Dec 02, 2024

Getting Ready for DORA (Part VII) – Which Financial Companies Benefit From the Simplified ICT Risk Management Framework?

From 17 January 2025, affected companies will have to comply with the new requirements introduced by DORA. The main objective of DORA is to fully and consistently harmonize digital operational resilience and ICT security in the financial sector. The need for this arises, among other things, from the fact that legal differences and varying national regulatory and supervisory approaches to ICT risk create obstacles to the functioning of the internal market for financial services. This makes it considerably more difficult for financial companies operating across borders to exercise their freedom of establishment and freedom to provide services without hindrance. Furthermore, competition between the same types of financial companies operating in different member states has been severely distorted by these differences. DORA addresses ICT risks through targeted requirements for ICT risk management capabilities, incident reporting, operational resilience testing, and monitoring of ICT third-party risk. When dealing with DORA, the principle of proportionality must be observed: the size and overall risk profile of the financial company, and the nature, scale and complexity of its services, activities and operations, determine how the requirements are to be implemented. This is also reflected in the requirements for ICT risk management: DORA provides for a so-called simplified ICT risk management framework for certain financial companies. But to whom exactly does this apply?

Which Companies Can Implement a Simplified ICT Risk Management Framework?

The simplified ICT risk management framework is significantly scaled back compared to the general framework otherwise provided for by DORA and places fewer specific requirements on the implementation of ICT risk management. To put it bluntly, the eleven articles of the general framework (Articles 5 to 15 of DORA) are replaced by a single article (Article 16). The simplified framework applies exclusively to the financial entities explicitly named in Article 16 of DORA. These include small and non-interconnected investment firms, small institutions for occupational retirement provision, and institutions exempted under the Capital Requirements Directive (CRD IV) in respect of which the member state has not made use of the option to exclude them from DORA altogether (Article 2(4) of DORA). These exemptions are particularly welcome in light of the considerable effort involved in implementing the DORA requirements. Smaller companies that fall under the exemption can thus operate an ICT risk management system that is appropriate to their size and overall risk profile. An adequate level of protection is ensured by the requirements of the simplified ICT risk management framework in conjunction with the regulatory technical standards on the ICT risk management framework (RTS RMF), which specify the tools, methods, processes and policies for ICT risk management under both the general and the simplified framework. The simplified ICT risk management framework is also intended to apply to payment institutions and e-money institutions that have been exempted under the respective member state's implementation of the Payment Services Directive (PSD2) or the E-Money Directive. Here, however, implementation by the individual member states is inconsistent.

Unequal Requirements for Payment Institutions in Different Member States

Despite DORA's harmonization efforts, gaps remain. These are particularly evident in the case of payment institutions and e-money institutions, because the member states had a certain amount of leeway when transposing PSD2 and the E-Money Directive: they could choose whether to "exempt" certain payment institutions or e-money institutions and subject them to simplified requirements under national law. DORA ties the application of the simplified framework to this exemption, which consequently only benefits financial companies whose member state has actually implemented the exemption in its national law. This stands in strong contrast to DORA's objective of creating a level playing field for all market participants. Recital 42 of DORA shows that the European legislator recognized this problem and ultimately accepted the unequal treatment of comparable financial companies. One example: a payment institution regulated in Germany must comply with the general ICT risk management framework, while a comparable payment institution in another member state that has made use of the exemption may apply the simplified ICT risk management framework. It is therefore necessary to check in each individual case whether and to what extent the simplified ICT risk management framework applies. Even where it does not, the general ICT risk management framework must still be implemented proportionately.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg, LL.M. (London), with the assistance of Attorney Anton Schröder.

Nov 25, 2024

No Tied Agents Under MiCAR – How Do Liability Umbrellas and Contractually Tied Agents Have to Prepare for MiCAR?

From 30 December 2024, the provisions of the Markets in Crypto-Assets Regulation (MiCAR) will apply in full throughout the European Union. From that date, crypto-asset service providers within the scope of the new regulation will no longer be allowed to provide their services without the required MiCAR authorization. MiCAR does not recognize the tied agent model, a concept known from other areas of financial market regulation, in which activities requiring a license can be provided under the responsibility of a sufficiently authorized institution without a license of one's own. In this regard, ESMA already clarified in September 2024 that crypto-asset services under MiCAR may only be provided by companies that are either authorized as crypto-asset service providers or that, as already supervised credit institutions or investment firms, have successfully completed a notification procedure in accordance with MiCAR. Under the current German regime in the Investment Firm Act (WpIG), crypto assets are considered financial instruments, and the law allows liability umbrella solutions for business models in which companies in Germany exclusively provide investment brokerage, investment advice or placement services. The transition to the MiCAR regime therefore potentially represents a real showstopper for tied agents with such business models. What can tied agents and their liability umbrellas with crypto-related business models do before 30 December 2024 to seamlessly continue business under MiCAR?

Can Tied Agents be Covered by the MiCAR Transitional Provision?

