Which IT regulations apply to my financial institution?

Overview of DORA, MaRisk, BAIT & Co.

Regulation, resilience, responsibility: Why IT security is becoming a management task in the financial sector.

DORA, MaRisk, BAIT, BSI Act – IT regulation in the financial sector has long been a reality for companies. The requirements are increasing, and not only on a technical level: IT security is becoming a strategic management task, because digital attacks are no longer an exception – they are part of everyday operations.

What you will learn in this article:

  • Which rules really apply to your company – and why two seemingly similar banks have very different obligations.
  • How an orientation matrix helps you assess your regulatory situation.
  • Why traditional audits are no longer sufficient – and how simulation-based tests such as TLPT and Red Teaming deliver real added value.
  • What decision-makers can learn from the current BSI situation assessment.
  • Where to find decision-making aids for selecting the appropriate test form or for determining your regulatory classification.

Resilience is not an IT goal – it is a management goal. And it begins with clarity.
This article provides you with the overview you need to make informed decisions – and withstand not only the next audit, but also a real attack.

Am I affected? – 3 questions for self-assessment

Many companies underestimate how much they are already – or will soon be – affected by regulatory IT requirements. Check for yourself:

Then BAIT, MaRisk or DORA may apply – regardless of whether you are directly regulated or “only” perform outsourced tasks.

Internal IT units, outsourcing partners or specialized providers are also becoming the focus of supervision.

Such developments can change your regulatory classification – and trigger new audit obligations.

If you answer at least one question with “Yes”, it is worth taking a look at our compact Executive Summary: Which IT requirements apply – and why, including an orientation matrix for typical company profiles.


Why are IT regulations in the financial sector increasing?

The increasing density of regulation in the financial sector is not a bureaucratic overreaction—it is a response to real threats. Anyone involved with IT security in the financial world knows that attempted attacks are no longer the exception, but part of everyday life.

The threat situation in numbers

According to the report Threat Landscape: Finance Sector (2025) by ENISA (European Union Agency for Cybersecurity), 488 publicly reported cyber incidents were registered in the European financial sector between January 2023 and June 2024. Particularly alarming: ransomware attacks and targeted attacks on third parties are among the fastest growing threat categories.

Figure: ENISA Threat Landscape Finance – observed cyber incidents per month in the European financial sector. The ENISA Threat Landscape: Finance Sector 2025 report shows that the threat level posed by cyberattacks in the European financial sector remains alarming: 488 cyber incidents were publicly reported over a period of 18 months.

The BSI Status Report 2024 describes the IT security situation in Germany as still tense. The increasing professionalization and specialization of cybercriminals is particularly worrying. The cybercriminal shadow economy has become more differentiated, with a clear division of labor between ransomware operators, their partners (affiliates), and so-called access brokers. The latter specialize in gaining access to compromised corporate systems and reselling this access for profit on underground platforms.

This development allows criminals to carry out their attacks more efficiently and more specifically – while simultaneously lowering the barriers to entry. Ransomware-as-a-Service now makes it possible to book complete extortion campaigns as a finished product – including malware, instructions, support, and profit sharing. Anyone who wants to attack no longer has to be a hacker, but merely a "user" with criminal intent.

The European Central Bank, in its Financial Stability Review (05/2025), reiterates the risks to financial stability – including information and communication technology (ICT) risks, ongoing geopolitical uncertainty, and the increasing dependence on digital infrastructures. It highlights the potential systemic impact of cyberattacks on critical service providers, possible spillover effects via third-party service providers, and the growing importance of resilience to operational shocks.

More than reaction: A European paradigm shift

That regulations such as DORA, NIS2 or updated national guidelines such as MaRisk are necessary is not just a narrative from regulators – it is a factual consequence.

And: many decision-makers in the financial sector welcome this development. Indeed, uniform standards like DORA ensure clear requirements, comparable security levels, and fair competition – especially in an increasingly interconnected European financial market. Instead of a regulatory patchwork, a common framework is created that offers planning security and better safeguards investments in resilience.

Our view as a Trusted Advisor

What we know from numerous customer projects in the regulated sector:
many companies are not faced with the question of whether they have to act – but of how, concretely.

Because the challenge lies not in insight, but in implementation:

  • What regulations apply to your setup?
  • Which requirements apply specifically – and where is there room for interpretation?
  • What steps have others successfully implemented?

