
DORA and digital sovereignty in the financial sector: where many banks fail

Many banks and insurance companies in the financial sector have formally implemented the requirements of the EU regulation DORA (Digital Operational Resilience Act). Guidelines have been adapted, processes documented, and responsibilities defined. This means that the regulatory requirements are met, at least on paper. However, after the first year of audits, a clear gap has emerged between documented processes and operational reality. This is precisely where BaFin is focusing.

When documentation meets operational reality

In many financial institutions, the situation is similar. The compliance team has carefully translated the DORA requirements into guidelines and process documentation. Responsibilities have been defined and the company is formally considered to be prepared.

Once the audit begins, the focus shifts from documentation to operational practice. BaFin increasingly examines whether digital resilience and IT controls actually function in day-to-day operations.

During discussions, operational weaknesses quickly become apparent. The ICT inventory is incomplete. Critical systems and their dependencies are not fully recorded. A third-party service provider supporting a central payment process is barely mentioned in the emergency plans. Monitoring ceases outside business hours.

Such findings are not isolated cases. At the BaFin event “IT Supervision in the Financial Sector: The First Year of DORA” in December 2025, the regulator described precisely this pattern: whilst regulatory requirements had been documented in many places, they had not yet been fully operationalised.

This brings a fundamental question to the fore: what does digital sovereignty mean for banks and insurance companies in the financial sector?

Digital sovereignty in the financial sector: three operational dimensions

Digital sovereignty in financial institutions is often equated with data protection or cloud strategies. For IT decision-makers in regulated financial organisations, this falls short.
At its core, it is about three operational capabilities.

1. Data sovereignty

The term ‘data sovereignty’ describes the legal and technical access conditions under which data is held. Anyone using cloud services from US providers operates within the scope of the CLOUD Act: US authorities can compel American providers to hand over data, regardless of the country in which the servers are located. For banks and insurance companies that work with highly sensitive customer data on a daily basis, this poses a real liability risk.

2. Operational sovereignty

Operational sovereignty refers to the operational control over critical IT systems in banks and insurance companies. This includes comprehensive ICT inventories, clearly documented dependencies, tested emergency plans and an operational model that does not rely solely on a single provider. If a financial institution cannot demonstrate these points, operational control effectively lies outside its own organisation, regardless of contractual clauses.

3. Regulatory sovereignty

Regulatory sovereignty means being able to demonstrate the effectiveness of one’s own controls at any time. In BaFin’s DORA audits, the regulator assesses actual operations rather than documents. This is the standard applied by the regulator, and one at which many institutions are currently failing.

Why the issue is escalating right now

The concept of digital sovereignty is not new. However, 2026 is the point in time when several developments are escalating in parallel.

  • Regulatory changes with consequences:  
    The EU regulation DORA (Digital Operational Resilience Act) has been in force since January 2025. The German NIS2 Implementation Act has been in force since December 2025, over a year behind the EU deadline.  
    For financial institutions, DORA remains the central framework for IT risk management and digital resilience. NIS2 complements the DORA regulation and forms the general framework for critical infrastructure.
    The result: two sets of regulations, no transition period, immediate effect.
    Following the first DORA audit cycle, a clear trend is emerging. The regulator no longer accepts purely documented solutions. In the next rounds, the focus will be on operationalisation: proving that systems and controls actually work in practice.
  • Geopolitics as an IT risk:  
    Jurisdictions and political dependencies are increasingly becoming part of IT risk assessments. The US CLOUD Act is an example of this. In a tense transatlantic climate, financial institutions are faced with the question of which jurisdiction their critical financial data falls under.
    Dependence on non-European hyperscalers is therefore coming under greater scrutiny in regulatory discussions.
  • AI increases sovereignty requirements:  
    Those who use AI services from the cloud potentially reveal more than ever before: transaction patterns, risk models, customer data. New technology raises new sovereignty issues, while the regulatory framework is still evolving.

Two common misconceptions

In many discussions, we regularly encounter two misconceptions that can prove costly.

Misconception 1: “Sovereignty means avoiding the cloud.”

This is incorrect. Digital sovereignty in the financial sector does not mean avoiding public cloud services. What matters is how they are used.
Financial firms need architectural models that guarantee them operational control, transparency and the ability to exit at any time. Without these prerequisites, dependency arises.

Misconception 2: “We’ve implemented DORA, so we’re compliant.”

This assumption is also short-sighted. Documented processes do not guarantee operational control. What matters is whether they work in practice. BaFin therefore does not primarily examine guidelines, but concrete evidence. The audit includes, amongst other things, verifying the 24-hour operation of monitoring, the actual involvement of third parties in emergency tests, and the completeness and up-to-date status of the ICT inventory.

Sovereignty does not arise from documentation. It arises from operation.

What does digital sovereignty mean for banks and insurers?

For banks, digital sovereignty means retaining control over their data, IT systems and external service providers at all times. Financial institutions must be able to trace where their data is stored, what dependencies exist with cloud providers, and how critical systems are operated. At the same time, they must be able to demonstrate this control to the regulator during DORA audits.

For financial institutions, this has specific operational implications:

  • comprehensive ICT inventories that remain robust even under audit conditions
  • operational and contractual controls over all relevant third-party service providers
  • continuous monitoring of critical systems
  • audit-proof reports and evidence for the supervisory authority

These requirements do not arise from one-off implementation projects. They must be ensured in day-to-day operations and verifiable at all times.

The crucial question

Digital sovereignty is not a state that is achieved once and then ticked off the list. Rather, it is an operational capability that must be demonstrated during day-to-day operations.

The central question is therefore not: “Are we digitally sovereign?”

It is: “Can we prove this sovereignty to the regulator today during ongoing operations?”

This is the difference between sovereignty as a concept and sovereignty as a lived reality. This is where it becomes clear who actually controls their IT and who merely manages it.

→ In the second part of this series, we analyse how the relevant cloud providers actually perform. We assess them according to the criteria that really matter for regulated financial organisations: data sovereignty, DORA compliance, exit capability and European legal certainty.


Sources and further reading

  1. BaFin (2025): IT supervision in the financial sector: The first year of DORA – event held on 4 December 2025.
    https://www.bafin.de/SharedDocs/Veranstaltungen/DE/250725_it_aufsicht_im_finanzsektor.html
    Retrieved: February 2026
  2. European Union (2022): Regulation (EU) 2022/2554 – Digital Operational Resilience Act (DORA), in force since 17 January 2025.
    https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32022R2554
    Retrieved: February 2026
  3. European Union (2022): Directive (EU) 2022/2555 – NIS2, implementation deadline for Member States: October 2024. Germany has missed this deadline; the national transposition law (NIS2UmsuCG) was still going through the legislative process at the start of 2026.
    https://eur-lex.europa.eu/eli/dir/2022/2555/oj?locale=de
    Retrieved: February 2026
  4. US Congress (2018): Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Public Law 115-141.
    https://www.congress.gov/bill/115th-congress/house-bill/4943
    Retrieved: February 2026