MiCAR provides for a transitional regime for providers of crypto-asset services that have provided their services in accordance with the law applicable to them, i.e. in accordance with the applicable national provisions. Such providers may continue to provide their services after 30 December 2024 until 1 July 2026, or until a MiCAR authorization is granted or refused, whichever occurs first. However, member states have the option of shortening this period. The German legislator has not yet enacted any implementing legislation for MiCAR, so a shortening is not to be expected for the time being. According to the wording, tied agents would in principle be able to make use of the transitional provision, since they have lawfully provided crypto-asset services under the applicable national rules prior to 30 December 2024. However, it must be taken into account that the permissibility under supervisory law of the provision of services by tied agents derives from the investment firm acting as liability umbrella. Reliance on the transitional provision by tied agents can therefore only be considered if the liability umbrella arrangement continues to exist under the applicable law from 30 December 2024 and the liability umbrella continues to fulfill the relevant requirements. By contrast, BaFin has contacted the institutions under its supervision that use tied agents and pointed out that the involvement of tied agents will be inadmissible under MiCAR. Tied agents who nevertheless wish to invoke the transitional provisions of MiCAR should in any case clarify this approach in advance with their liability umbrella institution and with BaFin.

The Alternative to the Liability Umbrella is Either an Outsourcing Solution or a MiCAR Authorization

If tied agents are not eligible for, or unwilling to rely on, the MiCAR transitional provisions, they need an alternative. It is possible to apply to the competent authority for a MiCAR authorization of one's own, but such an application requires thorough and time-consuming preparation, as well as patience until BaFin's authorization procedure is complete. A so-called outsourcing solution can be implemented more quickly: the former tied agent acts as an outsourcing service provider for a provider authorized to provide crypto-asset services. As in the liability umbrella model, the crypto-asset service provider then bears responsibility under supervisory law. The outsourcing service provider supplies technical services to the provider, such as the provision of a technical platform, support services and distribution. Caution is advised, however, with outsourcing solutions that involve outsourcing to crypto companies from non-EU countries. In ESMA's view, outsourcing must not lead to a situation in which a third-country company ultimately provides crypto-asset services in Europe without an authorization of its own, through a European special-purpose entity, while the service itself is actually provided in the third country.

Attorney Lutz Auffenberg, LL.M. (London)

The lawyer responsible for all questions relating to the regulation of tied agents under MiCAR at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

Nov 11, 2024

MiCAR Transition Without National Framework Legislation – What Happens if the German Parliament Does Not Pass the KMAG by the End of the Year?

The governing coalition in the German Parliament consisting of the SPD, the Green Party and the FDP is history. All that is left of the so-called "traffic light coalition" that started about three years ago is a pedestrian light without a yellow phase. For the federal government, this means that majorities must be sought and formed in parliament for every legislative proposal still to be passed. The support of the opposition parties, which have not themselves helped to shape the draft legislation that is ready to be voted on, is likely to be granted only in a few cases, particularly in view of the election campaign that began immediately after the end of the governing coalition. The fate of the draft Financial Markets Digitization Act (FinmaDiG), which has been on the table for many months, and of the associated draft regulations on the MiCAR transition, namely the MiCAR Application Regulation and the MiCAR Transit Regulation, is therefore more than uncertain. It seems very unlikely that the proposals can still be adopted by 30 December 2024. From this date, the provisions of MiCAR will apply directly in their entirety in all EU member states. For companies with crypto-related business models, this means that they must hold an authorization or have completed a notification under the new Regulation on the basis of which they are allowed to provide their crypto services. But what is the legal situation for the German crypto industry if the German legislator does not manage to enact national framework legislation by the time the new MiCAR regime applies?

Draft of the KMAG is to Create a Legal Basis for Applications for Authorization in Accordance with MiCAR

With the Crypto Markets Supervision Act (KMAG), the German legislator plans to create the national legal framework for the implementation of MiCAR. In particular, the KMAG is intended to establish BaFin's responsibility for supervising compliance with the provisions of the new regime, i.e. for processing applications for authorization under MiCAR and for the ongoing supervision of crypto-asset service providers. Additionally, the KMAG is to establish BaFin's competence for, e.g., acquisition control proceedings under the new regime and the prosecution of crypto services operated without the authorization required under MiCAR. The draft also contains a number of other special rules, such as provisions supplementing MiCAR and a comprehensive catalogue of administrative offenses for violations of MiCAR or the KMAG. However, the actual procedures for applying for a MiCAR authorization or for using the notification option available to institutions with an existing license under national financial supervisory law are defined by MiCAR itself, with the exception of a few detailed questions. The one thing the German legislator must therefore regulate by law before the new regime applies is which national authority is the competent authority within the meaning of MiCAR. Without this designation, there is no legal basis for submitting applications to BaFin under MiCAR, with the result that BaFin will not be able to process such applications.

What Applies to Existing Institutions and Institutions with a Provisionally Granted License in Accordance with Section 64y KWG?

