BaFin is auditing — are you ready?
DORA Compliance
From gap analysis to audit support. DORA has been mandatory since 17 January 2025 — and BaFin is acting: over 600 reported ICT incidents, ongoing §44 special audits, and in Q3 2025 the first DORA fine proceedings due to inadequate ICT third-party documentation. The new IDW audit standard EPS 528 defines how statutory auditors will assess your DORA compliance. We make your organization audit-ready — across all five DORA pillars, based on our ISO 27001-certified methodology and years of BAIT/MaRisk experience in the financial sector.
- ✓Comprehensive DORA gap analysis across all 5 pillars with a prioritized action plan
- ✓ICT risk management and incident reporting in accordance with BaFin requirements and RTS/ITS Level 2 standards
- ✓Third-party information register and concentration risk analysis (submission deadline: 30.03.2026)
- ✓Audit preparation for IDW EPS 528, §44 special audits, and internal review
- ✓TLPT support according to TIBER-EU for systemically important institutions
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
- Your strategic goals and objectives
- Desired business outcomes and ROI
- Steps already taken
Or contact us directly:
Certifications, Partners and more...
1 Year of DORA: The Grace Period Is Over — BaFin Is Auditing
Why ADVISORI for DORA Compliance
- ISO 27001-certified — our own information security meets the highest standards that we implement for our clients
- Deep experience with BAIT, MaRisk, KAIT, VAIT, and ZAIT — DORA builds on these frameworks, and we know each of them from years of practice at banks and insurance companies
- Dedicated DORA team with its own readiness check, two-day training program (dora.advisori.de), and experience from over 30 DORA projects
- AI platform Synthara AI Studio for automated compliance documentation, information register maintenance, and continuous monitoring
- Practical experience at banks, insurance companies, capital management companies, payment institutions, and investment firms of all sizes — from fintech to large bank
- In-depth knowledge of RTS/ITS Level 2 standards and close exchange with auditors conducting reviews under IDW EPS 528 and §44 KWG
⚠
Expert Consultation Available
Contact our specialists today for a personalized assessment of your requirements.
ADVISORI in Numbers
11+
Years of Experience
120+
Employees
520+
Projects
We follow a structured yet pragmatic approach. No overengineering, no paper compliance — but resilience that works in day-to-day operations, withstands any BaFin audit, and meets the RTS/ITS requirements of the ESAs.
Our Approach:
Phase 1 — Assessment (2–4 weeks): Systematic as-is analysis of your ICT governance against all DORA requirements and RTS/ITS. Benchmark against KPMG industry maturity levels, identification of regulatory gaps and quick wins. Output: gap report, maturity scoring, prioritized roadmap.
Phase 2 — Design (4–8 weeks): Development of the required frameworks, processes, and role models. Establishment of the ICT risk manager function, definition of reporting chains according to DORA deadlines (4h/72h/1M), build-out of the information register. Output: framework documentation, process map, role model.
Phase 3 — Implementation (8–16 weeks): Stepwise implementation with minimal impact on ongoing operations. Integration into existing ISMS, BCM, and outsourcing structures. Migration of existing BAIT/MaRisk evidence into the DORA framework. Output: implemented processes, populated information register, training records.
Phase 4 — Operationalization (ongoing): Embedding into day-to-day operations with KPI tracking, automated monitoring, and regular resilience exercises. Because DORA is not a project — it is a permanent state. Output: KPI dashboard, exercise protocols, quarterly reporting.
Phase 5 — Audit preparation (4–6 weeks): Targeted preparation for IDW EPS 528 audits, §44 special audits, and internal reviews. Documentation, evidence management, dry runs, and interview coaching. Output: audit readiness report, documentation matrix, dry-run protocol.
"ADVISORI provided exceptional expertise and guidance throughout our project. Their deep understanding of regulatory requirements and practical approach helped us achieve our compliance goals efficiently."