As a partner familiar with both the technical depth and the regulatory expectations, we help our clients make their obligations tangible and derive realistic measures from them – understandable, practical and compliance-safe.

Our role doesn't end with a report—it often begins right there. As a trusted hacking advisor, we guide our clients through complex regulatory requirements and translate them into concrete, realistic measures.

Especially in our collaboration with IT management and technical teams, we consciously focus on knowledge transfer, direct communication and genuine partnership. Instead of anonymous PDF reports, we deliver comprehensible results, provide technical feedback at eye level, and transparently demonstrate how risks arise – and how they can be remedied.


The goal: Our customers should not only survive – but emerge stronger from the project.

Figure: IT regulations – benefits for IT managers, CISOs and management with ProSec as a partner in complying with IT regulations in the financial sector.

In the next section we show which regulations currently apply – and why similar companies sometimes have to meet very different requirements.

DORA, MaRisk or BSI Act – Which IT regulations apply to my company?

With the introduction of the EU Regulation DORA and the ongoing updating of national regulations such as MaRisk, BAIT or the BSI Act, many companies in the financial sector are faced with a complex question: Which regulatory requirements are binding for my company – and why don’t they apply equally to everyone?

In fact, the scope of many regulations does not depend solely on the industry, but on the specific corporate structure, business activities and relevance for financial market stability. Two companies with similar offerings may therefore be subject to completely different obligations.

An example: A large payment service provider with a Europe-wide infrastructure is directly subject to the DORA Regulation and, starting in 2025, must, among other things, demonstrate comprehensive ICT risk management and conduct regular resilience tests. A small regional provider without critical interfaces, on the other hand, may (initially) only be subject to national requirements such as the BAIT or the BSI Act.

Another example: Two credit institutions may face different requirements in the context of MaRisk and BAIT due to different IT outsourcing and customer segments – for example, with regard to emergency management, reporting obligations or risk aggregation.

These differences make it clear: a blanket classification is hardly possible.

An overview of the most important regulations, typical company forms and concrete implementation priorities can be found in our Executive Summary on regulatory requirements in the financial sector.

From MaRisk to DORA: Development of IT regulation in the financial sector

Many regulations in financial supervision follow a gradual development process: from individual national requirements to uniform European frameworks. This change is particularly evident in the IT-related requirements for banks and financial institutions. While the BAIT (Banking Supervisory Requirements for IT), based on the MaRisk (Minimum Requirements for Risk Management), has long served as the central point of orientation in Germany, DORA (Digital Operational Resilience Act) now establishes a uniform standard across Europe – binding for everyone.

Related regulations such as VAIT, KAIT and ZAIT also follow the same principle: They are national derivatives of the BAIT for specific types of companies and are becoming increasingly less relevant with the full implementation of DORA. Nevertheless, they formally remain in place – most of them until the end of 2026 – and continue to shape the design of many ICT security measures.

What is important here is that DORA does not radically replace these guidelines, but rather builds on them in terms of content. Existing structures and implementations were not in vain – on the contrary: they often form the foundation for an efficient implementation of the new requirements. DORA is not a theoretical set of rules from the drawing board, but rather a practical development of existing standards. Those who have already dealt with BAIT & Co. don't have to start from scratch – they can build on existing measures.

The following overview shows the most important milestones in the development of regulatory IT security requirements:

Figure: Development of regulatory requirements for IT in the financial sector and outlook. From MaRisk to DORA: increasing standardization of risk management and resilience in IT in the financial sector.

The developments of the last 20 years make one thing clear: expectations of digital resilience are rising – and with DORA they are becoming binding.

DORA ushers in a new era of traceability – it is no longer just a question of whether measures exist, but whether they work in an emergency.

What this means in concrete terms is shown by the current look at practice – and at the level of maturity of implementation.

Resilience test instead of checklist:
How financial regulators assess IT security today

Cyber incidents are no longer hypothetical threats – they are part of everyday life in the financial industry. The supervisory authority’s reaction: tests should not only document, but also prove that protective mechanisms work under real pressure. This puts practical resilience tests in focus – with realistic attack simulations instead of theoretical simulation games, and an emphasis on the interaction of technology, processes and people.

A look at the current BSI 2024 status report shows that although many critical infrastructure companies in the financial and insurance sectors already have documented information security management systems (ISMS), the maturity levels make it clear that regular effectiveness testing and targeted further development are often lacking.

