Financial Services

Published: April 28, 2026

Last updated: April 28, 2026

DORA Article 9: Why German Banks Are Failing Basic ICT Access Controls

Marcus T.

Financial Reg Expert

The Digital Operational Resilience Act (DORA) has fundamentally shifted how EU financial entities must manage ICT risk. Yet, despite years of preparation, major institutions are still failing.

Case in point: BaFin's recent €4.2M fine against a German bank under DORA Article 9.

The Root Cause

The bank didn't suffer a massive cyber breach. Its failure was far more mundane: it was tracking third-party ICT access controls in large, manually updated Excel spreadsheets.

When auditors requested proof of access revocation for offboarded contractors over a six-month period, the spreadsheets didn't match the Active Directory logs. The manual tracking process had fallen out of sync with the technical reality: accounts recorded as revoked were still enabled, and accounts that had been disabled were never recorded as such.
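The kind of reconciliation check that would have surfaced this gap before the auditors did, written here as an added example (not Beacon's code and not anything taken from the case): it compares a constructed offboarding spreadsheet against a constructed directory export and lists every disagreement an auditor would flag. The column layout of both files is an assumption.

```python
import csv
import io

# Constructed sample: what the manually maintained spreadsheet claims.
SPREADSHEET_CSV = """account,vendor,offboarded_on,revoked
c.mueller,VendorA,2026-01-15,yes
j.schmidt,VendorB,2026-02-02,yes
a.weber,VendorA,,no
t.fischer,VendorC,2026-03-10,no
"""

# Constructed sample: directory state, one row per account (layout assumed,
# e.g. an export of enabled flag and last logon per user).
DIRECTORY_CSV = """account,enabled,last_logon
c.mueller,true,2026-03-01
j.schmidt,false,2026-01-30
a.weber,true,2026-04-20
t.fischer,true,2026-04-01
r.becker,true,2026-04-25
"""


def _by_account(text):
    return {row["account"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(spreadsheet_csv, directory_csv):
    """Return sorted (account, finding) pairs where tracking and directory disagree.

    Dates are ISO strings, so plain string comparison orders them correctly.
    """
    sheet = _by_account(spreadsheet_csv)
    directory = _by_account(directory_csv)
    findings = []
    for account, row in sheet.items():
        entry = directory.get(account)
        enabled = entry is not None and entry["enabled"].lower() == "true"
        revoked = row["revoked"].lower() == "yes"
        if revoked and enabled:
            findings.append((account, "marked revoked but directory account still enabled"))
        if revoked and entry and entry["last_logon"] > row["offboarded_on"]:
            findings.append((account, "logon recorded after offboarding date"))
        if row["offboarded_on"] and not revoked and enabled:
            findings.append((account, "offboarded but revocation never recorded or performed"))
    for account in directory.keys() - sheet.keys():
        findings.append((account, "directory account not tracked in spreadsheet"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in reconcile(SPREADSHEET_CSV, DIRECTORY_CSV):
        print(f"{account}: {finding}")
```

Run against real exports on a schedule, the same function turns a point-in-time audit into continuous evidence that revocations actually happened.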

Automating DORA Compliance

DORA's requirements are too complex and fast-moving for manual mapping. Financial institutions must implement upstream intelligence that automatically translates DORA mandates into specific API checks and automated IAM workflows.

Beacon's integration with downstream tools like SAP GRC ensures that when an access control policy updates, the compliance verification is automated, eliminating the human error that leads to multi-million euro fines.

Strategic Regulatory Context

This blog is part of Beacon's 2026 Intelligence Series. For a comprehensive view of the evolving regulatory landscape, explore our core strategic guides.