THREAT BRIEFING · 04.07.2026 DEENFRES

News/10 min

DORA after 15 months: Security lessons from first 2026 audits

Von Alec Chizhik · 17. April 2026

7 min read

Since 17 January 2025, DORA has been binding on financial institutions across the EU. After fifteen months of routine operation, the first audit cycles are complete. The lessons for security teams at banks, insurers and asset managers are both concrete and uncomfortable. The four-hour incident-reporting window, the new clauses in third-party contracts and the TLPT testing regime are pushing operations to the limit – limits that can no longer be met with standard processes.

Key Takeaways

  • Four-hour classification is the bottleneck. After the initial notification to the supervisor, 72 hours remain for an interim report and one month for the final report. In practice, the limiting factor is the first classification decision, which must be made within hours.
  • Third-party register is audit priority one. The required contract clauses (audit rights, exit strategy, SLA guarantees) are missing from many legacy agreements. Renegotiation with cloud providers and critical SaaS vendors is running in parallel with routine operations at many institutions.
  • TLPT meets under-resourced red teams. Threat-led penetration testing under TIBER-EU requires accredited providers and internal defenders who can keep pace. Capacity on both sides is tight, with planning lead times of six to nine months.

RelatedNIS2 Reporting Channels: Shaping the First Incident Hour  /  Adaptive MFA in Entra, Okta & Duo: Rolling Out NIS2

What the first audits in 2026 have really revealed

The EU supervisors (BaFin, EBA, ESMA, EIOPA and the ECB for the largest institutions) conducted their first audit rounds in 2025 and the first quarter of 2026. The substantive questions were predictable; the answers from the institutions rarely were. The most frequent findings from these discussions in German banks’ compliance departments can be grouped into three key themes: incident classification within the tight deadline, contractual gaps with third-party providers, and under-dimensioned testing capacities for TLPT. None of these issues is new, but each now falls under DORA’s binding framework, which has shattered the former internal tolerances. On top of that, supervisors are sharpening their interpretations as more cases come in. What passed as pilot rule interpretation in 2025 is being applied more strictly in 2026.

The first hour after an incident is the decisive window. Regulation requires an initial report within four hours of classifying an ICT incident as major. The classification itself must be based on verifiable criteria. In practice, this means: if an alert arrives at 3 a.m. that might be a major incident, the SOC has just hours to decide whether the reporting threshold is met – while simultaneously preparing the report itself. Those without this process baked into their runbook automation are under immediate pressure. The early audits’ lesson is clear: institutions lacking unambiguous escalation chains and a defined classification matrix racked up more than one finding in this area during their first months.

4 hours
Deadline for the initial major ICT-incident report to the competent supervisor. Interim report due after 72 hours, final report within one month. The clock starts ticking from the internal classification, not from the first alert.
Source: DORA Regulation (EU) 2022/2554, Article 19, in force since 17 January 2025.

Third-Party Registers and Exit Scenarios

The second major challenge lies in contracts with ICT third-party providers. DORA mandates explicit clauses on audit rights, exit strategies, service-level guarantees, security obligations, and incident reporting requirements. The reality: most cloud contracts, SaaS subscriptions, and outsourcing agreements from previous years do not fully meet these requirements. Renegotiation is not one-sided. Providers with market power (hyperscalers, leading SaaS platforms) have their own contract standards that do not always align with DORA requirements.

The lesson from the first fifteen months: institutions that proactively addressed the issue early received adjusted contract annexes from hyperscalers that cover a large portion of DORA requirements. Institutions that waited are now renegotiating under less favorable conditions, as providers know time is pressing. One often-overlooked detail: the register obligation is cumulative. Every contract update, every new subcontractor integration, and every criticality change must be promptly recorded in the DORA register. Without a workflow for continuous maintenance, the register becomes outdated within months.

