Organizations operating in the financial sector must comply with DORA requirements. Here, you can learn exactly what this important EU regulation requires and what role System Hardening plays in this process.
(AI-)Cyberattacks threaten the financial industry
“BaFin is highlighting cyberattacks and IT failures as the greatest risks to the financial sector,” wrote the German newspaper ‘Süddeutsche Zeitung’ in an article. The article also includes this quote from Mark Branson: “We feel that these attacks are getting closer and closer to the heart of the financial system,” said the BaFin president. “We must do everything we can to ward this off.”
BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht – the German Federal Financial Supervisory Authority) has recognized the signs of the times. That is why it supports the rapid implementation of DORA (Digital Operational Resilience Act). In times when cyberattacks are on the rise and AI systems can provide massive support for them, cybersecurity and cyber hygiene are more important than ever.
What steps need to be taken?
As an IT manager, you must initiate, monitor, and optimize numerous measures to implement the DORA requirements. Because, as is so often the case, this is not a quick sprint, but a marathon – one that never ends, but continues indefinitely.
In June 2026, the Austrian Financial Market Authority (FMA, Finanzmarktaufsicht) and the Austrian National Bank (OeNB, Österreichische Nationalbank) jointly published the paper “DORA Dialogue: AI-Based Vulnerability Detection and Exploitation.” This paper outlines essential tasks related to DORA in general and AI attacks in particular.
Here is a screenshot from the summary (in German):
These are not new concepts, but rather tried-and-true cybersecurity strategies. Strategies that help defend against both “traditional” cyberattacks and modern AI-based attacks.
The mandatory measures mentioned above include bringing infrastructure up to the “state of the art“, reducing the attack surface, and increasing system resilience.
How can you establish a solid foundation for DORA?
Prevention – Detection – Response: This is a well-known triad in information security. In other words, you should first take preventive measures to protect your IT systems as effectively as possible before investing in detection and response solutions.
In short: Start by implementing professional System Hardening as a foundation, which can significantly reduce your attack surface!
Important: Comprehensive, up-to-date System Hardening requires you to adjust, log, monitor, and, if necessary, optimize hundreds of settings per system. For most IT teams, this is simply too time-consuming when dealing with large system landscapes, such as those commonly found at financial institutions or insurance companies.
The solution? Automation! A hardening tool like Enforce Administrator can implement the desired hardening configuration virtually at the push of a button, continuously monitor it, and automatically correct it.
⏬ Download: Enforce Administrator
Product Brochure (PDF)
Enforce Administrator is used by numerous organizations subject to DORA. These include Bankhaus Metzler, Aachener Grundvermögen, and SÜDVERS, among others.
Do you need more information about DORA?
Do you want to delve deeper into the requirements of DORA? Do you need additional tips on implementation? Or would you like us to explain in more detail why DORA and System Hardening are closely intertwined?
Then be sure to read the rest of our DORA guide!
_________________
What is DORA?
The acronym “DORA” stands for “Digital Operational Resilience Act”. This European Union regulation aims to strengthen digital operational resilience across the financial sector. It is designed to ensure that financial institutions such as banks and insurance companies are able to protect their IT systems and digital processes from cyber threats, to recover quickly from security incidents.
When is DORA “valid”?
The regulation (specifically: Regulation (EU) 2022/2554) was adopted by the European Parliament and the Council of the European Union on 14 December 2022. DORA has been applicable since January 17, 2025. This means that from this date, the institutions and companies concerned must implement the requirements in practice.
But there are exceptions: “There is a transitional period for some institutions. They do not have to fully apply DORA until January 1, 2027. This is regulated by the KWG, the German Banking Act,” explains Jens Obermöller in a German interview.
The Head of Division, IT Supervision Group at BaFin (Bundesanstalt für
Finanzdienstleistungsaufsicht / Federal Financial Supervisory
Financial Services Supervision), continues: “After the transitional period, we will also repeal the BAIT [Bankenaufsichtliche Anforderungen an die IT / banking supervisory requirements for IT] in full. Who exactly is affected and which DORA requirements must be met and when has been defined in the German Finanzmarktdigitalisierungsgesetz (Financial Market Digitization Act).”