Sarah Richter
Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
DORA Audit Packages
Our DORA audit packages offer a structured assessment of your ICT risk management – aligned with regulatory requirements according to DORA. Get an overview here:
View DORA Audit PackagesOur Services
We offer you tailored solutions for your digital transformation
DORA Readiness Assessment
Where do you actually stand? Our readiness assessment systematically evaluates your current ICT governance against all DORA requirements and the 13 RTS/2 ITS of the ESAs — from ICT risk management and incident reporting to the third-party register. You receive a detailed gap report with a prioritized action plan, effort estimate, and timeline. Companies with an existing ISMS (e.g., ISO 27001) have, in our experience, already covered 40–60% of the requirements. Deliverables: gap report, maturity scoring per DORA pillar, management presentation, prioritized roadmap.
- Review of all 5 DORA pillars and RTS/ITS against your existing structures
- Gap report with risk assessment, prioritization, and effort estimate
- Management-ready results presentation for the executive board and supervisory board
- Benchmarking against KPMG industry maturity levels and current BaFin expectations
ICT Risk Management Framework
DORA Art. 5–16 requires a comprehensive ICT risk management framework — significantly beyond what BAIT and MaRisk previously demanded. The associated RTS specify requirements for risk taxonomy, protective measures, detection mechanisms, and recovery strategies. We design and implement this framework tailored to your organization, including the new role of the ICT risk manager. Deliverables: ICT risk framework, risk taxonomy, role model, process documentation.
- Development of a DORA-compliant ICT risk taxonomy and assessment methodology
- Definition and staffing of the ICT risk manager function pursuant to DORA Art. 6(4)
- Integration into existing ISMS (ISO 27001), BCM, and operational risk management
- Derivation of protection, detection, and recovery measures in accordance with RTS requirements
Incident Management & BaFin Reporting
Since January 2025, BaFin has registered over 600 serious ICT incidents — and explicitly checks whether documented incident response processes exist and are regularly exercised. DORA defines clear reporting deadlines: initial notification within 4 hours, intermediate report after 72 hours, final report after 1 month. We implement a complete incident management system including tabletop exercises. Deliverables: incident response playbook, reporting chain documentation, BaFin reporting templates, exercise program.
- Classification scheme for ICT incidents pursuant to DORA Art. 17–23 and the associated RTS
- Reporting chains and escalation paths with DORA deadlines (4h / 72h / 1 month)
- BaFin MVP reporting integration and process automation
- Incident response exercise program (tabletop exercises, simulations, lessons learned)
Third-Party Risk Management & Information Register
According to industry surveys, ICT third-party management is the greatest DORA challenge — 75% of critical outsourcing service providers originate from third countries. DORA requires a complete information register of all contractual arrangements with ICT third-party service providers. The next BaFin submission deadline is 30 March 2026. In Q3 2025, the first fine was imposed for inadequate third-party documentation. Deliverables: BaFin-compliant information register, concentration risk report, exit strategies, monitoring process.
- Build-out of the BaFin-compliant information register (submission deadline: 30.03.2026)
- Concentration risk analysis and substitutability assessment of critical providers
- Exit strategies and contingency plans for critical ICT service providers
- Ongoing monitoring and risk assessment of the third-party portfolio
TLPT & Resilience Testing
DORA Art. 24–27 requires regular testing of digital operational resilience — for systemically important institutions including Threat-Led Penetration Testing (TLPT) under the TIBER-EU framework, at least every 3 years. We plan and support your testing programs: from vulnerability assessments and scenario-based tests to full TLPT with qualified red team providers. Deliverables: test strategy, TLPT scope definition, provider selection, test support, measure tracking.
- Test planning and strategy pursuant to DORA Art. 24–27 and the associated RTS
- TLPT support according to the TIBER-EU/TIBER-DE framework
- Coordination with qualified threat intelligence and red team providers
- Derivation, prioritization, and tracking of measures from test results
DORA Audit Preparation & Audit Support
BaFin has announced DORA as an audit focus, and the IDW standard EPS 528 defines for the first time how statutory auditors must assess DORA compliance. In addition, §44 KWG special audits with a DORA focus are already underway. We prepare you specifically: documentation, evidence management, dry runs, and support during the audit. From 2026, the leniency for first-year deficiencies no longer applies. Deliverables: audit readiness report, documentation matrix, dry-run protocol, audit support.
- Preparation for IDW EPS 528 audits and §44 KWG special audits
- Documentation matrix: mapping of all DORA requirements to your evidence
- Dry runs with realistic audit scenarios and interview preparation
- Support during the audit as a technical sparring partner
Looking for a complete overview of all our services?
