{"id":12804,"date":"2026-04-17T11:30:00","date_gmt":"2026-04-17T11:30:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/23\/dora-after-15-months-what-security-teams-at-financial\/"},"modified":"2026-07-04T11:54:57","modified_gmt":"2026-07-04T11:54:57","slug":"dora-after-15-months-what-security-teams-at-financial","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/17\/dora-after-15-months-what-security-teams-at-financial\/","title":{"rendered":"DORA after 15 months: Security lessons from first 2026 audits"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">7 min read<\/p>\n<p><strong>Since 17 January 2025, DORA has been binding on financial institutions across the EU. After fifteen months of routine operation, the first audit cycles are complete. The lessons for security teams at banks, insurers and asset managers are both concrete and uncomfortable. The four-hour incident-reporting window, the new clauses in third-party contracts and the TLPT testing regime are pushing operations to the limit \u2013 limits that can no longer be met with standard processes.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Four-hour classification is the bottleneck.<\/strong> After the initial notification to the supervisor, 72 hours remain for an interim report and one month for the final report. 
In practice, the limiting factor is the first classification decision, which must be made within hours.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Third-party register is audit priority one.<\/strong> The required contract clauses (audit rights, exit strategy, SLA guarantees) are missing from many legacy agreements. Renegotiation with cloud providers and critical SaaS vendors is running in parallel with routine operations at many institutions.<\/li>\n<li><strong style=\"color:#69d8ed;\">TLPT meets under-resourced red teams.<\/strong> Threat-led penetration testing under TIBER-EU requires accredited providers and internal defenders who can keep pace. Capacity on both sides is tight, with planning lead times of six to nine months.<\/li>\n<\/ul>\n<\/div>\n<h2>What the first audits in 2026 have really revealed<\/h2>\n<p>The EU supervisors (BaFin, EBA, ESMA, EIOPA and the ECB for the largest institutions) conducted their first audit rounds in 2025 and the first quarter of 2026. The substantive questions were predictable; the answers from the institutions rarely were. 
The most frequent findings from these discussions in German banks\u2019 compliance departments can be grouped into three key themes: incident classification within the tight deadline, contractual gaps with third-party providers, and under-dimensioned testing capacities for TLPT. None of these issues is new, but each now falls under DORA\u2019s binding framework, which has shattered the former internal tolerances. On top of that, supervisors are sharpening their interpretations as more cases come in. What passed as pilot rule interpretation in 2025 is being applied more strictly in 2026.<\/p>\n<p>The first hour after an incident is the decisive window. Regulation requires an initial report within four hours of classifying an ICT incident as major. The classification itself must be based on verifiable criteria. In practice, this means: if an alert arrives at 3 a.m. that might be a major incident, the SOC has just hours to decide whether the reporting threshold is met \u2013 while simultaneously preparing the report itself. Those without this process baked into their runbook automation are under immediate pressure. The early audits\u2019 lesson is clear: institutions lacking unambiguous escalation chains and a defined classification matrix racked up more than one finding in this area during their first months.<\/p>\n<div class=\"evm-stat evm-stat-highlight\" style=\"text-align:center;background:#003340;border-radius:12px;padding:32px 24px;margin:32px 0;\">\n<div style=\"font-size:48px;font-weight:700;color:#fff;letter-spacing:-0.03em;\">4 hours<\/div>\n<div style=\"font-size:15px;color:#fff;margin-top:8px;max-width:480px;margin-left:auto;margin-right:auto;line-height:1.5;\">Deadline for the initial major ICT-incident report to the competent supervisor. Interim report due after 72 hours, final report within one month. 