Why is DORA needed?
With the increasing digitalisation and networking in the financial sector, the risk of cyber attacks and IT failures is growing. These can endanger not only individual institutions, but also the stability of the entire financial system.
The Digital Operational Resilience Act was therefore introduced to create a uniform framework for digital resilience in the financial sector, which is intended to improve prevention, detection, response and recovery in the event of disruptions and threats.
All organisations and companies affected by DORA must therefore take appropriate technical and organisational measures to minimise the risks of a cyber security incident. In addition, any possible compromises must be reported and eliminated without delay.

Which companies does DORA apply to?
The European regulation on digital resilience in the financial sector applies to a wide range of companies and organisations, for example
-
- credit institutions
- payment service providers
- investment firms
- providers of crypto services
- trading venues
- transaction registers
- insurance and reinsurance companies
- crowdfunding platforms
- IT service providers that work for the companies mentioned above
The Digital Operational Resilience Act does not apply to, for example
-
- post office giro institutions in accordance with Directive 2013/36/EU
- micro-enterprises or SMEs in the field of insurance mediation
- institutions for occupational retirement provision with fewer than 15 members
What do IT Managers need to be aware of regarding DORA?
If you are responsible for the IT systems of a company that has to comply with the Digital Operational Resilience Act, you will have to implement, optimise and constantly monitor the following measures, among others:
Extended IT risk management
DORA requires you to implement a comprehensive risk management framework that assesses existing risks and includes preventive and reactive measures. You must ensure that risks are continuously identified, assessed, monitored and mitigated.
You also have to develop guidelines and procedures that increase the resilience of your systems to a wide range of cyber threats.
Increasing resilience
When implementing DORA, you must take measures to make your IT system landscape more robust against cyber attacks. This includes reducing the attack surface by deactivating unnecessary services, implementing strict access controls, professional patch management and encrypting sensitive data.
In other words, make sure that your systems are better protected – for example, by System Hardening.
Testing digital operational resilience
DORA requires you to regularly demonstrate the resilience of your IT systems. To do this, you must check your systems and processes using a range of tests, including anomaly detection and penetration testing. These tests are designed to uncover vulnerabilities and verify the effectiveness of your response and recovery plans.
As the person responsible for IT, you are responsible for ensuring that these tests are carried out at appropriate intervals and that the results are used to continuously improve security measures.
Reporting and transparency
The European cybersecurity regulation for the financial sector also emphasises the importance of reporting. According to DORA, you must be able to report significant cybersecurity incidents immediately in order to enable a rapid response and mitigation.
This requires the establishment of efficient communication channels and reporting mechanisms within your organisation and to the supervisory authorities.
Managing third-party risks
Many companies and organisations work closely with IT service providers to overcome the many challenges they face. However, there are risks associated with this cooperation. You therefore need to ensure that the contracts with third-party providers contain appropriate security requirements.
You also need access, inspection and audit rights to verify compliance with these requirements. This is the only way to find out how well your service provider is working.

Promoting cybersecurity
The Digital Operational Resilience Act aims to promote the internal exchange of information and the development of cybersecurity knowledge. They therefore have to create awareness and understanding of security risks among employees. Training and regular information campaigns are crucial to ensuring that security guidelines are followed.
What does DORA mean for System Hardening?
The new EU regulation creates a legal framework aimed at strengthening the digital resilience of your financial institution. System Hardening plays a central role in this framework, as it directly contributes to increased resilience against numerous cybersecurity threats.
Specifically, DORA addresses various issues, some of which we would like to present here as examples:
DORA example 1: SectionVI – Network Security (Art. 13 RTS RMF)
In point 71 in the “Network Security” section, it says:
“Secure configuration baselines, network hardening, and session termination after inactivity limit potential attack vectors.”
This can be freely translated as: “System Hardening reduces the potential (…) attack surface.”
