Germany’s DORA Year Is Also An AI Cyber Test
Germany’s 2026 financial-cyber story is not only DORA implementation. It is DORA implementation under an AI threat model.
The Federal Ministry of Finance makes that explicit in its February 2026 monthly report, “Wie das BMF fuer Sicherheit sorgt”. In the section on protecting the financial market from cyberattacks, the ministry says DORA requires financial companies to take extensive cyber-risk-management measures, report relevant incidents to supervisors without delay and conduct regular cyber tests. It also notes that systemically relevant ICT providers, including large cloud providers, are brought into supervisory scope when they serve financial firms.
Then the report moves from legal architecture to the risk environment. BMF says cyberattacks against financial-market actors have recently continued to increase, with banks and securities firms particularly in focus. It identifies state actors and organised crime as primary threat sources, phishing and malware as typical tools, and AI use for cyberattacks on financial companies as a current trend. It adds that the BMF is closely accompanying BaFin’s cyber supervisory practice, and that DORA implementation is one of BaFin’s examination priorities for 2026.
That combination is the story. DORA is often treated as a compliance deadline: policies, incident forms, testing calendars, contracts and board reports. The German framing is sharper. For BaFin and BMF, operational resilience is now part of financial-market security. AI is not a side topic in that file. It is one of the ways the attack surface is changing.
BaFin’s Risiken im Fokus 2025 supports the same reading. The supervisor lists cyber incidents with serious effects and concentration in outsourced IT services among its six main risks for the German financial sector. It also treats digitalisation as a significant trend. In its dedicated digitalisation chapter, BaFin says financial firms are increasingly using AI, especially generative AI, while many initiatives remain in pilot or test phases.
The two sides should not be separated. A bank’s DORA programme cannot be limited to perimeter security and incident reporting if its operational processes are increasingly shaped by machine-learning tools, generative assistants, vendor platforms and cloud-hosted services. Nor can its AI governance sit in a model-risk silo if the model or service is part of a critical business process. Operational resilience and AI control are becoming the same supervisory conversation.
There is a practical reason for that convergence. AI may not create wholly new cyber categories overnight, but it can make existing categories cheaper, faster and more tailored. The BSI’s threat-intelligence note on AI and current cyber threats distinguishes several forms of AI-supported attack activity, including reconnaissance, vulnerability exploitation, social engineering and disinformation. It also argues against assuming a completely new extreme threat situation has already arrived. That is a useful constraint. The German risk view is not science fiction. It is acceleration of known attack chains.
For banks, that acceleration changes control expectations. Phishing becomes easier to personalise. Social engineering becomes easier to localise. Reconnaissance against employees and suppliers becomes faster. Malware and vulnerability workflows can be supported by automated analysis. Deepfake and synthetic-media risks can affect internal authorisation processes, investor communications and fraud controls. None of this requires a new class of attacker. It requires more scalable attackers.
DORA is designed for exactly that kind of environment. Its value is not only that firms must report incidents. It is that firms must understand critical functions, test resilience, manage ICT third-party risk and prepare for disruption. In Germany, the third-party point has particular weight because BaFin has repeatedly flagged concentration risk in outsourced IT services. If a small number of cloud, core-banking, data or security vendors sit behind many institutions, an incident is no longer a bilateral service failure. It becomes a market-structure problem.
The BMF report also points to the public-sector side of the same risk. It says the ministry is responsible for keeping federal payment traffic running, a function covering more than EUR 2,000bn in payment volume and around 220m bookings each year. With rising threats, crisis-management measures for federal payments are being strengthened. That figure should keep the discussion grounded. Cyber resilience is not an abstract compliance theme. It is connected to payment continuity, state capacity and confidence in basic financial infrastructure.
The near-term supervisory implication is simple. German financial firms should expect 2026 DORA reviews to ask not only whether the rulebook has been implemented, but whether the institution can explain how AI-enabled threats affect the resilience file. The answer cannot be a generic AI policy. It has to connect threat scenarios, critical processes, supplier dependencies, incident response, test design and board oversight.
This will be uncomfortable because it crosses internal boundaries. Cyber teams own security controls. Compliance teams own DORA mapping. Model-risk teams own AI validation. Procurement owns outsourcing. Business lines own processes. BaFin’s risk map cuts through that structure. A serious incident will not respect the organisational chart, and a regulator will not either.
Germany’s DORA year is therefore a test of supervisory integration. The law is European. The enforcement texture will be national. In Germany, BMF has put cyberattacks, AI, cloud providers, BaFin examination priorities and federal payment continuity in the same security narrative. That is the signal. Operational resilience is becoming a financial-stability discipline, and AI is already inside the test.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.