View Complete Service OverviewOur Areas of Expertise in Regulatory Compliance Management
Our expertise in managing regulatory compliance and transformation, including DORA.
DORA Digital Operational Resilience Act
Stärken Sie Ihre digitale operationelle Widerstandsfähigkeit gemäß DORA.
▼
Regulatory Transformation Projektmanagement
Wir steuern Ihre regulatorischen Transformationsprojekte erfolgreich – von der Konzeption bis zur nachhaltigen Implementierung.
▼
Frequently Asked Questions about DORA Compliance
Who does DORA apply to?
DORA applies to virtually the entire regulated financial sector in the EU: credit institutions, insurance undertakings, reinsurers, investment firms, payment service providers, e-money institutions, crypto-asset service providers (MiCAR), central securities depositories, and central counterparties — a total of
21 categories of financial entities. Critical ICT third-party service providers (e.g., cloud providers, data centers) that provide services to these entities also fall under the EU-wide oversight framework. With the Financial Market Digitalization Act (FinmadiG), Germany has further extended the scope at the national level — companies that were previously not subject to KRITIS requirements may now also be affected. Micro-enterprises are subject to a simplified framework (Art. 16) but are not exempt.
When will DORA be audited — and how?
DORA has been mandatory since
17 January
2025 — and BaFin is already actively supervising. In December 2025, BaFin informed over 4,
500 participants in a virtual event about its expectations. Initial §
44 special audits with a DORA focus have already taken place, and in Q
3 2025 the first DORA-related fine proceedings were initiated. The Institute of Public Auditors in Germany (IDW) is finalizing the audit standard EPS 528, which defines how statutory auditors must assess DORA compliance. For the
2025 audit year, leniency applies to deficiencies remediated by year-end — from
2026 onwards, this grace period no longer applies.
What is the DORA information register?
The information register (Art. 28(3)) is a central DORA requirement: financial entities must maintain a complete register of all contractual arrangements with ICT third-party service providers and make it available to BaFin. The next submission deadline is
30 March 2026. BaFin held its own workshops on the submission process in February
2026 and clarified the technical requirements via the MVP platform. The register must include, among other things, details on the type of service, criticality, subcontractors, data storage locations, and contractual exit options. KPMG recommends low-code-based solutions for ongoing maintenance.
What is the difference between DORA and NIS2?
DORA is sector-specific for the financial sector and goes significantly beyond NIS 2 in several areas: stricter requirements for ICT risk management, mandatory Threat-Led Penetration Testing (TLPT), a detailed third-party regulatory regime with an information register, and an EU-wide oversight framework for critical ICT providers. NIS 2 applies across sectors. For financial entities, DORA takes precedence (lex specialis pursuant to Art.
4 of the NIS 2 Directive) — NIS 2 requirements apply only supplementarily to the extent not already covered by DORA. In practice, this means: financial entities must fully implement DORA; for NIS2, a gap analysis of the remaining requirements is sufficient.
What sanctions are at risk for DORA violations?
DORA and the German FinmadiG provide for a multi-tiered sanctions regime. For ICT third-party providers subject to EU oversight, periodic penalty payments of up to 1% of average daily worldwide turnover may be imposed — on a daily basis until compliance is achieved. FinmadiG defines administrative offense provisions for financial entities with fines of up to EUR
5 million. In Q
3 2025, BaFin initiated its first DORA-related proceedings — due to inadequate ICT third-party risk documentation. In addition, supervisory measures are at risk: orders, public disclosures, and in extreme cases the withdrawal of the operating license.
What does DORA compliance cost?
Costs depend heavily on the maturity of your existing ICT governance. Companies with an established ISMS (e.g., ISO 27001) and functioning BAIT/MaRisk processes have, in our experience, already covered 40–60% of DORA requirements. The additional effort then focuses on the information register, formalized incident reporting under the new RTS reporting deadlines, and enhanced resilience testing. For a reliable effort estimate, we recommend an initial readiness assessment — this produces a concrete, prioritized action plan with realistic budget planning. For companies without a BAIT/MaRisk foundation, the effort is correspondingly higher.
Why is third-party risk management the greatest challenge?
