DORA – FMA Activities

Activities
The FMA is active in various committees focused on the further development of legislation and on reaching agreements on supervisory convergence, and it also supports supervised entities in their implementation of DORA.
Latest news
On 2 June 2026, the FMA and OeNB held a DORA Dialogue event with financial undertakings on “AI-based vulnerability searching and exploitation”.
It focused on the current challenges presented by modern AI models and on potential responses to them.
The following are available in German only.
Introductory video to the DORA Dialogue on 2 June 2026
Dialog KI-basierte Schwachstellensuche und -ausnutzung (Format: pdf, Size: 6,4 MB, Language: German)
Fragenbeantwortungen_DORA-Dialog_2.6.2026 (Format: pdf, Size: 160,8 KB, Language: German)
The relationship between DORA and NIS2/NISG 2026 for financial undertakings
Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA) constitutes a sector-specific legal act (lex specialis) relative to the NIS2 Directive and the NISG. Pursuant to Article 24 para. 7 NISG 2026, for financial undertakings that fall under DORA’s scope of application, the relevant provisions of DORA take precedence over the provisions of the NISG 2026. Beyond that, the NISG 2026 generally applies to financial undertakings.
What provisions of the NISG 2026 are not applicable for financial undertakings?
For financial undertakings that are subject to DORA and are also classified as essential or important entities as defined in the NISG 2026, in particular the following provisions of the NISG 2026 do not apply:
- Governance Requirements (Article 31 NISG 2026),
- Cybersecurity Risk Management Measures (Article 32),
- Proof of Effectiveness of such Measures (Article 33),
- Reporting Obligations (Article 34),
- Specific rules on the exchange of information between financial undertakings (Article 36),
- Supervisory and Enforcement Measures (Articles 38 and 39) as well as
- Relevant administrative penal provisions (Article 45)
Which provisions continue to apply?
- Inclusion in the national cybersecurity strategy (Article 15 NISG 2026),
- Cooperation with Computer Security Incident Response Teams (CSIRTs) (Articles 8 et seq.),
- Cooperation in the Management of Large-Scale Cybersecurity Incidents (Article 16) as well as within EU-CyCLONe,
- Registration requirements pursuant to Article 29 para. 2 NISG 2026
Is a parallel application of DORA and NISG 2026 possible?
A parallel application of DORA and NISG 2026 is possible where a financial undertaking performs other activities in other sectors in the scope of NISG 2026. In such cases, the respective NISG 2026 obligations continue to apply, where those activities are affected.
What specificities apply for ICT third-party service providers?
Under Article 2 (2) DORA, ICT third-party service providers are not financial undertakings as defined in DORA. DORA therefore does not apply to them as lex specialis. Consequently, they are subject in full to the requirements of the NISG 2026, including supervision and enforcement.
The FMA is monitoring current developments relating to AI models such as “Claude Mythos,” which enable the automated discovery and exploitation of software vulnerabilities.
According to CERT.at, successful exploitation of vulnerabilities—particularly in edge devices—is to be expected. CERT.at therefore recommends designing all processes related to patch management to be effective and timely, reducing the attack surface, and ensuring adequate network segmentation, rapid detection, and robust recovery processes.
CERT-EU points out that AI-supported tools fundamentally change previous assumptions about available reaction times. The time window between the discovery and the exploitation of vulnerabilities is shrinking significantly, and existing security measures must be adapted to this new pace. CERT-EU recommends not waiting for specific incidents before reviewing existing protective measures, but instead implementing organisational and technical adjustments now and proactively strengthening defence and response capabilities.
Against this background, the FMA expects financial institutions to take current recommendations into account without delay and to adjust their existing measures where necessary. ICT officers should therefore check whether their organisation is able to withstand such increased demand, especially where multiple ICT security incidents and, in parallel, patch deployments require attention at the same time. Third-party ICT service providers that provide services for financial institutions should also be involved in this review. For example, tabletop exercises are recommended for testing this threat scenario. In addition, we recommend keeping informed about the latest developments on an ongoing basis and ensuring that resources are available to handle peaks in load.
A related information event is currently being planned.
