The European Union has adopted the Digital Operational Resilience Act (DORA) to standardize and strengthen digital resilience in the financial sector. From 17 January 2025, affected companies must comply with this regulation. The reason for this measure is the increasing digitalization and networking, which has resulted in the widespread use of information and communication technologies (ICT), including in the financial sector. DORA aims to effectively counter risks from cyber threats and operational disruptions. The regulation obliges financial companies and certain ICT service providers to take comprehensive measures to strengthen their digital resilience. Numerous players in the financial sector are affected, including credit institutions, investment firms, payment institutions, crypto service providers and issuers of value-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new legal requirements. This includes implementing robust security measures, conducting regular risk analyses and developing contingency plans in order to be able to react quickly and effectively in the event of cyber-attacks or IT disruptions. The introduction of DORA represents a challenge for many companies, as it requires significant adjustments and investments in IT infrastructure and risk management. Nevertheless, the regulation also offers opportunities, as it improves the resilience and security of the entire financial sector. What requirements are already being placed on the companies affected and will this even result in advantages for these companies in Germany?

Which Requirements Already Apply and How Do They Differ from DORA?

DORA has its sights set on the European and therefore also the German financial sector, with the aim of harmonizing the handling of ICT risks across Europe. Financial companies are to be put in a position to deal with ICT risks appropriately. The German financial supervisory authority BaFin has not been idle in the past and is already keeping an eye on ICT risks, while imposing far-reaching requirements on the German financial sector. These apply, for example, to the IT of banks, insurers, capital management companies and payment service providers. To this end, BaFin has issued a series of circulars that regulate the IT requirements for the aforementioned financial players. The circulars published under the more or less catchy names BAIT, VAIT, KAIT and ZAIT – to name just a few examples – impose comprehensive requirements on the financial players concerned with regard to the governance and organization of IT, information risk and information security management, and the stability of IT operations. Some of these requirements are also reflected in DORA.

Part of the information security management required by the circulars is that the management must establish the function of the Information Security Officer (ISB). The function of the ISB includes responsibility for all information security matters within the institution and vis-à-vis third parties. DORA does not recognize the function of the ISB. However, the function and independent position of the ISB is similar to the ICT risk control function required by DORA, which is to be responsible for the management and monitoring of ICT risk. At the same time, the different areas of responsibility make it clear that DORA places a stronger focus on the monitoring and management of ICT risk than the circulars do.
This is just one example of how BAIT, VAIT, KAIT and ZAIT in many respects already cover the basic requirements for the ICT risk management framework and the key principles for sound management of ICT third party risk under DORA. A financial company that already meets the requirements of BAIT, VAIT, KAIT or ZAIT will therefore have a good starting position for the implementation of DORA. This could be the locational advantage for such financial companies.

Is There Still a Need for Action?

However, the comparison between the ISB and the ICT control function makes it clear that the purposes of DORA differ from or go beyond those of the BaFin circulars. DORA is intended to strengthen the digital operational resilience of the financial sector. In order to achieve this goal, DORA goes beyond the requirements of BAIT, VAIT, KAIT and ZAIT in many areas. It is therefore not enough to rest on existing strategies, processes, functions, etc. BaFin is also aware of this and has already announced that it will repeal the BAIT, VAIT, KAIT and ZAIT circulars. For the financial institutions concerned, this means that an adjustment to the requirements of DORA is unavoidable and should be implemented before DORA comes into force. BaFin has already published implementation information on this topic to facilitate the transition from the circulars to DORA.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.