If the German Parliament does not pass the KMAG before 30 December 2024, only MiCAR itself will apply to existing institutions and crypto service providers already operating legally. Its transitional provisions stipulate that providers of crypto-asset services that provided their services under the applicable law before 30 December 2024 may continue to do so until 1 July 2026 at the latest, or until the date on which they are granted or refused an authorization under MiCAR. The sole starting point for this grandfathering is therefore whether the company in question provided crypto-asset services in accordance with applicable law prior to 30 December 2024. In particular, the wording makes no distinction as to whether a company held a provisional or a final license to provide crypto-asset services before 30 December 2024. As a result, if the German legislator fails to enact national framework legislation for the MiCAR transition, crypto custodians with a provisional license under Section 64y KWG could also continue to operate their business for the time being. It is true that MiCAR gives national legislators the option of deciding not to apply the transitional provision for crypto-asset service providers. However, such a decision requires an active legislative act, which has not yet taken place and is unlikely to be adopted by 30 December 2024.

Attorney Lutz Auffenberg, LL.M. (London)

The lawyer responsible for questions relating to MiCAR, the transition to the MiCAR regime and related transitional provisions at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

Nov 04, 2024

Getting Ready for DORA (Part VI) – Only a Financial Company or Already ICT Third-party Service Provider?

From 17 January 2025, affected companies will be required to comply with the new requirements introduced by DORA. The regulation specifically addresses the challenges of digital transformation and increasing interconnectedness in the financial industry. In this context, DORA aims to minimize risks such as cyberattacks and operational disruptions. Financial institutions and their ICT service providers must take comprehensive measures to improve their digital resilience and thereby promote the security and stability of the entire industry. DORA is an extremely complex set of rules. The regulation comprises 64 articles, which are supplemented by a series of Regulatory Technical Standards (RTS). The RTS are intended to create uniform standards throughout the EU, so that all affected financial institutions across the Union must meet the same requirements. They specify and clarify the general requirements of DORA and are developed jointly by the European Supervisory Authorities (ESAs), i.e. EBA, EIOPA and ESMA. Even though many of these RTS have now been published or are available as drafts, DORA still raises a number of questions of interpretation. This is particularly precarious as the time until DORA applies is getting shorter and the affected companies need to prepare for the regulation. One of these questions concerns the applicability of DORA to a financial company that provides services to another financial company. When can it be assumed that this is an ICT service that makes the providing financial company an ICT third-party service provider within the meaning of DORA? Do the requirements of DORA then also have to be met between two companies that are already regulated by the supervisory authorities? This question has significant consequences: classifying a financial company as an ICT third-party service provider would, among other things, have far-reaching consequences for the contractual relationship between the providing financial company and the client financial company.

Unclear Provisions in DORA Regarding the Term ICT Third-Party Service Provider

DORA defines ICT third-party service providers as undertakings that provide ICT services. In addition, recital 63 states that financial entities that provide ICT services to other financial entities should also be considered ICT third-party service providers under the regulation. Thus, it is clear that financial institutions can in principle also be ICT third-party service providers if they provide ICT services to other financial institutions. DORA defines ICT services as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which includes technical support provided by the hardware provider by means of software or firmware updates, but excluding traditional analog telephone services. This definition is, as intended by the regulator, very broad. Recital 35 makes this explicit: the regulation is intended to address all risks arising from all types of ICT services, and the definition of ICT services in the context of DORA should therefore be interpreted broadly to include digital services and data services provided on an ongoing basis to one or more internal or external users via ICT systems. Furthermore, recital 79 mentions cloud computing services, software solutions and data-related services as examples of ICT services. Assuming that a financial company regulated under MiFID II or MiCAR provides a regulated financial service to another financial company and makes that service available to it on a permanent and digital basis, the question arises whether the requirements of DORA would have to be met in addition to the existing requirements for the financial service. The definition would readily allow for such a reading, which would mean increased bureaucracy and additional costs for financial companies, all for the benefit of the digital operational resilience of the financial market. However, it remains questionable whether providers of traditional financial services should automatically be classified as ICT third-party service providers just because the service is provided digitally.

The Industry Calls for Binding Clarification

In their FAQ on the "DORA 2024 Dry Run Exercise on Reporting of Registers of Information", the ESAs comment on the interpretation of ICT services to the effect that if a financial entity requires authorization, licensing or registration as a financial entity to provide a service, then that service is a regulated financial service and not an ICT service for the purposes of DORA. This interpretation would make it possible to exclude purely financial services that are not classic cloud computing services, software solutions or data-related services from the scope of DORA's third-party rules. On 1 October 2024, the trade associations FIA, AFME, EACH, ECSDA and FESE issued a joint statement on this topic in which they call on the ESAs to adhere to the view taken in the Dry Run for the application of DORA and to determine as quickly as possible that financial services should not be treated as ICT services for the purposes of DORA. They also call for clarification that regulated financial services include all services and activities subject to the supervision of a financial services regulator, including any ancillary or delegated services. This call is to be welcomed. Clarification is urgently needed to create legal certainty in the implementation of DORA. Regulated financial firms are already subject to extensive obligations and close supervision with regard to their supervised business activities. Any application of DORA going beyond this would mean additional work and expense, with only negligible added value in terms of financial market security. It remains to be seen, however, how the ESAs will position themselves.

Attorney Anton Schröder

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg, LL.M. (London), with the assistance of Attorney Anton Schröder.