The clock starts ticking from the internal classification, not from the first alert.<\/div>\n<div style=\"font-size:12px;color:#69d8ed;margin-top:12px;\">Source: DORA Regulation (EU) 2022\/2554, Article 19, in force since 17 January 2025.<\/div>\n<\/div>\n<h2>Third-Party Registers and Exit Scenarios<\/h2>\n<p>The second major challenge lies in contracts with ICT third-party providers. DORA mandates explicit clauses on audit rights, exit strategies, service-level guarantees, security obligations, and incident reporting requirements. The reality: most cloud contracts, SaaS subscriptions, and outsourcing agreements from previous years do not fully meet these requirements. Renegotiation is not one-sided. Providers with market power (hyperscalers, leading SaaS platforms) have their own contract standards that do not always align with DORA requirements.<\/p>\n<p>The lesson from the first fifteen months: institutions that proactively addressed the issue early received adjusted contract annexes from hyperscalers that cover a large portion of DORA requirements. Institutions that waited are now renegotiating under less favorable conditions, as providers know time is pressing. One often-overlooked detail: the register obligation is cumulative. Every contract update, every new subcontractor integration, and every criticality change must be promptly recorded in the DORA register. 
Without a workflow for continuous maintenance, the register becomes outdated within months.<\/p>\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:16px;margin:28px 0;\">\n<div style=\"background:#fafafa;border-top:3px solid #c0392b;padding:18px 20px;border-radius:4px;\">\n<p style=\"margin:0 0 10px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.12em;color:#c0392b;\">Where DORA implementations may fail by 2026<\/p>\n<ul style=\"margin:0;padding-left:18px;color:#333;line-height:1.55;font-size:0.95em;\">\n<li style=\"margin-bottom:6px;\">Classification matrix exists only on paper, not in the SOC runbook<\/li>\n<li style=\"margin-bottom:6px;\">Third-party register lacks centralized maintenance responsibility<\/li>\n<li style=\"margin-bottom:6px;\">Contract gaps with critical cloud and SaaS providers are ignored<\/li>\n<li>TLPT planning starts in the audit year instead of six months prior<\/li>\n<\/ul><\/div>\n<div style=\"background:#fafafa;border-top:3px solid #2d7a3e;padding:18px 20px;border-radius:4px;\">\n<p style=\"margin:0 0 10px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.12em;color:#2d7a3e;\">What supports DORA readiness<\/p>\n<ul style=\"margin:0;padding-left:18px;color:#333;line-height:1.55;font-size:0.95em;\">\n<li style=\"margin-bottom:6px;\">Automated classification in the SIEM, not an Excel spreadsheet<\/li>\n<li style=\"margin-bottom:6px;\">Dedicated register team with interface to contract management<\/li>\n<li style=\"margin-bottom:6px;\">Contract addenda negotiated in parallel with the top 20 providers<\/li>\n<li>TLPT planning with nine months lead time, including internal red-team preparation<\/li>\n<\/ul><\/div>\n<\/div>\n<p>The exit strategy is the area where many institutions have underestimated the demands. 
DORA does not merely require a termination clause; it demands a robust plan for how operations transition to an alternative within a reasonable timeframe in the event of provider failure or contract termination. For a critical SaaS core banking system, this is not a legal matter but a multi-year transition project. Supervisors have documented in early audits that a paper exit plan without realistic testing is insufficient.<\/p>\n<p>In practice, this means: for the top five to ten critical third-party providers per institution, a detailed transition plan is required, including timelines, target architecture, data migration approach, and clear ownership. For cloud providers, this often involves a multi-cloud or multi-region setup; for SaaS core systems, a backup provider strategy or internal fallback. Documenting these plans is the first step; periodic updates and occasional simulation exercises are the second. Those who implement this rigorously will uncover weaknesses in their own processes that remain invisible during regular operations.<\/p>\n<h2>TLPT in practice: market, capacity and internal maturity<\/h2>\n<p>Threat-Led Penetration Testing under TIBER-EU represents the most stringent testing requirement under DORA and applies to institutions that fall under the TLPT thresholds (simplified: larger banks, payment service providers and market infrastructure operators). The test is conducted by accredited red-team providers, targeting the live production system without prior notice to the operational defence team. The challenge in 2026 is twofold.<\/p>\n<p>First, the market of accredited providers is tight. In Germany and across Europe, there are double-digit \u2013 not triple-digit \u2013 numbers of accredited red-team providers for TLPT. Calendars are booked six to nine months in advance. Anyone aiming to test in the second half of 2026 needs to start negotiations now. Second, internal maturity is decisive. 