DORA example 2: Article 11 RTS RMF – Data and System Security
This area is particularly interesting because it not only refers to the one-off application, but also to the regular monitoring of leading standards. The wording is as follows:
“The data and ICT system security procedure referred to in paragraph 1 shall include all of the following elements related to data and ICT system security, in accordance with the classification performed pursuant to Article 8(1) of Regulation (EU) 2022/2554:
(a) the access restrictions, in line with Article 21, supporting the protection requirements for each level of classification;
(b) identification of secure configuration baseline for ICT assets that will minimise their exposure to cyber threats and measures to verify regularly that these baselines are those that are effectively deployed. The secure configuration baseline shall take into account leading practices and appropriate techniques referred to in standards (..)”
Update: BaFin implementation notes
On 8 July 2024, BaFin published on its German website the implementation guidelines for DORA.
In our view, BaFin has once again made it very clear with this publication that the actual technical situation must be brought into line with the paper/document situation to a much greater extent than before.
The following is an example of the wording used:
“(…) for the area of operational information security in DORA, it can be seen that the level of detail of the requirements is significantly higher than previously described in Chapter 5 of the BAIT/VAIT. The level of detail corresponds more to the explanations of the BAIT/VAIT as minimum requirements (..)”
For System Hardening, it is clearly stated that “(..) hardening measures are taken and these are regularly checked (..)”
“Protection” as the top priority – that applies to everyone!
You must implement preventive measures to minimise IT risks – this is not only required by DORA, but also recommended by the NIST Cybersecurity Framework.
By hardening your system, you can reduce the attack surface by removing or disabling insecure or unnecessary services, functions and applications, for example. This ensures that many attacks cause no or very little damage.
Implementing robust access controls
Access control is an essential component of System Hardening. DORA expects you to implement strict control mechanisms to ensure that only authorised persons have access to sensitive systems and data.
It is important that you detect (configurational) changes as quickly as possible, whether intentional or not. A tool such as Enforce Administrator is suitable for monitoring access controls and system configurations.
🛠 Enforce Administrator: more information
Regular security assessment
You need to conduct regular audits to identify and fix vulnerabilities in your systems. This includes checking how secure your systems are configured.
With a programme like Enforce Administrator, you can carry out the necessary checks and create evidence for individual systems in just a few minutes.
The hardening reports (“Security Configuration Assessment”) provide you with a transparent and comprehensible overview of the extent to which your operating systems and applications are hardened in accordance with the requirements of CIS, DISA, ACSC, BSI and Microsoft.
How Enforce Administrator fulfills the DORA requirements
This overview shows you the requirements of the Digital Operational Resilience Act in the area of “Secure Configuration” and “System Hardening” and how the Enforce Administrator meets these requirements:
|
DORA findings |
Enforce Administrator solutions |
|
Nothing works in the financial sector without Secure Configuration or System Hardening. |
Enforce Administrator ensures continuous, automated hardening of your IT systems. |
|
Self-devised security configurations are a thing of the past. Established standards must be used. |
With Enforce Administrator, your systems are hardened according to the latest standards – for example, according to the recommendations of CIS, DISA, BSI, ACSC and Microsoft. |
|
Measures that control the actual implementation of the configuration are extremely important. |
A core function of the Enforce Administrator is the independent monitoring of systems and centralized reporting. |
|
DORA demands clear and comprehensible documentation of the measures taken. |
Recognized reporting, for example for audits, can be created with the Enforce Administrator at the touch of a button. |
|
All these measures are extremely difficult and very time-consuming to implement with Windows group policies. |
Enforce Administrator does not work on the basis of GPOs, but with PowerShell scripts. As it is a no-code tool, you do not have to write a line of code yourself. |
Conclusion
At first glance, it may seem annoying that the European Union has issued another regulation that will mean more work for companies and their IT departments. But DORA, like other regulations, laws and standards (for example, GDPR, NIS2 and ISO27001), makes perfect sense!
All players in the financial sector are of eminent importance for the stability of the basic order of state entities and institutions, and their IT systems must therefore be protected as best as possible – not just once, but on an ongoing basis. You can achieve this resilience against cyber attacks and their consequences by implementing System Hardening, among other things.
Can we help you?
Would you like to know how you can professionally implement an (automated) system hardening in your company? Talk to us – our System Hardening experts are glad to help!
Images: Freepik/Magnific, FMA/OeBN