Oct 28, 2024

MiCAR and Non-EU CASPs – How Can Crypto Service Providers from Third Countries Do Business in Europe?

The European market is also attractive for crypto service providers that are not based in the European Union. Market-leading crypto trading venues from the US or Asia in particular cannot afford not to offer their services to European customers if they do not want to lose their dominant position in the global crypto market. Against this background, crypto service providers from the USA and Asia, but also from Switzerland and the UK, are faced with the question of which options MiCAR leaves them for offering their crypto services to European customers. In the summer of 2024, the European Securities and Markets Authority (ESMA) commented on this topic and further narrowed down the options for crypto exchanges from third countries in particular. Unless a pure reverse solicitation business is to be conducted, in which the crypto service provider must not take any initiative to initiate a business relationship, ESMA recommends to the competent supervisory authorities of the EU member states, in Germany BaFin, that trading platforms for crypto assets from third countries should be required to establish independent European companies, apply for MiCAR authorization with these companies and then run their entire European business through them. Crypto services may not be offered in such a way that the European entity merely acts as an intermediary between European customers and companies from outside the European Union, with the actual service ultimately provided outside the EU.

MiCAR License Not for Mere Brokerage Entities of Crypto Service Providers from Third Countries

Under MiCAR, only legal persons with a registered office in a member state of the European Union can be authorized as crypto-asset service providers. In this way, the legislator aims to ensure that crypto services in Europe can only be provided in compliance with the MiCAR rules. ESMA sees the risk that crypto service providers from third countries could set up a mere shell company in Europe in order to apply for MiCAR authorization for brokerage services such as the execution of orders for crypto assets on behalf of clients or the reception and transmission of orders for crypto assets on behalf of clients. Once the authorization has been granted, this company would then broker or transmit business with European clients to a trading platform for crypto assets operating outside the scope of MiCAR. The strict compliance obligations for trading platforms for crypto assets under MiCAR could thus be circumvented, which in ESMA's opinion would have significant disadvantages for consumer protection in the EU crypto market. ESMA therefore advises BaFin and the other competent supervisory authorities to examine in the MiCAR authorization procedure whether such a constellation exists and, if necessary, to refuse the requested authorization.

ESMA Advises Careful Case-by-Case Examination and Cites Indications of Unlawful Client Solicitation

Ultimately, ESMA advises the competent national supervisory authorities, including BaFin, to carry out a careful case-by-case examination of whether an arrangement should be interpreted as crypto services subject to authorization under MiCAR being offered to European clients from a third country. This examination must take into account that MiCAR itself does not prohibit crypto-asset service providers from executing client orders on trading platforms or with other traders in third countries. Only if the overall design suggests that the third-country provider is targeting European customers in violation of the MiCAR authorization requirement, in order to circumvent MiCAR's strict supervisory obligations, should a refusal of authorization be considered in ESMA's opinion. Even though it is always a case-by-case assessment, ESMA lists a number of constellations that may indicate an unlawful arrangement. In particular, competent national supervisory authorities should examine whether a broker authorized in the EU systematically routes client orders to a company outside the EU for execution. It should also be taken into account whether the EU broker analyzes client orders before forwarding them and checks whether other suitable execution venues could be considered. According to ESMA, a further indication may exist if an EU broker uses the brand of a non-EU provider to attract clients, such that it is difficult for clients to tell that they are using the broker's services and not those of the non-EU provider. Finally, according to ESMA, it is an indication of an abusive arrangement if the broker authorized in the EU receives remuneration for its services that is not in line with the market and is too low.

Attorney Lutz Auffenberg, LL.M. (London)

The lawyer responsible for applications for MiCAR authorization and for the opportunities of crypto service providers from third countries to enter the European market at our law firm is Attorney Lutz Auffenberg, LL.M. (London).

Oct 21, 2024

Cyber Resilience Act – What Obligations Will Manufacturers of Products with Digital Elements have in Future?

The topic of cybersecurity is increasingly becoming the focus of European legislators. On 10 October 2024, the Council of the European Union adopted the Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. This so-called Cyber Resilience Act (CRA) is intended to establish a uniform legal framework of basic cybersecurity requirements for placing products with digital elements on the Union market. To this end, vulnerabilities resulting from a low level of cybersecurity and the inadequate provision of security updates are to be remedied. It also aims to address users' lack of understanding of, and limited access to information about, the cybersecurity properties of products, so that they can select and safely use products with appropriate cybersecurity features. Unlike other directives and regulations recently adopted to strengthen IT security, such as DORA, the Cyber Resilience Act is not sector-specific in scope but horizontal and is intended to cover all products with digital elements. The regulation will apply 36 months after its entry into force, i.e. from 11 December 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents will apply 21 months after entry into force, i.e. from 11 September 2026. The obligations imposed on manufacturers, importers and distributors are extensive and the penalties for non-compliance are severe. In line with the motto "trust is good, control is better", market participants will be forced to take all measures necessary to comply with the CRA, just as they were years ago with the GDPR. What should the addressees of the regulation, such as manufacturers, be prepared for?