A TLPT only yields insights if the blue team, detection pipeline and incident-response processes are mature enough to process the simulation. Institutions that choose the TLPT timing too early waste valuable red-team capacity on findings already visible from an asset inventory.<\/p>\n<p>The pragmatic sequence crystallising in 2026 looks like this: first, an internal maturity assessment; then targeted purple-team exercises over six months; finally, TLPT with an external accredited provider. Institutions that jump straight to TLPT risk an expensive audit yielding mostly generic findings. Those who build the preparatory stages receive specific vulnerability reports that justify the investment.<\/p>\n<p>An additional point emerging in the second DORA cycle is the integration of TLPT findings into ongoing risk management. Many institutions treat TLPT reports like standard penetration-test reports: findings are prioritised, fixed and closed. That falls short. Supervisors expect TLPT insights to feed into strategic risk analysis, trends across multiple tests to be documented and the effectiveness of mitigations verified in follow-up tests. The difference between simple pentest tracking and genuine resilience management becomes a key audit field in the second round.<\/p>\n<p>The interface with business-continuity planning is also under scrutiny. TLPT simulates attacker scenarios; BCP plans for outage scenarios. In many institutions, these disciplines operate separately. DORA demands their integration. 
Coordinating both exercises creates evidence for resilience assessments that is far more robust than isolated proofs.<\/p>\n<h2>The Operational Roadmap for Security Teams in DORA\u2019s Second Phase<\/h2>\n<p>For security teams that have survived the first DORA year and are now preparing for the second audit cycle, a four-phase rhythm has proven effective.<\/p>\n<div style=\"margin:28px 0;border:1px solid rgba(230,227,218,0.12);border-radius:6px;overflow:hidden;\">\n<div style=\"background:#003340;color:#fff;padding:12px 18px;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.14em;\">DORA Rhythm for Round Two<\/div>\n<div style=\"padding:8px 0;\">\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:130px;font-weight:700;color:#69d8ed;\">Q2 2026<\/div>\n<div style=\"color:#333;line-height:1.55;\">Gap review: address findings from the first audit round, complete third-party register, finalise contract amendments with critical providers.<\/div>\n<\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:130px;font-weight:700;color:#69d8ed;\">Q3 2026<\/div>\n<div style=\"color:#333;line-height:1.55;\">TLPT preparation: select and contract an accredited red-team provider, update blue-team runbooks, run purple-team exercises as pre-training.<\/div>\n<\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;border-bottom:1px solid #f0f0f0;\">\n<div style=\"min-width:130px;font-weight:700;color:#69d8ed;\">Q4 2026<\/div>\n<div style=\"color:#333;line-height:1.55;\">TLPT execution and debrief: six to twelve weeks of red-team engagement, followed by purple-team review with insights. 
Move remediation backlog into next year\u2019s budget.<\/div>\n<\/div>\n<div style=\"display:flex;gap:18px;padding:12px 20px;\">\n<div style=\"min-width:130px;font-weight:700;color:#69d8ed;\">Q1 2027<\/div>\n<div style=\"color:#333;line-height:1.55;\">Audit preparation: compile documentation, build evidence packages per requirement, run a dry run with internal audit. Update risk documents.<\/div>\n<\/div><\/div>\n<\/div>\n<p>The rhythm offers two key advantages. First, it decouples TLPT execution from audit preparation, giving both topics the focused attention they require. Second, it gives the incident-management team breathing room to fold runbook changes into operations after each phase without creating a last-minute pile-up. Institutions that cram everything into Q4 may produce paperwork that looks pristine on audit day but fails in real-world operations.<\/p>\n<p>A recurring theme in supervisory conversations: regulators don\u2019t just check whether processes exist; they verify that they are actually used. A six-month-old incident-classification workflow that hasn\u2019t been touched because no major incidents occurred will still be scrutinised. Supervisors then demand evidence of readiness \u2013 exercises or tabletop drills that prove the process works. Banks that run quarterly tabletop exercises sail through these questions, while those that schedule them annually face extra scrutiny.<\/p>\n<p>Another recurring issue in the second wave is the role of senior management. DORA is neither a pure compliance matter nor a pure IT project; responsibility sits with the board, not the second tier. Supervisors examine whether the board actively steers DORA measures, receives regular reports, and has co-signed the remediation roadmap. Delegating oversight to the IT leadership team invites findings at board level. 
