German Banks Flunk Stress Tests
The first true cyber resilience tests under European supervision are underway, and the results are more uncomfortable than anticipated. Mid-sized bank leaders and IT managers are discovering just how vulnerable their threat intelligence really is.
06.05.2026
Key Takeaways
- Obligation of TLPT every three years: BaFin and the Bundesbank will designate the affected institutions. Those named in the first wave of 2026 will have only six months before submitting their scope. This is a shorter timeframe than typical audit preparation.
- Threat intelligence is the bottleneck: The tests rely on external intelligence that adapts real attacker profiles to each institution’s specific context. In the initial trials, this is where the main delays occur, not during the red teaming itself.
- TIBER-DE tests count: institutions tested after January 17, 2025, under the updated TIBER-EU framework can credit that test toward their three-year cycle. This gives banks with a TIBER history some room to maneuver; FinTechs without one get none.
What Early Q1 Launches Truly Reveal
What is a Threat-Led Penetration Test (TLPT) mandated by DORA? A TLPT is a simulated attack, directed by threat intelligence, against the production systems of a financial entity, as required by Articles 26 and 27 of Regulation (EU) 2022/2554 (DORA). External threat intelligence is the foundation: a red team acts covertly against the organization's critical or important functions while the internal blue team is not told that a test is running. Selection and supervision are handled by BaFin and the Bundesbank, and the cycle is at least three years.
DORA mandates threat-led penetration tests at least every three years under Articles 26 and 27. The operational mechanism has been known in the German market since 2019 as TIBER-DE. The key difference in 2026 is active supervision by BaFin and the Bundesbank, who now directly contact and monitor the process. This is no longer a voluntary resilience exercise as seen in 2022.
In institutions affected by the first wave of designations, similar observations are circulating. The technical component, the red teaming itself, is proceeding correctly. Providers are familiar with the DORA RTS, the methodology is well understood, and escalation paths have been documented in most banks since their earlier TIBER exercises. The bottleneck lies in three upstream steps.
Firstly, defining the scope. DORA requires coverage of critical or important functions, meaning processes whose interruption would directly affect business operations, regulatory obligations, or customer commitments. This sounds straightforward but is not. In a typical mid-sized bank, a critical function may depend on three to seven applications, two of which are hosted by a third-party ICT service provider. To define the scope precisely, the institution must understand not only its own application stack but also every outsourced service behind it.
Secondly, acquiring threat intelligence (TI). DORA mandates engaging an external TI provider capable of identifying concrete attacker profiles. This does not mean generic lists of CVEs but actual actors that target banks of similar size and business model to the institution being tested. This TI phase is the most frequent cause of delay in the early Q1 launches. Qualified providers are scarce in the DACH market, and lead times can reach three to four months if the search is not started promptly.
Thirdly, internal governance. A TLPT involves three roles: the internal control team, which knows the exercise in its entirety; the operational blue team, which must remain uninformed; and the TLPT lead on the Bundesbank side. If the COO does not establish this governance early, the communication matrix can cost two weeks by week five, for instance when the blue team stumbles on information in Slack channels that it should never have seen.
Where the DORA Maturity of Mid-Sized Institutions Truly Stops
In presentations to the board of directors, DORA maturity often looks like a checklist with green ticks: ICT risk management, incident reporting, the third-party supplier register, resilience testing. The first TLPT sessions quickly reveal where that illusion ends.
The first issue is the inventory of outsourced services. The Register of Information, which DORA requires as a central overview of third-party suppliers, has been submitted by most institutions since the first quarter of 2026. It is rarely kept up to date with any rigor, however. During the TLPT, inconsistencies become immediately apparent, for example when a critical service turns out to be hosted in a different region than the register states. The test does not ask for plausibility; it demands the truth.
The second issue is detection logic. Many mid-sized banks have implemented a SIEM (Security Information and Event Management) system or signed an MDR (Managed Detection and Response) contract over the past two years. Neither replaces operational use cases. The TLPT reveals whether the blue team actually detects an unusual connection from an unexpected origin, or whether it passes under the alert threshold as a mundane anomaly. In three of the four Q1 trials discussed in the sector, this was precisely where the most significant gap was found.
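The gap described above is easiest to see in code. The following is an added example, not part of the article and not any vendor's rule set: two SIEM-style use cases run over a constructed log sample. The first is a classic failed-login threshold; the second compares each successful login against the institution's country baseline. A single privileged login from outside the baseline sails under the first rule and is caught only by the second. The log format, field names, country codes and baseline are all assumptions made for the example.

```python
"""Added example (not from the article): two SIEM-style detection use cases
run over constructed sample log lines. It shows why a threshold-only rule
lets a single anomalous connection pass as a "mundane anomaly" while a
baseline-aware rule flags it. Log format, field names and baseline are
assumptions made for the example."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample of authentication events, one per line.
# Assumed format:  ISO-timestamp  user  source_country  result
SAMPLE_LOG = """\
2026-02-03T08:01:12Z alice DE success
2026-02-03T08:02:40Z bob DE success
2026-02-03T08:05:09Z carol AT success
2026-02-03T08:06:30Z bob DE failure
2026-02-03T08:07:02Z bob DE success
2026-02-03T09:15:44Z svc-backup DE success
2026-02-03T22:47:10Z admin-ops XX success
2026-02-03T22:48:03Z admin-ops XX success
"""

# Countries from which logins are expected (constructed baseline).
BASELINE_COUNTRIES = frozenset({"DE", "AT", "CH"})


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    country: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(Event(*parts))
    return events


def failed_login_threshold(events: list[Event], threshold: int = 5) -> list[str]:
    """Use case 1: brute-force style rule. It alerts only when one user
    accumulates `threshold` failures. A single successful login from an
    unexpected origin never trips it, which is the blind spot in question."""
    failures = Counter(e.user for e in events if e.result == "failure")
    return sorted(user for user, n in failures.items() if n >= threshold)


def unexpected_origin(events: list[Event], baseline: frozenset[str],
                      privileged_prefix: str = "admin-") -> list[tuple[str, str, str, str]]:
    """Use case 2: flag every successful login whose source country lies
    outside the baseline. Privileged accounts are rated high on the first
    hit; no count threshold is needed."""
    alerts = []
    for e in events:
        if e.result == "success" and e.country not in baseline:
            severity = "high" if e.user.startswith(privileged_prefix) else "medium"
            alerts.append((e.ts, e.user, e.country, severity))
    return alerts


def run_use_cases(text: str = SAMPLE_LOG,
                  baseline: frozenset[str] = BASELINE_COUNTRIES) -> dict:
    """Run both use cases over the sample and return their alerts."""
    events = parse_log(text)
    return {
        "threshold_alerts": failed_login_threshold(events),
        "origin_alerts": unexpected_origin(events, baseline),
    }


if __name__ == "__main__":
    for name, alerts in run_use_cases().items():
        print(name, alerts)
```

Run as a script, the threshold rule returns no alerts for the sample, while the origin rule returns two high-severity alerts for `admin-ops`. The point for a blue team preparing for a TLPT is not this particular rule but the habit of writing down, per scenario, which rule would actually fire.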
We spent nine months debating the improvement of our own blue team before the TLPT. In five days of TLPT, we learned what we truly saw—and what we did not see. The first two days were disappointing, but the next three constituted the most honest assessment we have ever undergone.
CISO of an intermediate bank in the DACH region, cited anonymously during a sectoral debate in April 2026.
The third issue is the board's involvement. DORA makes the board of directors personally responsible for ICT resilience. TLPT closure reports not only list the access the red team obtained but also record which escalation decisions the control team took and how long it took for the board to be informed. A COO who approaches a TLPT with a 2019 penetration-testing mindset will be surprised by how fast that information flows.
Six months, six phases: What a TLPT looks like in practice
The sequence is defined in the DORA-RTS and the updated TIBER-EU framework. In practice, the friction is not caused by transitions between phases, but rather by the calendar weeks between them.
Where FinTechs Are Hit Harder Than Mid-Sized Banks
FinTechs were long considered "digital native" actors and therefore operationally more agile. In the context of TLPT, this perception reverses in several respects. Three of them are already visible in the initial Q1 observations.
The first point concerns cloud topology. A typical FinTech relies on one or two hyperscalers, its own container platform, several SaaS sub-services, and a degree of third-party integration that exceeds the classic mid-sized bank model by two orders of magnitude. Maintaining the Register of Information thus becomes a full-time job rather than a quarterly topic.
The second point is the TIBER history. A FinTech that has not undergone previous TIBER-DE exercises starts the first cycle without experience. Mid-sized banks, which have conducted three or four tests since 2020, know how a control team operates, while FinTechs learn this in real-time. This consumes two to three weeks not planned in the schedule.
The third point concerns the board’s responsibility. In FinTechs, founders often sit on the board, having delegated DORA as a compliance issue. However, in the TLPT report, the board is explicitly named. The person who operationally transferred the subject to the security team is handed a dossier at the closing workshop for which they are unprepared.
What a COO Model Should Include in the First Week
Over the past few months, I have worked with several organizations on what a first draft of a TLPT (Threat-Led Penetration Test) program for the executive team should look like, without going into methodological detail. Three fields are sufficient for the initial version; everything else belongs in appendices.
Firstly, an honest map of the institution's own detection capabilities. Not the SIEM vendor's marketing brochure, but a table listing ten realistic attack scenarios and stating, for each, whether the blue team can detect it today. In week 1 this table will have fewer detections than it should. That is precisely the diagnosis.
Secondly, a list of external providers whose failure would directly interrupt a critical function. For each, include the contract status, the date of the last audit, and the ICT risk classification in the register. Anyone who takes more than two days to establish this list has already found the bottleneck before the test reveals it.
Thirdly, a communication matrix. It records who is on the control team, who is on the blue team, and who informs the board at each escalation level. As the Q1 launches have shown, this matrix often decides how smoothly the process runs more than any technical question.
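The register inconsistencies described earlier (a critical service hosted in a different region than declared) and the provider list the COO draft calls for (contract status, last audit date, ICT risk classification) are the same data set seen from two sides. The following added example, which is not part of the article and not a regulator's tool, reconciles a constructed Register of Information extract against a constructed deployment inventory and reports the findings a TLPT would otherwise surface. Provider names, regions, dates, the one-year audit threshold and the field names are all assumptions.

```python
"""Added example (not from the article): reconcile what an institution has
declared in its Register of Information against what its deployment
inventory actually shows. Providers, regions, dates, field names and the
audit-age threshold are constructed for the example."""
from __future__ import annotations

from datetime import date

# Constructed register extract: provider -> what the institution declared.
REGISTER = {
    "cloud-host-a":  {"region": "EU-central", "critical": True,
                      "last_audit": date(2025, 9, 1), "ict_risk": "high",
                      "contract": "active"},
    "payments-saas": {"region": "EU-west", "critical": True,
                      "last_audit": date(2024, 2, 15), "ict_risk": None,
                      "contract": "active"},
    "hr-tool":       {"region": "EU-central", "critical": False,
                      "last_audit": date(2025, 1, 10), "ict_risk": "low",
                      "contract": "expired"},
}

# Constructed inventory: where each service actually runs today, as a CMDB
# or cloud inventory export would show it.
OBSERVED = {
    "cloud-host-a":  {"region": "EU-central"},
    "payments-saas": {"region": "US-east"},
    "hr-tool":       {"region": "EU-central"},
    "new-kyc-api":   {"region": "EU-west"},   # in use, never registered
}

# Reference date for the audit-age check (constructed).
REFERENCE_DATE = date(2026, 4, 1)


def reconcile(register: dict, observed: dict, today: date,
              max_audit_age_days: int = 365) -> list[tuple[str, str, str]]:
    """Return (provider, finding_code, detail) tuples, sorted for stable output.

    Checks: declared region vs observed region, audit age, missing ICT risk
    classification and inactive contracts for providers behind critical
    functions, and services present in inventory but absent from the register.
    """
    findings = []
    for name, decl in register.items():
        obs = observed.get(name)
        if obs is None:
            findings.append((name, "not_observed", "declared but absent from inventory"))
            continue
        if obs["region"] != decl["region"]:
            findings.append((name, "region_mismatch",
                             f"register {decl['region']}, observed {obs['region']}"))
        age = (today - decl["last_audit"]).days
        if age > max_audit_age_days:
            findings.append((name, "stale_audit", f"last audit {age} days ago"))
        if decl["critical"] and decl["ict_risk"] is None:
            findings.append((name, "missing_risk_class",
                             "supports a critical function, no ICT risk rating"))
        if decl["critical"] and decl["contract"] != "active":
            findings.append((name, "contract_inactive", decl["contract"]))
    for name in sorted(observed.keys() - register.keys()):
        findings.append((name, "not_in_register", "in use but never declared"))
    return sorted(findings)


def example_run() -> list[tuple[str, str, str]]:
    """Run the reconciliation over the constructed data."""
    return reconcile(REGISTER, OBSERVED, REFERENCE_DATE)


if __name__ == "__main__":
    for provider, code, detail in example_run():
        print(f"{provider:14} {code:20} {detail}")
```

On the constructed data the script reports five findings: the payments provider runs in a different region than declared, has no ICT risk rating and has not been audited in over two years; the HR tool's audit is stale; and one API is in use without ever having been registered. The clean provider produces no output, which is the point of running the check before the red team does it for you.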
A side note: In many organizations, the discussion around TLPT is still confined to the cyber domain. This is no longer the case. It is now an exercise in managerial clarity, external provider hygiene, and board accountability. This is a COO issue, not just a CISO issue. The person designing the program gains two things: a more rigorous preparation and a report that, once completed, is not forgotten in a drawer.
Honestly, I was initially cautious about the scope of the work. Six months of availability from the COO and CISO is not a side project. However, after the sectoral exchanges in April and reading the first closure reports, my opinion has changed. The effort is real, as is the learning effect. Organizations that take the first iteration seriously emerge with a much clearer view of their dependence on external providers, their detection capabilities, and their escalation culture than three years of internal audits could have provided.
Frequently Asked Questions
Which institutions will be required to conduct a TLPT during the first wave in 2026?
The DORA RTS mandates a quantitative and qualitative selection process. Large banks, major payment service providers, certain insurers, and systemically relevant FinTechs will be identified based on thresholds and the supervisory authority's assessment. BaFin and the Bundesbank will notify the affected institutions directly. An entity that receives no notification is not part of the first wave but remains subject to the regular resilience testing set out in Article 24.
Will a previously conducted TIBER-DE test be considered in the DORA cycle?
Tests conducted after January 17, 2025, within the updated TIBER-EU framework, aligned with the DORA-RTS, can be integrated into the three-year cycle. Previous TIBER tests from 2022 or 2023 will not be automatically considered. The Bundesbank will publish a corresponding document (mapping) in spring 2026, which must be reviewed on a case-by-case basis.
Which external threat intelligence provider can be mandated?
The DORA-RTS specifies that the threat intelligence (TI) provider must be independent of the entity responsible for the Red Team and must demonstrate experience with financial sector actors. In the DACH market, several established actors with TIBER experience are available. The lead time before the mandate is currently three to four months. Any institution that starts only in the notification phase risks a delay in the scope phase.
What is the typical effort for a mid-sized institution?
Reliable sector figures from the first Q1 tests range between 600,000 and 1.2 million euros for external services, plus roughly 1.5 to 2 internal full-time equivalents over a six-month period. The range depends on the scope, the number of critical applications, and the number of external service providers included. Planning below these figures is not realistic.
What happens after a concerning TLPT result?
The DORA regulation does not automatically impose sanctions, and the report is not made public. However, a remediation plan with binding deadlines must be established and documented for the supervisory authority. BaFin may impose measures in case of structural weaknesses, and prudential consequences may apply in case of recurrence. Management remains personally responsible.
About the Author
Angelika Beierlein is the COO of Evernine Media GmbH. She writes about governance in detail, focusing on the decisive points where programs succeed or fail, and on the culture within regulated institutions, where compliance is not just a formality but part of daily operations.
Sources and Additional References:
- BaFin, technical article "Simulating Attacks to Enhance Security", BaFin-Journal 11/2024, updated in spring 2026.
- Deutsche Bundesbank, TIBER-DE framework and TIBER-EU/DORA mapping, as of March 2026.
- ECB, "TIBER-EU Framework Updated to Align with DORA", press release of February 11, 2025.
- Regulation (EU) 2022/2554 (DORA), Articles 26 and 27, and the associated RTS on threat-led penetration testing; ECB press release on the adaptation of TIBER-EU to DORA.
- Sector-specific roundtables and closure reports of intermediate-sized institutions in the DACH market, March to April 2026 (synthesized, without naming specific institutions).