An industry survey by IT-Finanzmagazin shows: ICT third-party management ranks first among DORA challenges by a wide margin. The reason is the extreme heterogeneity of dependencies: 75% of critical outsourcing service providers originate from third countries. Financial entities must be able to justify why they use certain providers for critical functions, assess substitutability, and maintain viable exit scenarios. The European designation of critical ICT third-party providers by the ESAs is anticipated and could trigger additional requirements. The first BaFin fine related specifically to this area.
What are the RTS/ITS and why do they matter?
The European supervisory authorities (EBA, ESMA, EIOPA) have issued
13 regulatory technical standards (RTS) and
2 implementing technical standards (ITS) that specify DORA at Level 2. These standards define in detail, for example, how the ICT risk management framework must be structured, what information the third-party register must contain, how ICT incidents must be classified and reported, and what requirements apply to TLPT. The RTS/ITS are directly applicable and binding — they are not guidelines but enforceable EU law. Companies that read only the DORA regulation itself will overlook significant operational requirements.
What is TLPT and who must conduct it?
Threat-Led Penetration Testing (TLPT) under Art. 26–
27 DORA is the most demanding testing requirement: systemically important financial entities must conduct threat-led penetration tests based on the TIBER-EU framework at least every
3 years. TLPT goes far beyond conventional penetration tests — it simulates real attack scenarios based on current threat intelligence and tests people, processes, and technology. The tests must be carried out by qualified external red team providers and approved by BaFin. Transitional arrangements apply for the first TLPT wave from 2025; from 2026, an expansion of the scope of entities required to conduct TLPT is expected.
What does FinmadiG regulate?
The Financial Market Digitalization Act (FinmadiG) is the German implementing legislation that accompanies DORA at the national level. It designates BaFin as the competent supervisory authority, defines national administrative offense provisions (fines of up to EUR
5 million), extends the scope beyond the EU regulation, and aligns existing legislation (KWG, VAG, ZAG, WpIG) with DORA requirements. FinmadiG also harmonizes the interaction between DORA and the existing German supervisory frameworks BAIT, KAIT, VAIT, and ZAIT, which are expected to be absorbed into DORA over time.
Success Stories
Discover how we support companies in their digital transformation
Generative KI in der Fertigung
Bosch
KI-Prozessoptimierung für bessere Produktionseffizienz
Fallstudie
Ergebnisse
Reduzierung der Implementierungszeit von AI-Anwendungen auf wenige Wochen
Verbesserung der Produktqualität durch frühzeitige Fehlererkennung
Steigerung der Effizienz in der Fertigung durch reduzierte Downtime
AI Automatisierung in der Produktion
Festo
Intelligente Vernetzung für zukunftsfähige Produktionssysteme
Fallstudie
Ergebnisse
Verbesserung der Produktionsgeschwindigkeit und Flexibilität
Reduzierung der Herstellungskosten durch effizientere Ressourcennutzung
Erhöhung der Kundenzufriedenheit durch personalisierte Produkte
KI-gestützte Fertigungsoptimierung
Siemens
Smarte Fertigungslösungen für maximale Wertschöpfung
Fallstudie
Ergebnisse
Erhebliche Steigerung der Produktionsleistung
Reduzierung von Downtime und Produktionskosten
Verbesserung der Nachhaltigkeit durch effizientere Ressourcennutzung
Digitalisierung im Stahlhandel
Klöckner & Co
Digitalisierung im Stahlhandel
Fallstudie
Ergebnisse
Über 2 Milliarden Euro Umsatz jährlich über digitale Kanäle
Ziel, bis 2022 60% des Umsatzes online zu erzielen
Verbesserung der Kundenzufriedenheit durch automatisierte Prozesse
Let's
Work Together!
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Your strategic success starts here
Our clients trust our expertise in digital transformation, compliance, and risk management
Ready for the next step?
Schedule a strategic consultation with our experts now
30 Minutes • Non-binding • Immediately available
For optimal preparation of your strategy session:
Your strategic goals and challenges
Desired business outcomes and ROI expectations
Current compliance and risk situation
Stakeholders and decision-makers in the project
Prefer direct contact?
Direct hotline for decision-makers
Strategic inquiries via email
Detailed Project Inquiry
For complex inquiries or if you want to provide specific information in advance