Where DORA implementations may fail by 2026

  • Classification matrix exists only on paper, not in the SOC runbook
  • Third-party register lacks centralized maintenance responsibility
  • Contract gaps with critical cloud and SaaS providers are ignored
  • TLPT planning starts in the audit year instead of six months prior

What supports DORA readiness

  • Automated classification in the SIEM, not an Excel spreadsheet
  • Dedicated register team with interface to contract management
  • Contract addenda negotiated in parallel with the top 20 providers
  • TLPT planning with nine months lead time, including internal red-team preparation

The exit strategy is the area where many institutions have underestimated the demands. DORA does not merely require a termination clause; it demands a robust plan for how operations transition to an alternative within a reasonable timeframe in the event of provider failure or contract termination. For a critical SaaS core banking system, this is not a legal matter but a multi-year transition project. Supervisors have documented in early audits that a paper exit plan without realistic testing is insufficient.

In practice, this means: for the top five to ten critical third-party providers per institution, a detailed transition plan is required, including timelines, target architecture, data migration approach, and clear ownership. For cloud providers, this often involves a multi-cloud or multi-region setup; for SaaS core systems, a backup provider strategy or internal fallback. Documenting these plans is the first step; periodic updates and occasional simulation exercises are the second. Those who implement this rigorously will uncover weaknesses in their own processes that remain invisible during regular operations.

TLPT in practice: market, capacity and internal maturity

Threat-Led Penetration Testing under TIBER-EU represents the most stringent testing requirement under DORA and applies to institutions that fall under the TLPT thresholds (simplified: larger banks, payment service providers and market infrastructure operators). The test is conducted by accredited red-team providers, targeting the live production system without prior notice to the operational defence team. The challenge in 2026 is twofold.

First, the market of accredited providers is tight. In Germany and across Europe, there are double-digit – not triple-digit – numbers of accredited red-team providers for TLPT. Calendars are booked six to nine months in advance. Anyone aiming to test in the second half of 2026 needs to start negotiations now. Second, internal maturity is decisive. A TLPT only yields insights if the blue team, detection pipeline and incident-response processes are mature enough to process the simulation. Institutions that choose the TLPT timing too early waste valuable red-team capacity on findings already visible from an asset inventory.

The pragmatic sequence crystallising in 2026 looks like this: first, an internal maturity assessment; then targeted purple-team exercises over six months; finally, TLPT with an external accredited provider. Institutions that jump straight to TLPT risk an expensive audit yielding mostly generic findings. Those who build the preparatory stages receive specific vulnerability reports that justify the investment.

An additional point emerging in the second DORA cycle is the integration of TLPT findings into ongoing risk management. Many institutions treat TLPT reports like standard penetration-test reports: findings are prioritised, fixed and closed. That falls short. Supervisors expect TLPT insights to feed into strategic risk analysis, trends across multiple tests to be documented and the effectiveness of mitigations verified in follow-up tests. The difference between simple pentest tracking and genuine resilience management becomes a key audit field in the second round.

The interface with business-continuity planning is also under scrutiny. TLPT simulates attacker scenarios; BCP plans for outage scenarios. In many institutions, these disciplines operate separately. DORA demands their integration. Coordinating both exercises creates evidence for resilience assessments that is far more robust than isolated proofs.

The Operational Roadmap for Security Teams in DORA’s Second Phase

For security teams that have survived the first DORA year and are now preparing for the second audit cycle, a four-phase rhythm has proven effective.

DORA Rhythm for Round Two
Q2 2026
Gap review: address findings from the first audit round, complete third-party register, finalise contract amendments with critical providers.
Q3 2026
TLPT preparation: select and contract an accredited red-team provider, update blue-team runbooks, run purple-team exercises as pre-training.
Q4 2026
TLPT execution and debrief: six to twelve weeks of red-team engagement, followed by purple-team review with insights. Move remediation backlog into next year’s budget.
Q1 2027
Audit preparation: compile documentation, build evidence packages per requirement, run a dry run with internal audit. Update risk documents.