Who is Considered a Manufacturer Under the CRA?

A manufacturer within the meaning of the CRA is a natural or legal person who develops or manufactures products with digital elements, or has products with digital elements designed, developed or manufactured, and markets them under their own name or trademark, whether in return for payment, for monetization or free of charge. A product with digital elements is a software or hardware product and its remote data processing solutions, including software or hardware components that are placed on the market separately. The regulation covers products with digital elements whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. This can be anything from software, PCs and smartphones to robotic vacuum cleaners that communicate with other devices or networks. For the manufacturers of such products, the range of new obligations is extensive and can only be outlined here. Among other things, before placing a product with digital elements on the market, they must draw up technical documentation in accordance with the CRA and carry out, or have carried out, a conformity assessment procedure in accordance with the requirements of the regulation. An EU declaration of conformity must then be issued and the CE marking affixed to the product. After placing the product on the market, manufacturers must ensure for the duration of the support period that vulnerabilities are handled effectively, in particular by providing security updates; the support period must reflect the expected product lifetime and, as a rule, be at least five years (shorter only where the product is expected to be in use for less than five years). In addition, the manufacturer must notify any actively exploited vulnerability contained in the product without undue delay: an early warning within 24 hours of becoming aware of it, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. The notifications are submitted via the single reporting platform to the CSIRT designated as coordinator and to ENISA.

What Sanctions do Manufacturers Face if they Violate the CRA?

The CRA requires member states to lay down rules on penalties and to take all measures necessary to ensure that they are enforced. For non-compliance with the essential cybersecurity requirements or the manufacturer obligations described above, the CRA provides for administrative fines of up to EUR 15,000,000 or, in the case of undertakings, up to 2.5% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Fines of up to EUR 10,000,000 or, in the case of undertakings, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed for infringements of other obligations under the regulation. If incorrect, incomplete or misleading information is supplied to notified bodies or market surveillance authorities in reply to a request, fines of up to EUR 5,000,000 or, in the case of undertakings, up to 1% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. It is therefore strongly advisable to implement the requirements of the CRA in a timely and conscientious manner.

            Attorney Anton Schröder

            I.  https://fin-law.de

            E. info@fin-law.de

            The lawyer responsible for questions relating to the Cyber Resilience Act, DORA and IT law at our law firm is Attorney Lutz Auffenberg, LL.M. (London). He is supported by Attorney Anton Schröder.


              Oct 14, 2024

              Getting Ready for DORA (Part V) – Contract Negotiations After DORA Comes Into Force – Who Will Have the Upper Hand?

              Brussels is not sleeping either and regulation in the European Economic Area is constantly increasing. The area of IT security is not spared. More and more new compliance requirements are being added, affecting an increasing number of companies. One example of this is the NIS2 Directive, which must be implemented by October 2024 and further develops the NIS Directive from 2016. In addition, the Cyber Resilience Act (CRA), which aims to protect consumers and companies that buy or use products or software with digital components, is currently in the draft phase. Another comprehensive regulation to strengthen IT security is the Digital Operational Resilience Act (DORA). DORA primarily affects financial companies such as banks, credit institutions, investment firms, payment institutions, management companies and insurance companies, as well as companies that provide them with information and communication technology (ICT) (so-called ICT third-party service providers). From January 17, 2025, these companies will have to comply with the new regulations. DORA is intended to meet the challenges of advancing digitalization and increasing networking in the financial sector. The aim of the regulation is to effectively counter risks such as cyberattacks and business interruptions. Financial companies and third-party ICT service providers are obliged to take far-reaching measures to strengthen their digital resilience and thus ensure greater security and stability in the sector. In practice, it is now common for IT infrastructure or even entire work processes/business processes to be outsourced to specialized service providers. DORA brings with it new challenges in the area of compliance, which also have a concrete impact on the scope for negotiation in contracts between financial companies and third-party ICT service providers. Will the DORA regulation shift the balance of power in favor of financial companies?

              DORA and the Management of ICT Third Party Risks

DORA obliges financial companies to manage ICT third-party risk. Financial companies may only enter into contractual agreements with ICT third-party service providers that comply with appropriate information security standards. Two basic principles govern the management of ICT third-party risk: first, financial companies remain fully responsible at all times for complying with and fulfilling all obligations under DORA and applicable financial services law; second, financial companies must observe the principle of proportionality. On this basis, DORA prescribes mandatory contractual content that must be agreed between financial companies and ICT third-party service providers. This includes the right to continuously monitor the performance of the ICT third-party service provider, which comprises unrestricted access, inspection and audit rights for the financial company, a commissioned third party or the competent authority. The frequency of inspections must be determined on a risk basis. In addition, termination rights must be agreed for the cases provided for in DORA. Stricter requirements apply to ICT services that support critical or important functions: for these, detailed service descriptions are required, and the ICT third-party service provider must be obliged to implement and test contingency plans and to have measures, tools and ICT security policies and guidelines in place that provide an appropriate level of security for the financial company's provision of services in accordance with its legal framework. Exit strategies with binding and appropriate transition periods must also be agreed.

