DORA: BaFin announces simplifications for the first-time audit

BaFin clarifies: There will be simplifications for the affected financial institutions during the initial audit of DORA.
Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.

Since January 17, 2025, the Digital Operational Resilience Act (DORA) has required financial institutions to make their IT systems, processes and security architectures resilient to cyber incidents and operational disruptions. At the same time, DORA tightens the requirements for traceability: implementation must be comprehensively documented and presented transparently in the course of audits. Documentation, not only technical resilience, is therefore a central element of the new regulation. For the first-time audit, however, BaFin has announced simplifications.

DORA as the new audit reality

For audits of financial statements, this means an expansion of the scope of the audit: in addition to the existing requirements of BAIT (banking supervisory requirements for IT), ZAIT (payment services supervisory requirements for IT) and KAIT (supervisory requirements for IT at asset management companies), the DORA requirements come into focus as a new audit dimension.

These national circulars each contain detailed minimum requirements for IT governance, security management, business continuity concepts and outsourcing management. The first audit cycles under DORA are particularly important, as they allow supervisory authorities and companies to obtain an independent assessment of the implementation status for the first time.

Against this background, BaFin explained two practical simplifications for the first-time audit of directly supervised financial companies in a letter to the Institute of Public Auditors in Germany (IDW) dated August 11, 2025.

Exemption from the reporting obligation for fully remedied defects

In practice, a large number of findings can be expected in the first year of DORA application. Many of these deficiencies, however, are rectified within the same audit period, not least because some of the necessary regulatory and implementing technical standards (RTS/ITS), for example on incident reporting, the register of information or subcontracting, were published very late.

Under the relevant auditing standards, such corrected deficiencies would nevertheless have to be listed in the audit report. This could overload the report and cause confusion.

BaFin therefore permits the following for the transitional period:

  • Simplification: Deficiencies that have already been fully remedied do not have to appear in detail in the audit report.
  • Duty to inform: The auditor must nevertheless point out briefly that there were deficiencies in the reporting period that have since been rectified. This enables the report recipients to ask follow-up questions.
  • Documentation: The findings remain in the auditor's internal working papers and therefore stay traceable.
  • Clarification: The relief applies only to the reporting, not to the performance of the audit itself.


From subsequent years, the comprehensive reporting obligation for all findings applies again.

Audit subject matter for deviating financial year 2024/2025

For financial companies with a financial year that deviates from the calendar year (e.g. July 2024 to June 2025), the question arises as to which requirements must be audited from January 17, 2025 onwards. This affects in particular institutions whose financial year spans both the period before DORA became applicable and the first months thereafter.

BaFin clarifies:

  • A complete DORA audit for this interim period is ruled out, as the Financial Market Digitalisation Act (FinmadiG) provides for transitional provisions.
  • Nevertheless, the obligation to perform an IT audit remains as part of the audit of the adequacy and effectiveness of risk management and the business organization.
  • For this period, the audit should be based on BAIT, ZAIT and KAIT, insofar as their requirements are also contained in DORA.
  • DORA requirements that go beyond the previous national circulars are not the subject of the audit.


This creates a clear transitional framework: on the one hand, it ensures that key aspects of IT governance and resilience continue to be reviewed; on the other hand, companies are not burdened with a complete changeover in the middle of the financial year. The solution avoids duplicate audits and gives auditors and companies clarity as to how the audit topics are to be defined in the transition year. It also allows audit practice to continue without excessive additional expense.

Reading tip: BaFin publishes guidance on documentation requirements

DORA audit 2025: evaluation and outlook

For the supervised institutions, the simplifications mean a noticeable reduction of the burden in the first audit year. In particular, no longer having to report fully remedied deficiencies in detail significantly reduces follow-up work and subsequent communication. At the same time, the clear demarcation for deviating financial years allows for better planning: companies know that they will not immediately be subject to a full DORA audit during the transition period, but will continue to be audited within the familiar framework (BAIT/ZAIT/KAIT).

BaFin's letter provides legal certainty and clear audit standards for auditors. Without this clarification, auditors would have had to list numerous deficiencies that had already been resolved, which would have overloaded the report and reduced its value for the supervisory authority. With the chosen solution, the audit report focuses on the material weaknesses that still exist at the end of the period. This improves readability and decision relevance for addressees such as supervisory boards or BaFin itself.

BaFin is pursuing a clear objective with these simplifications: to ease the burden on institutions while maintaining audit quality. The duty to inform in the report preserves the necessary transparency. If an institution or the supervisory authority has questions about deficiencies that have been rectified, these can be clarified via the working papers or in dialog with the auditors. The supervisory authority therefore loses no information; only the formal reporting burden is reduced.

The simplifications described apply only to the initial audit in 2025. From the 2025/2026 financial year, the full DORA audit will be mandatory and all findings must again be reported comprehensively, including findings remedied during the reporting period. Financial companies should therefore use the transition phase to complete their DORA implementation projects quickly and in full.

BaFin can also be expected to gain valuable insights into implementation practice from the first audits, which will presumably feed into future audit priorities, guidance or circulars. It is therefore strategically advisable not merely to implement the minimum needed to satisfy the transitional rules, but to reach a high level of DORA compliance at an early stage.

Focus on the main risks

With the two simplifications

  1. exemption from the reporting obligation for rectified deficiencies and
  2. the transitional regulation for deviating financial years,

BaFin takes into account the particular challenges of the DORA initial audit.

The measures provide relief, legal certainty and better readability of the audit reports without compromising audit quality. At the same time, BaFin is sending a signal: even in the first year, the focus is not on the formal completeness of the reports but on the substance of the key risks.

For the institutions, however, this is not a carte blanche but a call for consistent DORA implementation in order to meet the full requirements from 2026 at the latest.

Source: Letter from BaFin dated 11.08.2025 to the Institute of Public Auditors in Germany (IDW)

Our offer: As experts in data protection, compliance and risk management, we support you in implementing the DORA requirements. Arrange an introductory appointment and let us work together to make your organization future-proof.

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.
