The frame
German financial firms usually treat regulation as a layered stack. Today the stack feels less like a hierarchy and more like a switchgear box.
On one side, BaFin’s DORA pages and guidance materials are now part of routine supervisory operations: information registers, incident reporting mechanics, and third-party concentration controls are no longer theoretical. On the other side, the implementation obligations under NIS-2 are now active, with the BSI requiring registration and incident reporting via the new federal portal.
In practice, both regimes are converging on the same corporate question: can the operating model survive the combined reporting and resilience burden without turning into a checklist treadmill?
Why DORA is no longer just a legal memo
DORA has applied to financial firms since 17 January 2025, the application date set by Article 64 of Regulation (EU) 2022/2554. BaFin’s German landing page for DORA and multiple thematic pages now position it as a live operational framework, not a future target. That matters because the supervisory logic has changed in tone.
The most concrete signal in recent BaFin pages is process maturity. On the information register and notification obligations page, last changed on 18 July 2025, BaFin states that the first 2025 submission process with reference date 31 March 2025 is complete. It also notes that from 2 June 2025, submissions in the official DORA portal no longer undergo EBA validation in the same way as before, with firms expected to use TEST channels for internal validation and readiness drills.
That does not sound dramatic, but it is a quiet operational shift. A bank can no longer outsource “done” to a supervisory platform and hope a downstream regulator catches structural issues later. The burden moves inward: risk owners must validate their own data chains, update internal controls, and keep their documentation in a state that can survive repeated checks across jurisdictions and reporting channels.
In the same space, DORA’s core requirement remains unchanged by this transition: operational resilience is now a central governance outcome, not a separate IT risk line item. BaFin pages on IKT (ICT) risk management and third-party risk repeatedly frame DORA as requiring risk controls over the whole lifecycle of digital dependence: design, onboarding, monitoring, and recovery.
NIS-2 changes the reporting topology, not only the rules
The BSI portal now sets the practical entry point for NIS-2 compliance for covered entities. BSI’s NIS-2 registration page says NIS-2 registration and reporting requirements apply from 6 December 2025 and that registration is to be carried out via portal.bsi.bund.de, not legacy paths.
At first glance, this looks like an administrative migration. In reality, it changes who is touched by an incident and when:
- Covered firms must now have BSI registration and reporting pathways operational.
- Incident reporting can route into the same national channel that spans aviation and other critical infrastructure obligations.
- MIP2 remains available for KRITIS operators and authorities during transition, but only as a temporary overlap.
The same BSI page gives a practical date window for that overlap: MIP2 remains available at least until 31 July 2026 and is expected to remain available through 31 December 2026. In other words, the old and new channels are both present for now, which increases near-term complexity.
This is the opposite of simplification.
The compliance implication is that firms cannot wait for a migration deadline and then flip channels. They need dual-accountability logic now: one governance model must cover both DORA evidence quality and NIS-2 cyber incident and reporting expectations. For cross-border groups with decentralized technology stacks, that usually means duplicate internal definitions of ownership, which is where firms often fail.
The operational consequence: control rooms, not filing teams
The key shift is organisational: compliance can no longer be confined to a policy team with a tick-box output. The first line of defense is no longer “submit on time,” but “capture and translate risk data consistently.”
The combined burden reveals three recurring weak points:
- Model drift between frameworks
IT teams often build one dictionary for DORA cyber incident events and another for critical-infrastructure-style reporting categories. The result is semantic mismatch, especially around what counts as “material,” how quickly severity is graded, and which executives need immediate notification.
- Third-party dependency blind spots
DORA insists on full lifecycle scrutiny of critical digital service chains. NIS-2 raises similar expectations for continuity under external dependence and incident readiness. Yet both fail when a dependency register is not tied to incident taxonomy and contractual remedies.
- Governance fatigue in medium-sized banks
For firms with lean compliance teams, the overlap can become administrative inflation: duplicate logs, duplicate validation cycles, duplicate reviews. That risks moving attention from system hardening to formatting.
What to watch this quarter
If the overlap between BaFin and the BSI continues without explicit harmonisation guidance, expect three friction points to dominate exams:
- how firms document governance accountability in real time,
- whether board-level committees can explain cross-regime incident triage in decision terms,
- and whether outsourced or cloud-critical functions have enforceable continuity obligations across both DORA and NIS-2 channels.
The first firms to gain advantage will not be those with the largest compliance departments, but those that build one integrated risk operating model where DORA records and NIS-2 reporting data are produced from the same source of truth.
In that world, the question is not whether German banks can keep up with regulation. It is whether they can convert dual compliance pressure into stronger, simpler operational certainty.
Sources
- EUR-Lex, Regulation (EU) 2022/2554 (DORA), Article 64: DORA applies from 17 January 2025. URL: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554
- BaFin DORA landing page: German DORA supervisory materials and implementation guidance hub. URL: https://www.bafin.de/DE/Aufsicht/DORA/DORA_node.html
- BaFin, “Informationsregister und Anzeigepflichten,” changed 18 July 2025: first 2025 information-register submission with reference date 31 March 2025 completed; from 2 June 2025, official DORA portal submissions no longer receive EBA validation as before; TEST procedure remains available for validation and 2026 readiness. URL: https://www.bafin.de/DE/Aufsicht/DORA/Informationsregister_und_Anzeigepflichten/Informationsregister_und_Anzeigepflichten_artikel.html
- BSI, “About NIS-2”: NIS-2 registration and reporting requirements apply from 6 December 2025; registration is via portal.bsi.bund.de; MIP2 remains available at least until 31 July 2026 and is expected through 31 December 2026 for KRITIS operators and federal authorities during transition. URL: https://mip2.bsi.bund.de/en/info-nis2-registrierung/