              Little Room for Negotiation

The requirements of DORA basically leave the contracting parties little leeway; the financial companies simply have to fulfil them. Supervisory law thus exerts a strong influence on the contracting parties' private autonomy. The requirements are extensive and are primarily aimed at enabling financial companies to audit ICT services and to ensure their stability and security. For medium-sized financial companies in particular, this may make it possible to assert themselves against ICT third-party service providers with strong negotiating power. ICT third-party service providers will often simply have no choice but to accept the requirements and implement them accordingly. Whether DORA will also have an impact on the largest ICT third-party service providers, such as Google, Amazon and Microsoft, remains to be seen. To this end, critical ICT third-party service providers are obliged by DORA to cooperate with the supervisory authority and are subject to special oversight, for which the authority has been given far-reaching powers. It also remains to be seen to what extent DORA will achieve its stated objectives and whether it will be beneficial for Europe as a business location. It is to be feared that the numerous compliance requirements will place an additional burden on companies and that it will become increasingly difficult for the companies concerned to meet all of them. In addition, the regulation is still new, so there is as yet no extensive literature, established administrative practice or case law to guide practitioners.

              Attorney Anton Schröder


              The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.


                Sep 23, 2024

                Getting Ready for DORA (Part IV) – Are Agreements on Audit Rights also Mandatory Outside of Outsourcing Agreements?

                With the Digital Operational Resilience Act (DORA), the European Union has introduced a groundbreaking regulation that aims to standardize and strengthen digital resilience in the financial sector across the Union. From January 17, 2025, affected companies will have to meet the new requirements. DORA is intended to meet the challenges posed by advancing digitalization and increasing networking in the financial sector, which has been massively driven by the use of information and communication technologies (ICT) in recent years. DORA aims to effectively combat risks such as cyber threats and operational disruptions by requiring financial companies and specialized ICT service providers to implement comprehensive measures to improve their digital resilience. Relevant players include banks, investment firms, payment institutions, cryptocurrency providers and issuers of value-referenced tokens. These companies must analyze their internal processes and adapt them to the new regulatory requirements, which includes the introduction of contingency plans, robust security measures and regular risk analyses. The implementation of DORA requires significant investment in IT infrastructure and risk management, but at the same time offers the opportunity to strengthen the security and resilience of the financial sector in the long term. Good ICT risk management also involves companies structuring their contracts with third-party ICT service providers in such a way that the risks can be adequately countered. But what consequences does this have for future and existing contracts between financial companies and ICT third-party service providers?

                Better Handling of ICT Third-Party Risk Through Minimum Contractual Content

                DORA requires financial firms to manage ICT third party risk as part of the ICT risk management framework. This includes ensuring that financial businesses that have entered into contractual arrangements for the use of ICT services in the conduct of their business remain fully responsible at all times for compliance and fulfillment of all obligations under DORA and applicable financial services law. Financial companies may only conclude contractual agreements with ICT third-party service providers that comply with appropriate information security standards. To this end, the regulation sets out requirements for the essential contractual provisions, i.e. certain minimum contents that must be included in a contractual agreement with an ICT service provider. To give just one example, there is an obligation to provide a clear and complete description of all functions and ICT services to be provided by the third-party ICT service provider, indicating whether subcontracting of ICT services supporting critical or important functions or essential parts thereof is permitted. If this is the case, there is also an obligation to state which conditions apply to this subcontracting. At this point, DORA once again codifies the importance of a complete and accurate service description, which is essential for IT contracts anyway. In addition to many of the typical requirements for IT contracts, the ICT third-party service provider must, for example, also agree to cooperate fully with the authorities and resolution authorities responsible for the financial company.

                Extended Scope of Application of DORA and its Impact on Contract Drafting

An important new feature of DORA, which goes beyond the requirements previously set out by BaFin in its circulars, is that its scope of application is broader than that of the previous regulation. While the minimum content required by the previous circulars primarily relates to outsourcing relationships, DORA covers all contracts with ICT third-party service providers. An ICT third-party service provider is a company that provides ICT services. ICT services in this sense are digital services and data services that are provided on an ongoing basis to one or more internal or external users via ICT systems, including hardware as a service and hardware services, which also cover technical support from the hardware provider by means of software or firmware updates, but excluding conventional analogue telephone services. An outsourcing relationship therefore does not have to exist in order to trigger DORA's requirements for contract design. In principle, DORA applies its requirements for the essential contractual provisions to all contracts with ICT third-party service providers. Nevertheless, the principle of proportionality runs throughout DORA, and stricter requirements are placed on contractual arrangements for the use of ICT services supporting critical or important functions. Among other things, the financial institution must secure for itself by contract the right to continuously monitor the provision of services, which also includes unrestricted access, inspection and audit rights for the financial institution or a commissioned third party and for the competent authority. If a critical or important function is affected, a corresponding agreement may therefore be necessary. This example shows that once DORA applies, existing contracts will also have to be examined for their compatibility with the new requirements and renegotiated where necessary.

                Attorney Anton Schröder


                The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.


                  Sep 16, 2024

                  Market Abuse and Insider Trading in Crypto Assets – Who Will be Affected By the New MiCAR Rules?

