The EU Regulation on Digital Operational Resilience in the Financial Sector (DORA) has been in force since January 17, 2025, and must be implemented by the companies it regulates. Even more than seven months after its enactment, not all legal issues arising from DORA have been clarified. The competent authority for most German financial companies is the Federal Financial Supervisory Authority (BaFin).

The term “financial institution” as defined by DORA covers a wide range of different companies in the financial sector, including credit institutions, payment institutions, account information service providers, e-money institutions, investment firms, crypto service providers, insurance and reinsurance companies, data provision services, and many more. This makes DORA the central legal act for strengthening the digital operational resilience of the financial sector when using information and communication technologies (ICT).

One of the cornerstones of DORA is the obligation for financial companies to establish, maintain, and continuously improve an ICT risk management framework. The risks to which a financial company is exposed in individual cases can be as diverse as the number of regulated companies that qualify as financial companies. DORA therefore relies on the principle of proportionality. This is expressly enshrined in Article 4 of DORA and requires, among other things, that the size and overall risk profile of the financial company as well as the nature, scope, and complexity of its services, activities, and transactions be taken into account when fulfilling the ICT risk management requirements. The principle of proportionality is further reflected in the distinction between the generally applicable ICT risk management framework and the simplified risk management framework, which applies only to certain, mostly smaller financial institutions.
BaFin has now provided some helpful guidance on the simplified ICT risk management framework described in Article 16 of DORA in a new supervisory notice dated August 21, 2025.
Which Financial Companies Are Covered by the Simplified ICT Risk Management Framework?
The companies to which the simplified ICT risk management framework applies in Germany are determined directly by DORA on the one hand and by national laws on the other. According to Article 16 DORA, small, non-interconnected investment firms and small occupational pension institutions are covered in Germany. In addition, the simplified ICT risk management framework has been extended at national level to other financial companies in the banking and insurance sectors by the Act on the Digitization of the Financial Market (FinmadiG). For example, a revision of the Insurance Supervision Act (Section 293 (5) VAG) now also subjects certain insurance holding companies to the requirements of Article 16 DORA. Furthermore, an amendment to the Banking Act (Section 1a (2a) KWG) requires all institutions not already covered by DORA to apply the regulation from January 1, 2027. For the latter institutions, which include, for example, guarantee banks and financial services institutions such as leasing and factoring companies and crypto-securities registrars, the BAIT will continue to apply until the end of 2026.
What Specific Advice Did BaFin Give, and What Do Financial Companies Need to Pay Attention to Going Forward?
The BaFin supervisory notice includes an overview of the documentation requirements for financial companies in accordance with Art. 16 DORA. This overview indicates which documentation, security measures, procedures, plans, processes, and guidelines BaFin considers necessary to meet the requirements of Article 16 DORA and the supplementary regulatory technical standards (RTS) specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework. In this context, BaFin emphasizes that this is non-binding guidance and that the overview does not represent a binding interpretation by BaFin. Nevertheless, the overview ultimately reflects how BaFin, as the competent supervisory authority, interprets the DORA Regulation and thus provides the financial companies concerned with a concrete roadmap on the path to DORA compliance. However, the overview leaves open how the content of the listed documents should be structured. This makes sense, as the requirements in each individual case must be determined in accordance with the principle of proportionality. Furthermore, even if they fall under the simplified ICT risk management framework, financial companies should bear in mind that the simplifications apply only to the ICT risk management framework itself; there are no simplifications with regard to the other requirements of DORA. For example, the companies concerned must still comply with the principles for sound management of third-party ICT risk set out in Articles 28 to 30 of DORA.
Attorney Anton Schröder