
The First Year of DORA

Findings and updates from supervisory authorities after the first year of DORA implementation

Robin Schmeisser

Created on 4 March 2026


In 2025, financial companies submitted 103 reports of serious ICT incidents to the Austrian Financial Market Authority (FMA). Sixty-three percent of these were related to external ICT service providers. [1] In Germany, more than 600 serious ICT incidents have been reported since DORA came into force. [2]
With the Digital Operational Resilience Act (DORA), the EU has created a uniform framework for exchanging information on cyber threats, identifying systemic risks, and responding more quickly to attacks. After the first year of DORA, the supervisory authorities have taken stock. "DORA was a key step toward sustainably strengthening the stability of the European financial market in the digital age. After one year, we are already seeing significantly more transparency regarding digital risks," said Helmut Ettl, Executive Director of the FMA. [1] Some of the current developments and findings are summarized below.


Register of information submission 2026

In Austria, the register of information (RoI) must be submitted between February 16 and March 13, 2026. Use of the FMA's Excel template is mandatory for the submission.
All details can be found here: FMA
In Germany, the submission window is slightly later: from March 9 to March 30, 2026. Financial companies must submit either a structured XBRL file that complies with the ESAs' taxonomy or the BaFin Excel template.
All details can be found here: BaFin
In terms of content, the RoI must reflect the status as of the cut-off date, December 31, 2025. The ESAs have not made any technical changes to the taxonomy for this submission cycle. [3] When the register of information is generated automatically with Fabasoft DORA, the new validation rules according to the EBA requirements are already implemented in the system.

High proportion of critical third-party service providers from the US

After reviewing the registers of information submitted in 2025, the European Supervisory Authorities (ESAs) have published a list of critical ICT third-party service providers. The list comprises 19 providers, among them international technology companies such as Amazon, Microsoft, and Google, which are now subject to direct oversight by the ESAs under the DORA oversight framework.
The list of critical ICT third-party service providers can be found here: ESMA
According to an analysis by BaFin, three-quarters of the ICT third-party service providers that financial companies in Germany have classified as critical are based in third countries, a significant share of them in the US. [4] Most institutions ensure that data is stored in Europe or Germany, but data location alone is not sufficient for full GDPR compliance or for digital sovereignty, since a provider based in a third country remains subject to that country's laws and government access requests. In this context, it makes sense to consider a European alternative.


Lack of contractual adjustments and exit plans 

According to the supervisory authorities, a large number of existing ICT contracts have not yet been updated to meet the new minimum contractual requirements under DORA (Article 30) and the associated RTS. Financial institutions are urged to make these adjustments promptly. [4] With Fabasoft DORA, the ICT contract portfolio can be checked quickly using a customizable AI review: working from checklists, the AI analyzes the contract content for knockout criteria and regulatory requirements and presents the identified gaps clearly. DORA-compliant supplementary agreements can then be created using digital workflows and clause libraries.
Another surprising finding is that, according to the reports of German financial institutions, many contractual arrangements with ICT third-party service providers have no exit plan in place. The easier a service is to replace, the less likely it is that an exit plan exists. DORA, however, requires an exit plan for every ICT service that supports critical or important functions, regardless of how easy the service is to replace, and the plan must be documented, sufficiently tested, and reviewed periodically. As BaFin reports, this requirement poses a challenge for institutions particularly for services in the "irreplaceable" category. [4] Fabasoft DORA provides digital templates for exit plans to support institutions here.


Room for improvement in on-site inspections

The on-site inspections of many financial companies revealed room for improvement in clearly assigned responsibilities and in the processes for implementing and monitoring measures: these are often incomplete, do not sufficiently involve the management body, and cannot be traced by auditors. [4] To ensure consistent and traceable documentation, it makes sense to digitize all business processes associated with outsourcing. Graphical process designers allow users to create customized workflows without programming knowledge, and electronic workflow signatures together with audit logs make every activity verifiable.


Harmonization of regulations

As announced at a BaFin information event, the European Banking Authority is currently working on a revised version of its Guidelines on Outsourcing. The aim is to eliminate the current overlap between the DORA register of information and the outsourcing register required by the EBA guidelines. As a result, ICT services will no longer fall under the definition of outsourcing in the EBA guidelines and will only have to be recorded once, in the DORA register of information. The amendment is expected in the first half of 2026. [4]

Sources:
[1] Increased cybersecurity: FMA and OeNB report first year of DORA has been a positive one (FMA Österreich)
[2] BaFin reports more than 600 serious ICT incidents since the start of DORA (BaFin meldet über 600 schwere IKT-Vorfälle seit Dora-Start)
[3] BaFin: Register of information and notification obligations (Informationsregister und Anzeigepflichten)
[4] BaFin, News & Measures: IT supervision in the financial sector: the first year of DORA (IT-Aufsicht im Finanzsektor: Das erste Jahr DORA)