                  30 December 2024 marks a historic moment for the European crypto market. This is when the new EU regulation on Markets in Crypto Assets (MiCAR) will become fully legally effective. In addition to the provisions on the obligation of crypto service providers to obtain authorization from BaFin or the supervisory authority responsible for them in the individual case before commencing business and the provisions already in force with regard to the issuance of E-Money Tokens and Asset Referenced Tokens, the provisions on the prevention and prohibition of market abuse and insider trading in the European crypto market provided for in MiCAR will also apply from 30 December 2024. The introduction of regulations to prevent possible price manipulation, market abuse or the exploitation of insider information prior to public disclosure represents a very important milestone for the crypto market and makes it even easier for traditional financial players to enter the world of digital assets. But what specific obligations will MiCAR impose on market participants and who are the new rules aimed at? Which market participants will have to comply with market abuse regulation under MiCAR when trading crypto assets in future?

                  MiCAR Market Abuse Rules Affect All Market Participants

                  An effective fight against market abuse requires comprehensive, market-wide and binding rules. The scope of the new MiCAR regulations to combat market abuse is therefore comprehensive and covers actions by all persons in connection with crypto assets that are authorized for trading or for which authorization to trade has been applied for. Addressees of MiCAR’s market abuse regulation are therefore both issuers of crypto assets and crypto service providers, but also investors and even persons who may not even be involved in specific transactions relating to crypto assets, such as rating agencies, specialist media or influencers with a focus on crypto assets. The text of the MiCAR clarifies that the rules apply to all transactions, orders and actions concerning crypto assets that are authorized or to be authorized for trading. In this context, it is irrelevant whether the action in question was actually carried out or omitted on a trading platform for crypto assets. The market abuse rules under MiCAR are therefore relevant for all market participants. For professional market participants such as issuers of crypto-assets and crypto-asset service providers, but also and especially publicly communicating influencers, this means that they must be aware of their obligations and should set them out in writing in the form of carefully drafted codes of conduct and apply them in their business operations.

                  Obligation to Maintain Effective Arrangements, Systems and Procedures

                  For all persons who professionally arrange or execute transactions in crypto assets, MiCAR also provides for a specific obligation to have effective arrangements, systems and procedures in place at all times for the prevention and detection of market abuse. This group of persons includes, in particular, crypto asset service providers that arrange or execute transactions with crypto assets (PPAET), whereby the term PPAET is borrowed from the EU Market Abuse Regulation. However, according to the draft interpretative guidance and technical standards published by ESMA in March 2024 in relation to the MiCAR abuse provisions, operators of trading platforms for crypto assets should also be considered PPAETs. The aforementioned crypto service providers therefore have an explicit obligation to create and maintain effective arrangements, systems and procedures to prevent and detect market abuse. The measures must of course focus on the way in which they conduct their own business. However, it may also be necessary in individual cases for companies to monitor their own employees with regard to transactions with crypto assets in the private sphere, particularly if they have access to insider information.

                  Attorney Lutz Auffenberg, LL.M. (London)


                  The lawyer responsible for all questions relating to the regulation of market abuse and insider trading under MiCAR at our law firm is Lutz Auffenberg, LL.M. (London).


                    Sep 09, 2024

Lost in Translation, Copy and Paste – The Problem with Translated Contracts

Drafting suitable contracts for one's own software products in Germany can be time-consuming and costly. Regardless of whether both the provider and the customer are German companies or only the customer is, the customer will regularly insist on the agreement being governed by German law. Many providers of software products therefore repeatedly resort to supposedly suitable sample contracts from the Internet, or translate existing contracts from other jurisdictions into German and subject them to German law. This often leads to extensive contracts, especially from Anglo-American jurisdictions, finding their way into contractual relationships that are subject to German law. Caution is required here: just because something is in the contract and sounds advantageous for the provider does not automatically mean that the contract is fully effective. German legal practice with regard to the law of general terms and conditions is stricter than that of many other legal systems. In addition, problems can arise if the contract incorrectly classifies the underlying legal relationship and inappropriate provisions are made as a result. Such contracts are often largely ineffective, and in the event of a dispute the statutory provisions apply instead, which is usually not in the interests of the parties.

                    Typical Problem with SaaS, ASP and Cloud Computing

In today's digital economy, business models such as Software-as-a-Service (SaaS) and Application Service Providing (ASP), in which the provider's software applications are made available to the customer via the Internet (cloud computing), are particularly widespread. Typically, for example, standardized software is made available to a large number of customers via the Internet. These customers usually pay a "subscription fee" and can use the software for as long as the contractual relationship exists. This offers a number of advantages for providers and customers: the provider can easily scale its software and reduce costs, while customers generally do not need any special hardware or personnel resources to use the software. As already mentioned, the contract's typological classification, i.e. the question of which of the contract types regulated in the special law of obligations of the German Civil Code (BGB) the contract is assigned to, plays a decisive role in assessing the effectiveness of the individual contract clauses. The classification has legal consequences in many respects. For example, it influences the assessment of the content of general terms and conditions. It also determines which provisions apply if the contract is (partially) invalid. Finally, it determines which warranty rights the recipient of the service is entitled to. Even if the contracting parties have not regulated a specific issue, the statutory provisions are used to close the gap. Assigning a contract to one of the contract types in the special law of obligations can be difficult in individual cases. SaaS and ASP contracts are often so-called mixed-type contracts, which can be assigned to more than one type of contract depending on the performance obligation in question. Contracts that are merely translated or copied from different sources often do not take these subtleties into account, which can have disastrous consequences for those who rely on them.

