From 17 January 2025, affected companies will have to comply with the new requirements introduced by DORA. The main objective of DORA is to fully and consistently harmonize digital operational resilience and ICT security. The need for this arises, among other things, from the fact that legal differences and varying national regulatory and supervisory approaches to ICT risk create obstacles to the functioning of the internal market for financial services. This makes it considerably more difficult for financial companies operating across borders to exercise their freedom of establishment and freedom to provide services without hindrance. Furthermore, competition between the same types of financial companies operating in different member states has also been severely distorted by these differences. DORA addresses ICT risks through targeted requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of ICT third-party risk. When applying DORA, the principle of proportionality must be observed: the size, overall risk profile, nature, scale and complexity of the financial services must be taken into account when implementing the requirements. This is also reflected in the requirements for ICT risk management: DORA provides for a so-called simplified ICT risk management framework for certain financial firms. But to whom exactly does this apply?

Which Companies Can Implement a Simplified ICT Risk Management Framework?

The simplified ICT risk management framework is significantly scaled back compared to the general framework otherwise provided by the DORA and places fewer specific requirements on the implementation of ICT risk management. To put it bluntly, ICT risk management is reduced from fifteen articles to one. This simplified framework applies exclusively to the financial institutions explicitly named by DORA. These include, for example, small and non-interconnected investment firms, small institutions for occupational retirement provision, and institutions excluded under the Capital Requirements Directive (CRD IV). These exclusions are particularly welcome in light of the considerable effort involved in implementing the DORA requirements. Smaller companies that fall under the exemption can thus operate an ICT risk management system that is appropriate in relation to their size and overall risk profile. An adequate level of protection is ensured by the requirements of the simplified ICT risk management framework in conjunction with the regulatory technical standards (RTS RMF). These standards define the tools, methods, processes and guidelines for ICT risk management and for the simplified framework. The simplified ICT risk management framework should also apply to payment institutions and e-money institutions that have been excluded from the respective member states’ implementation under the Payment Services Directive (PSD2) or the E-Money Directive. However, there is inconsistent implementation here by the individual member states.

Unequal Requirements for Payment Institutions in Different Member States

Despite DORA’s harmonization efforts, gaps still exist. These are particularly evident in the case of payment institutions and e-money institutions. This is because the member states had a certain amount of leeway when implementing the PSD2 and the E-Money Directive. It is therefore possible that, when transposing these directives into national law, a member state has made use of the option of “exempting” certain payment institutions or e-money institutions and subjecting them to simplified requirements in national law. Consequently, in these cases, the DORA refers to an exemption that only applies to financial companies if the respective member state has implemented this exemption in its national law. However, this is in strong contrast to the DORA’s objective of creating a level playing field for all market participants. Recital 42 of the DORA shows that the European legislator has recognized this problem and ultimately accepted the unequal treatment of comparable financial companies. One example of this is that a payment institution regulated in Germany must comply with the general ICT risk management framework, while a comparable payment institution in another member state that has made use of the exemption may apply for the simplified ICT risk management framework. It is therefore necessary to check in each individual case whether and to what extent the simplified ICT risk management framework can be applied for. Even if this is not the case, the general ICT risk management framework must still be implemented proportionately.

Attorney Anton Schröder

I. https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.