Less than half of the assessed financial companies achieve maturity level 4 or 5 in the ISMS area – the levels at which not only documentation, but also real-world testing and improvement take place. The path from maturity level 3 to 4 is not a formal step, but rather a strategic shift: from theory to a lived security culture.

Figure: ISMS maturity levels of critical infrastructure companies in the financial and insurance sectors (source: BSI 2024 Management Report). Many are on the right track, but less than half of KRITIS companies conduct regular audits.

The good news: the transition from maturity level 3 to 4 is challenging – but achievable with targeted resilience tests. Many companies remain mediocre – but those who want true resilience need realistic tests. They close the crucial gap between theory and practice – and start exactly where many still stall today.

What exactly characterizes resilience tests?

Testing in compliance with regulations – but with a sense of reality: our experts develop realistic attack scenarios, conduct simulation-based tests and deliver analyzable results for your management.

Resilience tests in practice –
why they achieve more than traditional audits

Audits are based on checklists, documents, and rules. They check whether processes, guidelines, and configurations have been formally implemented correctly.

Resilience tests go one step further:
They simulate real attacks, emergency scenarios or critical disruptions – and thus test systems, processes and teams under real conditions. The aim is not only to ensure compliance with the rules, but to prove resilience in practice.

Typical test forms:

  • Penetration test: Controlled attack on systems or applications
  • TLPT (Threat-Led Penetration Testing): Realistic attack simulations based on current threat scenarios – mandatory from 2026 for particularly critical companies according to DORA
  • Red Teaming: Holistic attack simulation with the aim of remaining undetected
  • Tabletop Exercises: Role-playing crisis simulation for decision-makers and incident teams

A structured overview of the differences, requirements and possible applications of penetration tests and TLPT can be found in our Whitepaper Penetration Testing vs. TLPT.

Whether it is a technical attack, human error or process failure – resilience tests reveal what traditional audits often do not show: How well an organization really functions in an emergency.

And that is exactly why regulatory authorities in Europe are increasingly relying on these testing formats. While audits primarily document, MaRisk, BAIT and DORA today require proof of effectiveness – under real conditions.

Why resilience testing is becoming the new standard

A clear trend is emerging in financial supervision: from reactive control framework to active resilience strategy. The reason:

  • Growing attack surface through hybrid infrastructures, third-party providers and cloud solutions
  • Increasing complexity in supply chains and regulatory responsibility
  • Growing frequency and professionalism of real cyber attacks

Evidence from current regulations:

  • MaRisk amendment (2023) requires institutions to regularly test their emergency plans and protective measures and evaluate their effectiveness.
  • BAIT (2023) calls for regular, independent effectiveness tests of protective measures.
  • DORA (since 2025) makes TLPT mandatory for certain companies.
  • VAIT, KAIT, ZAIT contain similar requirements – tailored to the respective industry.
  • BSI Act (Section 8a BSIG) obliges KRITIS companies to use and monitor attack detection systems.

The common goal: Demonstrate resilience under real conditions – not just on paper.

What companies in the financial sector should know now:
Reality check instead of security illusion

What many companies underestimate: cyberattacks do not follow compliance requirements.
They target human errors, organizational weaknesses, and technical gaps in day-to-day business – not perfect documentation.

Resilience tests offer:

  • A realistic picture of the current security situation
  • Prioritization of vulnerabilities according to actual risk potential
  • Early warning of regulatory deficiencies before official review
  • Strategic insights to strengthen operational continuity


The ability to put yourself in the attacker’s perspective becomes a strategic asset.
Those who identify and test vulnerabilities early on are not only compliant – but prepared.

What happens in the event of IT compliance violations?
Risks for banks, insurers & FinTechs

For companies in the financial sector, adhering to regulatory requirements in IT security is no longer a mere compliance exercise. Those who ignore the requirements or merely process them formally risk significantly more than a fine. Regulatory failures can develop into real threats for the entire company – with consequences for reputation, business relationships, operational continuity and ultimately the continuation of the business model.

The sanctions: fines, measures, reputational risks

The legal framework differs depending on the regulation – for example DORA, MaRisk, BAIT, VAIT, KAIT, ZAIT, the BSI Act or the GDPR – but they all have one thing in common: non-compliance can lead to serious consequences.

