange of cyber threat intelligence not as a regulatory checkbox but as a necessity. In an environment where AI-powered attacks grow ever more sophisticated, collective defence is not a luxury.

Regulatory Timeline
  • Sep 2020: EU Commission legislative proposal. Published as part of the Digital Finance Package.
  • Dec 2022: Publication in the Official Journal of the EU. Regulation (EU) 2022/2554; start of the two-year implementation period.
  • Jan 2023: DORA Regulation enters into force. DORA formally enters into force on 16 January 2023.
  • Jan 2024: First package of RTS and ITS. Three regulatory technical standards and one implementing technical standard.
  • Jul 2024: Second package of further standards and guidelines. Four RTS, one ITS and guidelines on TLPT, subcontracting and incident reporting.
  • Jan 2025: Mandatory application of DORA. From 17 January 2025, all financial entities must comply; BAIT is gradually superseded.
  • 2025 ongoing: Implementation, audits and contract adjustments. Gap analyses, renegotiation of third-party contracts, building reporting processes. No German institution fully compliant.
  • Dec 2025: NIS 2 Implementing Act enters into force. DORA takes precedence over NIS 2 for financial entities; synergies in incident reporting.
  • End of 2026: Final sunset of BAIT. National BAIT definitively loses validity in favour of EU-wide DORA standards.
  • Jan 2027: Extended scope in Germany. FinmadiG brings additional institutions under DORA, including factoring and leasing companies.
  • From 2027: Ongoing oversight of critical ICT third-party providers. EU-wide teams audit cloud hyperscalers; continuous TLPT cycles for systemically important institutions.