Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA, Digital Operational Resilience Act) sets out measures to ensure operational security and risk management, particularly in the event of serious incidents. This paper examines the legal implications of such attacks, with particular emphasis on liability issues in the context of the DORA Regulation and the Payment Services Act (ZaDiG). It analyzes the responsibility of banks and customers, particularly with regard to due diligence and obligations to ensure system security. It examines whether the plundering of individual bank accounts falls under the provisions of this regulation, whether frequent incidents are to be considered serious incidents within the meaning of the DORA Regulation, and what the liability situation is in connection with widespread security mechanisms such as the SMS-TAN system and modern real-time transfers. The analysis is supported by real-life case studies.