Mar 17, 2025

DORA in Action: What are Critical or Important Functions and Why Does It Matter?

Regulation (EU) 2022/2554, better known as DORA, has entered into force and presents new challenges for financial entities. The regulation aims to minimize the risks arising from digital transformation and increasing interconnectedness in the finance and insurance industry. DORA focuses on managing threats such as cyberattacks and business interruptions in order to strengthen operational resilience. The requirements that DORA places on financial entities are complex and involve a considerable amount of red tape. Nevertheless, the regulation promotes important minimum standards in the area of digital operational resilience.

DORA is supplemented by regulatory technical standards (RTS) and implementing technical standards (ITS), which are developed by the European Supervisory Authorities (EBA, EIOPA and ESMA) in collaboration with the national supervisory authorities and adopted by the Commission. Many of these technical standards have already entered into force and provide financial entities with specific guidance for implementing the DORA requirements. Despite the broad applicability of DORA and the technical standards, however, uncertainties remain in their interpretation and implementation in individual cases. The lack of binding interpretation guidelines makes it difficult for financial entities to fulfill the numerous new obligations, and in many areas there is still a great deal of uncertainty among financial entities.

A concrete example of these difficulties is the supposedly simple task of creating a register of information, filling it out correctly and providing it to BaFin on time. Aside from the technical difficulties, the biggest problem here is that a prior question must be answered first: is the function supported by a third-party ICT service provider critical or important?

Important or Critical Function – Why is Classification Practically Relevant?

So what are critical or important functions in the sense of DORA? The regulation does not define what a "function" is. It is possible that the European legislator took the meaning for granted and therefore refrained from providing a definition. From the context and the objectives of the regulation, namely strengthening the digital operational resilience of business operations, it can be concluded that "functions" in the sense of DORA means the operational and business functions of a financial entity. Art. 3 no. 22 DORA defines a critical or important function as a function whose disruption would materially impair a financial entity's financial performance or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the financial entity's continuing compliance with the conditions and obligations of its authorisation or with its other obligations under applicable financial services law. In short, these are functions whose failure would have a significant adverse effect on financial performance, business continuity or regulatory compliance.

This classification is of practical relevance for ICT third-party service providers that provide such critical or important functions or support significant parts of them. Among other things, the requirements for the design of the contract are much more extensive (Art. 30 (3) DORA adds further mandatory contractual provisions for these cases). Furthermore, for non-critical functions only the direct ICT third-party service provider has to be specified in the register of information, whereas for critical or important functions all subcontractors in the ICT service chain must also be recorded.

The Register of Information and Initial Guidance from BaFin

Pursuant to Article 28 (3) DORA, financial entities must maintain a register of information (RoI) covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The register is to be made available to the competent authorities at least annually. The first registers are to be submitted to BaFin by April 11, 2025. The templates and data points for the register are set out in Commission Implementing Regulation (EU) 2024/2956, i.e. the implementing technical standards on the register of information (ITS RoI). On March 6, 2025, BaFin hosted a workshop on the submission of the registers of information to provide guidance and assistance to the financial entities concerned; BaFin is visibly endeavoring to support financial entities in implementing DORA. The registers of information must be created as structured files according to the ESAs' taxonomy. BaFin provides an Excel template for this purpose and also accepts registers created with this template; in order to make submission easier for smaller financial entities in particular, BaFin will convert the completed Excel templates into the target format itself. During the workshop, BaFin also addressed the question of how to determine whether a subcontractor in the ICT service chain is to be included in the register of information. BaFin has proposed three orientation questions for this purpose:

  1. Is there a direct dependency between the ICT service and the subcontractor?
  2. Does the subcontractor ensure the provision of essential parts of the ICT service to support a critical or important function?
  3. Could a disruption at the subcontractor affect the security or continuity of the ICT service?

BaFin also pointed out that the principle of proportionality and a risk-based approach must be taken into account. BaFin's proposed interpretation applies subject to any later diverging interpretation by the ESAs. Despite the proposed systematic questions, uncertainties remain for financial entities: they still have to decide on a case-by-case basis whether or not to include a given subcontractor in the chain of subcontractors. Identifying all subcontractors in the chain is a major undertaking in itself, and each subcontractor identified must then be assessed individually against these questions.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.