The rhythm offers two key advantages. First, it decouples TLPT execution from audit preparation, giving both topics the focused attention they require. Second, it gives the incident-management team breathing room to fold runbook changes into operations after each phase without creating a last-minute pile-up. Institutions that cram everything into Q4 may produce paperwork that looks pristine on audit day but fails in real-world operations.

A recurring theme in supervisory conversations: regulators don’t just check whether processes exist; they verify that they are actually used. A six-month-old incident-classification workflow that hasn’t been touched because no major incidents occurred will still be scrutinised. Supervisors then demand evidence of readiness – exercises or tabletop drills that prove the process works. Banks that run quarterly tabletop exercises sail through these questions, while those that schedule them annually face extra scrutiny.

Another recurring issue in the second wave is the role of senior management. DORA is neither a pure compliance matter nor a pure IT project; responsibility sits with the board, not the second tier. Supervisors examine whether the board actively steers DORA measures, receives regular reports, and has co-signed the remediation roadmap. Delegating oversight to the IT leadership team invites findings at board level. Institutions with a standing ICT-risk review in the board agenda – typically quarterly and with its own agenda – produce far more credible evidence than those treating DORA as a technical project.

Finally, DORA reshapes collaboration between information security, IT operations, and operational compliance. The three functions must operate in shared workflows, not siloed handoffs. Banks that relied on Excel-based handovers between CISO, CIO, and compliance in round one are now rolling out unified GRC platforms where findings, actions, and evidence are centrally tracked. This cuts search time during audits and presents supervisors with a coordinated organisation instead of a stack of separate documents.

One last point that separates compliance from resilience payoff: in practice, DORA is a framework that elevates incident-response maturity and third-party risk management to levels many institutions already need. Treating the requirements as mere checkboxes yields costly documentation with no added value. Viewing them as an opportunity to harden resilience against ICT disruptions delivers, within twelve months, not only a clean audit report but also fewer sleepless nights. Investments in SIEM automation, clear runbooks, and robust exit plans pay off regardless of regulation; DORA simply sets the timeline for building them.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

Which institutions fall under DORA?

The regulation applies to all supervised financial institutions in the EU: banks, insurance companies, securities firms, payment service providers, e-money institutions, investment funds, trading infrastructures, and critical ICT third-party providers. There are relief measures for small institutions below certain thresholds, but no complete exemption. If you provide services to financial institutions without being regulated yourself, you will still face DORA-relevant requirements through the backdoor via your customers’ third-party provider clauses.

How does DORA differ from NIS2?

DORA is sector-specific for financial institutions and imposes more detailed requirements for incident reporting, testing, and third-party provider management. NIS2 applies across sectors and is in some respects more general. Where both regulations overlap, DORA takes precedence within its scope.

What is the role of critical ICT third-party providers (CTPP)?

EU supervisors designate providers that are critical to multiple financial institutions as CTPP and subject them to a dedicated supervisory regime. This typically includes large cloud providers, central payment service providers, and specialized core banking system vendors. The CTPP list is updated annually.

How often must a TLPT be conducted?

Institutions subject to TLPT obligations must perform a test at least every three years. The supervisory authority may require an early test following significant changes to the IT landscape or after major incidents. Planning lead times range from six to nine months.

What role do internal audits play in DORA implementation?

The internal audit function plays a central role. It continuously reviews whether ICT risk management processes comply with DORA requirements and reports to the executive board and supervisory board. Without adequate internal audit capacity, the external supervisory review becomes a stress test for which you are unprepared.

More from the MBF Media Network

cloudmagazinOpus 4.7 vs. GPT-5.4: Local AI Inference with European Cloud ProvidersMyBusinessFuturePredictive Maintenance for SMEs: 100-Day Entry in 2026Digital ChiefsSaaS Sprawl: Consolidating the Application Portfolio in 2026

Further reading

News · 2. July 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

Ein Magazin der Evernine Media GmbH