FRANKFURT SCHOOL

BLOG

ICT risks caused by third parties – ideas for the identification and mitigation of risks
Executive Education / 9 February 2026
Author: Dr. Buchmüller, Professor of Economics and Business Administration (Banking and Finance) at the Duale Hochschule Baden-Württemberg (Baden-Württemberg Cooperative State University), Villingen-Schwenningen
As a member of staff at BaFin, Dr. Buchmüller was responsible for transposing the Basel II requirements on operational risk (OpRisk) into national supervisory law and was a member of the OpRisk working group of the Basel Committee on Banking Supervision. He has many years of experience as a risk manager in the public and private banking sector and as an employee of the Federal Financial Supervisory Authority (BaFin). He works on implementation issues relating to banking supervisory law, DORA, IT security and sustainability risks.



In recent years there have been frequent power outages, each followed immediately by disruptions to the information and communication infrastructure. The result has been significant disruption to business activity, affecting financial institutions and other companies, public administrations and private individuals alike.

Further disruptions to the energy and telecommunications infrastructure, to IT services and to data centre operations are expected in future, and these will have a direct impact on financial companies. The main drivers are our ever-increasing reliance on third parties, the potential for escalating (geo)political threats (e.g. the sabotage of power lines in Berlin in early January 2026) and the increased risk of natural hazards.

For these reasons there is an urgent need for better crisis management and more effective protective measures for critical dependencies, particularly on energy, telecommunications and cloud services, which are fundamental third-party services for financial companies. So far, the Digital Operational Resilience Act (DORA) has focused too much on having the financial companies in its scope fulfil formal compliance and governance requirements, often without adding much substance compared to the previous supervisory requirements.

DORA as an important but insufficient step towards strengthening operational resilience

Nevertheless, DORA has made some progress in the areas of emergency and third-party risk management, including information and communication technology (ICT) risk management. Noteworthy developments include the introduction of expanded crisis scenarios and the requirement for financial companies to maintain a register of information that fully documents all ICT third-party services used. As part of the implementation of DORA, financial companies will further improve IT security this year by updating their registers of information, reviewing which ICT services support critical or important functions, conducting expanded emergency tests, revising their contractual agreements with third-party service providers and regularly reviewing the quality of the services those providers deliver. Auditors and supervisory authorities can contribute to this through their auditing activities.

So, what can be done now to comprehensively strengthen digital resilience?

An important additional step would be better government coordination of vulnerability analyses and emergency response exercises, based on the critical ICT third-party service providers designated at EU level under DORA. Although the list of these providers is quite short at first glance, it highlights the importance of the general telecommunications infrastructure, large data centre providers and cloud providers: a small number of providers sit underneath a large share of the financial sector's critical functions.
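The following is an added example and not part of the original post: a small single-point-of-failure analysis over a constructed register of ICT third-party services, illustrating the concentration point made above and the "which ICT services support critical or important functions" question from the register of information. Each function lists redundancy groups (it stays up as long as at least one provider in every group is up), and a second table records each provider's own upstream dependencies (subcontractors, telecom lines, the power grid), so an outage at the bottom of the chain propagates upwards. All function and provider names, both tables and the helper functions are constructed for illustration and do not describe any real institution or provider.

```python
"""Single-point-of-failure analysis over a constructed ICT third-party register (added example)."""
import copy

# Constructed register: critical/important flag plus redundancy groups per function.
# A function fails when some group has no surviving provider.
FUNCTIONS = {
    "payments":       {"critical": True,  "groups": [["cloud-a"], ["core-banking-host"]]},
    "online-banking": {"critical": True,  "groups": [["cloud-a"], ["cdn-x"]]},
    "trading":        {"critical": True,  "groups": [["dc-b"], ["telco-1", "telco-2"]]},
    "hr-portal":      {"critical": False, "groups": [["saas-hr"]]},
}

# Constructed subcontracting / infrastructure chain: provider -> what it needs to operate.
UPSTREAM = {
    "cloud-a": ["telco-1", "grid-north"],
    "dc-b": ["grid-north"],
    "core-banking-host": ["dc-b"],
    "cdn-x": ["telco-2", "grid-south"],
    "saas-hr": ["cloud-a"],
    "telco-1": ["grid-north"],
    "telco-2": ["grid-south"],
    "grid-north": [],
    "grid-south": [],
}


def transitive_upstream(provider, upstream):
    """Every provider whose outage propagates to `provider` (iterative DFS, cycle-safe)."""
    seen, stack = set(), [provider]
    while stack:
        for dep in upstream.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def is_down(provider, failed, upstream):
    """True if `provider` itself failed or depends (directly or indirectly) on the failed one."""
    return provider == failed or failed in transitive_upstream(provider, upstream)


def function_is_down(spec, failed, upstream):
    """A function fails when at least one redundancy group has lost all of its providers."""
    return any(all(is_down(p, failed, upstream) for p in group) for group in spec["groups"])


def single_points_of_failure(functions, upstream):
    """Map each provider to the sorted critical functions its outage takes down, worst first."""
    providers = set(upstream)
    for spec in functions.values():
        for group in spec["groups"]:
            providers.update(group)
    ranking = {}
    for p in providers:
        hit = sorted(f for f, spec in functions.items()
                     if spec["critical"] and function_is_down(spec, p, upstream))
        if hit:
            ranking[p] = hit
    return dict(sorted(ranking.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def add_alternative(functions, function_name, existing_provider, new_provider):
    """Return a copy of the register in which `new_provider` backs up `existing_provider`."""
    updated = copy.deepcopy(functions)
    for group in updated[function_name]["groups"]:
        if existing_provider in group and new_provider not in group:
            group.append(new_provider)
    return updated


if __name__ == "__main__":
    before = single_points_of_failure(FUNCTIONS, UPSTREAM)
    for provider, hit in before.items():
        print(f"{provider:18s} -> {', '.join(hit)}")
    # Mitigation: a second cloud region on a different telecom line and grid (constructed).
    upstream2 = {**UPSTREAM, "cloud-b": ["telco-2", "grid-south"]}
    functions2 = add_alternative(FUNCTIONS, "payments", "cloud-a", "cloud-b")
    functions2 = add_alternative(functions2, "online-banking", "cloud-a", "cloud-b")
    after = single_points_of_failure(functions2, upstream2)
    print("after adding cloud-b:", {p: len(h) for p, h in after.items()})
```

Running the script lists the constructed grid operator first, because it sits underneath the cloud region, the data centre and one telecom line at once, so every critical function depends on it without that dependency appearing in any single contract. Adding a second cloud region on a different telecom line and grid removes the first telecom line and the primary cloud provider from the list, while the data centre remains a single point of failure for payments and trading. A real register of information would also carry contract identifiers, subcontracting ranks and exit strategies, which this example omits.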

As part of the implementation of NIS 2 (based on the NIS 2 Implementation Act, NIS2UmsuCG, published in the German Federal Law Gazette (Bundesgesetzblatt) in December 2025) and of the CRITIS (critical infrastructure) umbrella law passed by the Bundestag on 29 January 2026, the relevant companies in the energy, water, telecommunications and IT sectors must now be identified and integrated into European and national risk management and into the emergency drills.

In general, it would be highly desirable to compile a list of the most important CRITIS operators in Germany and require them to conduct comprehensive emergency drills for their physical infrastructure. In addition, particularly important CRITIS operators should identify significant vulnerabilities with the help of an external service provider, similar to threat-led penetration testing under DORA. Such a specially certified penetration testing provider would analyse vulnerabilities in the ICT infrastructure and report to the CRITIS operator, in strict confidence, on specific ways in which the entire physical infrastructure, including power lines, could be sabotaged. As with threat-led penetration testing, the scope of the test would need to be agreed in advance and the findings handled as highly confidential. This would lay the foundation for concrete risk mitigation measures.

Expansion of state and municipal emergency exercises and operational capabilities

It would also make sense to further expand warning and emergency drills in municipalities and districts, with the participation of the Federal Office for Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, BBK) and local companies. The practical expansion of the Technical Relief Service (Technisches Hilfswerk, THW) for crisis management should also be considered; to this end, the AG KRITIS has already developed a concept for a "cyber aid organisation" (Cyber-Hilfswerk). In the short term, closer collaboration between THW and BSI crisis teams, with the involvement of the German Armed Forces, is desirable for emergency drills designed to counter hybrid attacks. Further exercises with a "cyber attack" scenario at regional level in Germany should also be conducted, simulating successful attacks on the ICT systems of public administrations (see also LÜKEX 2023) in combination with physical sabotage of the power supply and of the telecommunications transmission infrastructure. Such cyber and infrastructure emergency drills should also involve interested companies and could complement the companies' own emergency drills.

The financial resources for such a federal initiative to increase the resilience of critical infrastructure, particularly in the areas of energy and telecommunications, could be made available in Germany through special funds following the reform of the Federal debt rule (debt brake).

Under the new multiannual financial framework, the EU could provide substantial funding from 2028 onwards for a wide range of measures that increase the redundancy of technical infrastructure and reduce dependence on non-European ICT infrastructure providers. In this context, consideration should be given early on to linking this with regulatory requirements in the field of AI, and to promoting AI providers within the EU, so as to avoid creating new dependencies on relevant third-party service providers outside Europe.
The Frankfurt School offers courses on IT security in the financial services sector as part of the certificate programme in Non-Financial Risk Management. These courses are delivered in cooperation with the German Society for Operational Risk Management. We also offer a certificate programme in IT Regulatory Assurance Management in cooperation with ISACA®, as well as one-day seminars on DORA and NIS2.

Co-Author:
Dr. Jens Gampe (German Armed Forces, lecturer at Leipzig University, formerly employed by BaFin in IT supervision)