- Current notifications/warnings/newsletters: CERT.at – News (in German), CERT-EU
- Cloud Security Alliance: The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program: https://labs.cloudsecurityalliance.org/mythos-ciso/
- SANS Critical Advisory: BugBusters – AI Vulnerability Discovery Hype vs. Reality: https://www.sans.org/mlp/sans-critical-advisory-bugbusters-ai-vulnerability-discovery-hype-vs-reality
- NIST: NIST Updates NVD Operations to Address Record CVE Growth
- AI Security Institute: Our evaluation of Claude Mythos Preview’s cyber capabilities: https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities
- National Cyber Security Centre: Why cyber defenders need to be ready for frontier AI: https://www.ncsc.gov.uk/blogs/why-cyber-defenders-need-to-be-read
- Zero Day Clock: From Vulnerability to Exploitation: https://zerodayclock.com/
(Updated as of 30 April 2026 to include information from CERT-EU, additional links and a reference to a planned information event)
The FMA will request the following documents to be submitted by all LSI banks as well as selected other supervised financial entities by 29 May 2026:
- strategy on ICT third-party risk (Art. 28 (2) DORA)
- exit strategies (Art. 28 (8) DORA, Art. 10 RTS 2024/1773)
Institutions will be informed individually in a timely manner, but we would already like to draw institutions’ attention to the documents to be reviewed.
An FMA/OeNB Dialogue event was held on 18 February 2026 together with financial undertakings on the topic of “Ein Jahr DORA – Highlights, Herausforderungen & Way Forward” (DORA at one – highlights, challenges, & the way forward).
It focussed on experience and findings in the key areas of DORA: ICT risk management, ICT-related incidents and the exchange of information, operational resilience, ICT third-party risk management, the new Oversight Framework for critical ICT third-party service providers, and the latest developments in ICT and cyber-risk inspections. The dialogue event concluded with a look ahead to the next steps.
DORA-Dialog_1 Jahr DORA – Rückblick_Ausblick (Format: pdf, Size: 2,6 MB, Language: German)
Older news
The FMA requires the complete Register of Information pursuant to Article 28 (3) fourth subparagraph of Regulation (EU) 2022/2554 with a reference date of 31.12.2025 by 13.03.2026 at the latest. Details can be found on the page “Management of ICT third-party risk”.
The key issues regarding digital operational resilience were addressed at the FMA/OeNB Dialogue event held on 23 October 2025.
The focus was on the experiences with the Registers of Information of ICT third-party service providers for 2025, a look ahead to the 2026 report, as well as current issues regarding ICT-related incidents and the new Oversight Framework for critical ICT third-party service providers.
Information about DORA incidents and the voluntary exchange of information on cyber threats was presented at a supervisory dialogue on 16 June 2025:
Information about DORA registers of information was presented at an FMA-organised Dialogue event on 31 March 2025:
Reden wir über Aufsicht – DORA Informationsregister (Format: pdf, Size: 184,1 KB, Language: German)
The following documents (in German only) explain how to submit notifications and reports in relation to DORA through the FMA Incoming Platform.
DORA_Anzeigen_Meldungen-IP – Asset Manager (Format: pdf, Size: 340,5 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – KI ZI EGI (Format: pdf, Size: 344,5 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – MI (Format: pdf, Size: 318,3 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – WPF CSDL CASP (Format: pdf, Size: 335,4 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – VU (Format: pdf, Size: 407,6 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – BVK (Format: pdf, Size: 359,9 KB, Language: German)
DORA_Anzeigen_Meldungen-IP – PK (Format: pdf, Size: 336,5 KB, Language: German)
The FMA selects thematic priorities for supervision, and in 2024 it is drawing up its Austrian Digital Landscape. In addition to evaluating the level of digitalisation of business operations, this evaluates in particular supervised entities’ operational resilience with regard to their information technology landscape (IT Landscape), the interdependencies arising from information and communication technologies (ICT interdependencies), and their cyber-resilience.
This focus allows the FMA to adequately include the implications of digitalisation among supervised entities in its risk-based approach to supervision and in the general supervisory assessment of undertakings, and to identify the relevant ICT service providers in the Austrian financial market.
The Austrian Digital Landscape is a continuation of the Digitalisation Studies conducted to date.
The webinar organised by the FMA on 5 November 2024 presented various DORA-related topics and questions were answered.
The presentation from the event and questions are available in German only.
Präsentationsunterlagen DORA-Webinar 5.11.2024 (Format: pdf, Size: 1,6 MB, Language: German)
Hinweise zum Webinar 5.11.24 (Format: pdf, Size: 214,6 KB, Language: German)
As announced, ‘Questions and answers’ on the respective subject areas will also be updated subsequently.
Contact us
DORA-related questions should be addressed to the following e-mail address:
The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to the up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.