National Supervisory Programme 2025-2027: Focus on Cyber Resilience and DORA

In 2025, banks and their service providers will face a multitude of new challenges: cyberattacks are on the rise, digital dependencies are growing, and DORA is bringing profound changes. But which aspects will the supervisory authorities examine most critically? The German National Supervisory Programme (NSP) 2025-2027 provides a clear direction.

Overview of the German National Supervisory Programme (NSP) 2025-2027

The National Supervisory Programme (NSP) is defined annually by the Federal Financial Supervisory Authority (BaFin) and the Deutsche Bundesbank. It serves as a guideline for the supervision of national credit institutions in Germany and is based on a comprehensive assessment of the risks and the areas of activity of the institutions under supervision. The programme also takes into account the priorities of the Single Supervisory Mechanism (SSM) and adapts to current economic and geopolitical developments.

The following supervisory priorities have been defined for 2025-2027:

  1. Digital resilience and implementation of DORA – ensuring the IT resilience of financial institutions and reviewing the implementation of DORA.
  2. Cyber security and cyber risks – increased requirements for protection against cyber attacks and for managing reliance on third-party providers.
  3. Risk management and credit monitoring – monitoring lending standards and collateral valuation, particularly in the commercial real estate market.
  4. Governance and business models – reviewing management structures and the long-term sustainability of business models.
  5. Interest rate risk and market volatility – analyzing institutions’ interest rate sensitivity and the potential impact on their financial stability.

DORA as a Focus: Implementation and Regulatory Control

Strengthening digital resilience is the central objective of DORA, and in 2025 the supervisory authority will specifically examine the extent to which financial institutions actually have their IT risks under control. In recent years, regulators have found that although many banks have adopted guidelines, their implementation often remains patchy in practice.

There is therefore a particular focus on the operational implementation of ICT risk management. Institutions must prove that their identification, assessment and mitigation of IT risks not only exist on paper, but are anchored in their business processes. The following questions in particular will be relevant in the context of supervision:

  • Are there established and regularly tested contingency and crisis plans that realistically simulate cyber attacks or system failures?
  • Are ICT risks continuously monitored or do institutions only react when problems occur?
  • How is third-party management implemented, particularly with regard to critical third-party ICT service providers?
  • Have banks created a complete register of information about their IT service providers and, if necessary, have they also recorded all subcontractors?

Excursus: Information Register

The requirements for the information register for third-party ICT service providers have been further specified. According to Article 28 (3) DORA, financial institutions must not only keep a complete overview of their contracts with IT service providers, but also submit this to the supervisory authority in a timely manner. In addition to direct contractual partners, subcontractors must also be documented if they perform critical or important functions for the institution.

BaFin has specified that the first registers must be submitted via the Reporting and Publication Platform (MVP) by April 11, 2025 in order to meet the requirements of the European Supervisory Authorities (ESAs). These registers will then be forwarded to the ESAs by the competent authorities by April 30, 2025. From 2026, the transmission will take place annually on March 31, based on the previous year’s contract information.

Practical Examples: Recurring Weak Points from Audits

Past audits by the supervisory authorities have shown that financial institutions continue to have significant deficits in their digital resilience. According to the Bundesbank’s monthly report from September 2024, the five most common vulnerabilities relate to:

  • Critical vulnerabilities in ICT risk management – over half of the identified findings were classified as “major” or “critical”.
  • Deficits in third-party risk management – financial institutions often have incomplete contracts with third-party ICT service providers and insufficient risk management in this area.
  • Inadequate contingency planning and backup strategies – ransomware attacks have shown that many financial institutions have not implemented robust backup and recovery mechanisms.
  • Poor identification and documentation of ICT assets – several audits have found that banks have deficiencies in identifying information protection needs and therefore do not maintain complete and up-to-date inventories of their ICT assets.
  • Lack of training for employees on cyber security best practices – more than two thirds of employees deliberately circumvent security requirements. Audits show that protective measures are often insufficiently implemented or reviewed, making banks more vulnerable to cyberattacks.

Conclusion: DORA as the Basis for a Future-Proof Banking Landscape

The consistent implementation of DORA and the strengthening of digital resilience will be the focus of banking supervision in 2025. The supervisory authorities are increasingly relying on targeted audits and close monitoring of the implementation of cyber security measures. Banks that act early will not only be able to meet regulatory requirements, but will also secure strategic competitive advantages. The coming years will show which institutions are able to successfully master the new challenges.

Your Expert for Questions about Regulatory Compliance Consulting

Thomas Lang

Partner & Managing Director

valantic GmbH
