Austria’s FMA & OeNB Point to Early Gains One Year Into DORA
Key Takeaways
- Early Impact Visible: Austrian regulators say DORA has already improved transparency and supervisory insight into digital risk.
- Third-Party Exposure Stands Out: Almost two-thirds of reported ICT incidents in 2025 were linked to external service providers.
- Resilience Testing Goes Deeper: Threat-led penetration testing using ethical hackers is now embedded for systemically important firms.
- EU Oversight Expands: Critical ICT providers are subject to direct, coordinated supervision at the European level.
Deep Dive
In a joint assessment published this week, Austria’s financial authorities say the regulation is beginning to reshape how digital risk is understood, reported, and managed across the financial system. The Financial Market Authority (FMA) and the Oesterreichische Nationalbank (OeNB) described the first year of the Digital Operational Resilience Act (DORA) as a constructive one, pointing to clearer insight into cyber incidents, tighter oversight of critical service providers, and what they call an emerging cultural shift in IT security across financial institutions.
The update comes at a time when cyber threats are growing more frequent and more sophisticated, increasingly shaped by the use of artificial intelligence. Regulators also flagged a structural weakness that has become harder to ignore: many banks and financial firms rely heavily on a small number of large ICT providers, often based outside the EU. Even brief outages affecting ATMs, online banking, or payment services can unsettle customers and generate significant costs.
Since 17 January 2025, DORA has introduced a harmonized supervisory framework across the EU. It requires financial entities to report serious digital incidents, carry out regular security testing, and strengthen controls over third-party ICT providers. In Austria, the framework is being implemented jointly by the FMA and the OeNB.
FMA Executive Director Helmut Ettl said the most immediate benefit has been visibility. One year on, he noted, supervisors are seeing “significantly more transparency regarding digital risks,” describing DORA as a foundational step in reinforcing financial stability in an increasingly digital market.
His fellow Executive Director Mariana Kühnel pointed to how quickly the threat landscape is evolving, particularly with AI-enabled cyber attacks. DORA, she said, helps regulators and firms maintain focus on resilience rather than reacting piecemeal to each new incident.
From the central bank’s perspective, the change has been as much about mindset as mechanics. Thomas Steiner, a Director at the OeNB, said the regulation has helped foster a shared understanding across the sector that digital resilience depends on preparation, clearly defined responsibilities, close cooperation, and regular testing, not just technical fixes.
That shift is beginning to show up in the data. During 2025, Austrian financial institutions reported 103 major ICT-related incidents to the FMA. Nearly two-thirds of those incidents involved external ICT service providers, underscoring how central third-party risk has become to operational resilience. New registers of information on ICT providers now allow Austrian and European supervisors to assess potential systemic impacts more quickly and coordinate responses when incidents occur. For the first time, authorities say, there is also a common EU-wide basis for sharing information on cyber threats, enabling faster reactions across borders.
Testing has also moved closer to real-world conditions. Under DORA, systemically important financial entities must carry out threat-led penetration tests every three years, with ethical hackers simulating realistic attacks on critical systems. In Austria, the OeNB’s TIBER-Cyber Team, working alongside the FMA, oversees these exercises. Regulators say the initial pilot phase has been completed successfully and obligated entities have been identified and informed.
The FMA and OeNB say DORA is giving supervisors and firms a common, Europe-wide toolkit for spotting digital risks earlier and responding more coherently. Both authorities say they will continue their close cooperation as the framework matures, with the goal of embedding these practices and strengthening trust in the resilience of the financial system.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.