  • DORA (EU 2022/2554, Art. 17 & 50): Violations of reporting obligations or testing requirements can lead to severe measures – up to and including public disclosure by the supervisory authority. This is particularly explosive for critical companies.
  • MaRisk & BAIT: Inadequate IT risk management may result in regulatory measures – up to and including the dismissal of managing directors (Section 25a, Section 36 KWG).
  • VAIT / KAIT / ZAIT: These industry-specific requirements for insurance companies, asset management companies, and payment service providers follow the same principle as the BAIT. Here, too, the following applies: failure to comply with the requirements risks regulatory action.
  • BSI Act (Section 8a BSIG): Operators of critical infrastructures that do not implement appropriate protective measures or attack detection systems must expect official orders and fines – and risk being perceived as an unsafe partner.
  • EU GDPR: IT security gaps and inadequate protection of personal data can result in fines amounting to millions of euros – in addition to a massive loss of trust and high-profile media coverage.

Reputational and market consequences: More than just a regulatory debate

For financial companies, a security incident, including regulatory failures, can cost them market access:

  • Customers lose trust. Trust is the most important asset, especially in the B2B environment of the financial world. A single incident can be enough to permanently lose partnerships or tenders.
  • Rating agencies react. Weaknesses in cyber and compliance strategies are increasingly influencing ESG assessments and financial ratings – with direct consequences for financing and investor confidence.
  • The market passes by. While other companies see cybersecurity as a strategic asset, regulatory minimums threaten to become a brake on innovation.

Proactive resilience instead of reactive damage limitation

What all these risks have in common is that they often only become apparent in an emergency. Those who only meet the minimum legally required remain in damage limitation mode.

However, anyone who recognizes that regulatory requirements such as DORA, MaRisk, BAIT, VAIT, KAIT or the BSI Act are practical levers for sustainable resilience can actively use them – as an impulse for stronger security processes, better decision-making bases and resilient crisis capability.

An in-depth analysis of the DORA regulation – including concrete implementation requirements, strategic opportunities and a comparison of classic penetration tests vs. TLPT – can be found in our Deep dive into DORA implementation 2025.

Resilience is not just an IT goal – it is a management goal.

FAQ

While MaRisk and BAIT primarily focus on IT risk management and organizational requirements, DORA goes much further: for the first time, it calls for uniform, Europe-wide standards for security incidents, third-party risks, and simulation-based resilience tests (e.g., TLPT).

DORA applies to virtually all regulated financial institutions—banks, insurers, and FinTechs. However, simulation-based tests such as TLPT are only mandatory for "critical" institutions. The precise classification is determined by the supervisory authority. An early gap analysis is crucial.

These industry-specific requirements complement MaRisk but are regulated nationally. DORA is intended to largely replace them – by the end of 2025 at the latest. BaFin plans to repeal or harmonize them in phases. Proactive companies are already adapting.

The era of checklists is over. Regulators evaluate effectiveness, not just documentation. What's required are risk-based protection measures, meaningful tests, and robust evidence—ideally through independent penetration tests or simulations.


The range extends from fines to the dismissal of managing directors (Section 25 of the German Banking Act, KWG). Particularly critical are violations of DORA reporting obligations or failure to detect attacks under Section 8a of the BSI Act (BSIG). In addition, there are reputational damages, ESG downgrades, and market losses.

Internal assessments often only capture known risks or are based on formalistic specifications. Our external tests follow real-world attack scenarios and deliver more than just technical findings: They reveal where regulatory gaps exist – and how they can be closed. Instead of mere audit reports, companies receive implementable action plans that combine technical reality with compliance requirements. This creates reliable evidence for regulators, protects against audits – and sustainably increases resilience.

Relevant terms related to IT regulation in the financial sector

  • DORA: Digital Operational Resilience Act – EU regulation on digital resilience in the financial sector
  • MaRisk: Minimum requirements for risk management for banks (BaFin circular)
  • BAIT / VAIT / KAIT / ZAIT: Industry-specific IT requirements for banks, insurers, asset management companies, payment service providers
  • Section 8a BSIG: Obligation to detect attacks for KRITIS companies in the BSI Act
  • TLPT: Threat-Led Penetration Testing – simulation-based resilience testing with an attacker perspective
  • ICT risks: Risks from information and communication technology – in the focus of DORA, MaRisk, etc.
  • Gap analysis: Analysis of whether internal processes already meet regulatory requirements