Institutions with a standing ICT-risk review in the board agenda \u2013 typically quarterly and with its own agenda \u2013 produce far more credible evidence than those treating DORA as a technical project.<\/p>\n<p>Finally, DORA reshapes collaboration between information security, IT operations, and operational compliance. The three functions must operate in shared workflows, not siloed handoffs. Banks that relied on Excel-based handovers between CISO, CIO, and compliance in round one are now rolling out unified GRC platforms where findings, actions, and evidence are centrally tracked. This cuts search time during audits and presents supervisors with a coordinated organisation instead of a stack of separate documents.<\/p>\n<p>One last point that separates compliance from resilience payoff: in practice, DORA is a framework that elevates incident-response maturity and third-party risk management to levels many institutions already need. Treating the requirements as mere checkboxes yields costly documentation with no added value. Viewing them as an opportunity to harden resilience against ICT disruptions delivers, within twelve months, not only a clean audit report but also fewer sleepless nights. Investments in SIEM automation, clear runbooks, and robust exit plans pay off regardless of regulation; DORA simply sets the timeline for building them.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<details>\n<summary><strong>Which institutions fall under DORA?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The regulation applies to all supervised financial institutions in the EU: banks, insurance companies, securities firms, payment service providers, e-money institutions, investment funds, trading infrastructures, and critical ICT third-party providers. There are relief measures for small institutions below certain thresholds, but no complete exemption. 
If you provide services to financial institutions without being regulated yourself, you will still face DORA-relevant requirements through the backdoor via your customers\u2019 third-party provider clauses.<\/p>\n<\/details>\n<details>\n<summary><strong>How does DORA differ from NIS2?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">DORA is sector-specific for financial institutions and imposes more detailed requirements for incident reporting, testing, and third-party provider management. NIS2 applies across sectors and is in some respects more general. Where both regulations overlap, DORA takes precedence within its scope.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the role of critical ICT third-party providers (CTPP)?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">EU supervisors designate providers that are critical to multiple financial institutions as CTPP and subject them to a dedicated supervisory regime. This typically includes large cloud providers, central payment service providers, and specialized core banking system vendors. The CTPP list is updated annually.<\/p>\n<\/details>\n<details>\n<summary><strong>How often must a TLPT be conducted?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Institutions subject to TLPT obligations must perform a test at least every three years. The supervisory authority may require an early test following significant changes to the IT landscape or after major incidents. Planning lead times range from six to nine months.<\/p>\n<\/details>\n<details>\n<summary><strong>What role do internal audits play in DORA implementation?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The internal audit function plays a central role. It continuously reviews whether ICT risk management processes comply with DORA requirements and reports to the executive board and supervisory board. 
Without adequate internal audit capacity, the external supervisory review becomes a stress test for which you are unprepared.<\/p>\n<\/details>\n","protected":false},"excerpt":{"rendered":"15 months of DORA: four-hour reporting deadline, third-party register, and TLPT planning in practice. What security teams are taking away from the first audits in 2026.","protected":false},"author":10,"featured_media":12546,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Financial D","_yoast_wpseo_title":"DORA after 15 months: What security teams at financial institutions learn from t","_yoast_wpseo_metadesc":"15 months into DORA: incident reporting, third-party registers, and TLPT. Key lessons for security teams from the first 2026 audit 
cycles.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[251],"tags":[],"class_list":["post-12804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"evm_reading_time_minutes":12,"wpml_language":"en","wpml_translation_of":12547,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=12804"}],"version-history":[{"count":6,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12804\/revisions"}],"predecessor-version":[{"id":19625,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12804\/revisions\/19625"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/12546"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=12804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=12804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?pos
t=12804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}