German Banks Face A DORA Test With AI In The Threat Model
Germany’s 2026 bank-supervision cycle is turning DORA from a compliance project into a practical test of how banks understand technology concentration, cyber attack paths and AI-enabled operational risk.
The signal is visible in the joint BaFin and Bundesbank priorities for banking supervision. For 2026, supervisors list geopolitical risks, liquidity and funding risks, structural change, credit risk, market risk, governance and operational resilience. Under operational resilience, they explicitly name cyber and IT risks. They also say digitalisation, ESG and artificial intelligence remain cross-cutting issues running across the work programme.
That matters because DORA, the EU’s Digital Operational Resilience Act, is now being applied inside a German risk map that already treats cyber incidents and outsourced IT concentration as financial-sector risks. BaFin’s Risiken im Fokus 2025 identified cyber incidents with serious effects and concentration in outsourced IT services among the main risks facing German finance. In the same risk cycle, BaFin’s digitalisation chapter said financial firms were increasingly testing and using AI, especially generative AI, with many projects still in pilot or test phases.
The result is a narrower and more demanding supervisory question for German banks: can the institution explain how its DORA controls work when critical processes are spread across cloud providers, software vendors, data platforms, security tools and internal AI use?
BMF’s February 2026 monthly report, “Wie das BMF fuer Sicherheit sorgt”, gives the policy context. The ministry describes DORA as requiring financial companies to manage cyber risks, report relevant ICT incidents to supervisors without delay and conduct regular cyber tests. It also notes that systemically relevant ICT service providers, including large cloud providers, can fall into supervisory scope when they serve financial firms.
The same BMF report places that legal architecture against a live threat picture. It says cyberattacks against financial-market actors have continued to increase, with banks and securities firms particularly in focus. It names state actors and organised crime as key threat sources, phishing and malware as common tools, and AI use for cyberattacks on financial companies as a current trend. BMF also says DORA implementation is one of BaFin’s examination priorities for 2026.
That framing should change how bank boards read their DORA dashboards. A simple implementation scorecard is not enough. Supervisors are likely to care about whether the bank can connect critical functions, third-party dependencies, cyber scenarios, incident response, testing evidence and management oversight.
AI sharpens the issue because it can accelerate familiar attacks without creating a wholly new category of cyber risk. The BSI’s threat-intelligence note on AI and current cyber threats discusses AI-supported reconnaissance, vulnerability exploitation, social engineering and disinformation. It also cautions against assuming that AI has already produced a completely new extreme threat environment. That is the right balance for finance. The near-term risk is not science fiction. It is faster, cheaper and more tailored execution of known attack chains.
For a German bank, that can affect ordinary controls. Phishing can be localised in better German and tuned to specific internal workflows. Supplier reconnaissance can be scaled. Fraud attempts can use synthetic voice or video against authorisation routines. Developers may rely on code assistants inside production-adjacent work. Staff may paste sensitive data into unapproved tools. Security teams may use AI-enabled detection systems whose own model behaviour becomes part of the control environment.
DORA gives supervisors a route into those questions because it is built around operational impact. The act is not only an incident-reporting regime. It pushes firms to identify critical functions, govern ICT risk, test resilience, manage third-party dependencies and prepare for severe disruption. In Germany, those requirements now sit next to BaFin’s concern that outsourced IT concentration can itself become a sector-wide vulnerability.
Cloud dependency is the clearest example. A bank can pass a narrow vendor due-diligence checklist and still be exposed if too many important functions depend on the same external provider, the same managed service, or the same recovery architecture. DORA’s framework for critical ICT third-party providers makes that a supervisory issue, not just a procurement issue. BaFin’s concentration-risk focus makes it a German financial-stability issue as well.
The BMF report adds one more reason the topic is not abstract. It says the ministry is responsible for keeping federal payment traffic running, with more than EUR 2,000bn in payment volume and around 220m bookings each year, and that crisis-management measures for federal payments are being strengthened. Payment continuity is the practical end point of the resilience debate. The question is whether money can still move, instructions can still be trusted and core services can still operate under stress.
The immediate implication for German financial firms is organisational. DORA cannot sit only with compliance. AI governance cannot sit only with model risk. Outsourcing cannot sit only with procurement. Cyber scenarios cannot sit only with security operations. A credible 2026 answer will have to show how these teams share a common map of critical processes and dependencies.
For international readers, that is the German lens on the European rule. DORA is EU law, but the supervisory texture is national. In Germany, BaFin, Bundesbank and BMF are aligning operational resilience with cyber security, outsourced technology concentration and AI-enabled attack trends. The floor breach is not that DORA exists. It is that the 2026 test is becoming an integrated technology-risk exam.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.