                    What Should be Taken Into Account and What are the Limitations in German Law?

                    The parties generally have an interest in agreeing on exclusions of liability and minimizing the liability risk as far as possible. In addition, indemnification clauses and contractual penalties are particularly desirable in the IT sector. As most SaaS or ASP contracts are pre-formulated contractual terms that have not been individually negotiated between the contracting parties, the limits of German law on general terms and conditions must be observed. This is particularly strict for the aforementioned agreements and exclusions of liability. Furthermore, in the case of a contract with consumers, the statutory provisions on contracts for digital products may also become relevant. In addition, it should be borne in mind that many contracts already lack an accurate description of the services owed, i.e. the main performance obligations of the contracting parties, or the description is inadequate. This is particularly disadvantageous, as the main performance obligations – apart from the transparency requirement – are generally not subject to GTC control. It is therefore possible to determine here what exactly is owed and what is not. Thus, a clear definition of the main performance obligations can also lead to indirect exclusions and limitations of liability.

                    Attorney Anton Schröder


                    The lawyer responsible for matters relating to IT law at our law firm is Anton Schröder.


                      Sep 02, 2024

                      Getting Ready for DORA (Part III) – How Do You Test the Digital Operational Resilience?

                      With the Digital Operational Resilience Act (DORA), the European Union has introduced a far-reaching regulation that aims to harmonize and strengthen digital resilience in the financial sector across Europe. From 17 January 2025, affected companies must comply with the obligations set out in DORA. The European legislator wants to take account of the ongoing digitalization and increasing networking, which has significantly increased the use of information and communication technologies (ICT) in the financial sector. The DORA aims to counteract the risks posed by cyber threats and operational disruptions. Financial companies and specialized ICT service providers are obliged to take comprehensive measures to strengthen their digital resilience. The affected players include banks, investment firms, payment institutions, cryptocurrency providers and issuers of value-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new regulatory requirements before the regulation comes into force. This includes the introduction of robust security precautions, regular risk analyses and the creation of emergency plans in order to be able to react appropriately to cyber-attacks or IT disruptions in the event of an emergency. The implementation of DORA represents a challenge for many companies, as it may require significant adjustments and investments in IT infrastructure and risk management. At the same time, the regulation offers the opportunity to sustainably improve the resilience and security of the entire financial sector. What tests should information and communication technology be subjected to? What do the affected companies need to be prepared for in the future?

                      Testing ICT Tools and Systems

                      The fourth chapter of DORA deals with the requirements for testing digital operational resilience. In principle, taking into account the principle of proportionality, a robust and comprehensive digital operational resilience testing program is required to assess preparedness for handling ICT-related incidents, identify weaknesses, deficiencies and gaps in digital operational resilience and implement corrective actions promptly. This is an essential part of the ICT risk management framework to be established by the organizations concerned. The content of the tests can vary in terms of type and scope. When making the selection, the size and overall risk of the financial company as well as the type, scope and complexity of the financial service must be weighed up, taking proportionality into account. Appropriate tests can therefore include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security checks, questionnaires and scans of software solutions, source code checks (where feasible), scenario-based tests, compatibility tests, performance tests, end-to-end tests and penetration tests. In principle, the tests for all ICT systems and applications that support critical or important functions must be carried out at least once a year. For micro-enterprises, DORA provides for some simplifications in terms of both the frequency of the tests and their implementation, which are strongly characterized by the principle of proportionality.

                      Advanced Testing of ICT Tools, Systems and Processes Based on TLPT

Even though the tests required by DORA described above are already very extensive, DORA provides for even more far-reaching tests for certain companies. This so-called Threat-Led Penetration Testing (TLPT) must be carried out at least every three years. DORA defines TLPT as a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity's critical live production systems. The exact details will be specified by the ESAs in agreement with the ECB and in line with the TIBER-EU framework in the form of regulatory technical standards. As a rule, TLPT will only be relevant for financial undertakings supervised by BaFin that have been identified and notified by BaFin in accordance with the requirements of DORA. The criteria for identifying the affected entities are: proportionality; impact-related factors, in particular the extent to which the services provided and the activities carried out by the financial undertaking have an impact on the financial sector; any financial stability concerns, including the systemic nature of the financial undertaking at Union or national level, as appropriate; and the specific ICT risk profile, ICT maturity of the financial undertaking or relevant technological characteristics. The application of these selection criteria will also be specified by the ESAs, in agreement with the ECB, in the form of regulatory technical standards in accordance with the TIBER-EU framework.

                      Attorney Anton Schröder


                      The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.


                        Aug 26, 2024

                        Getting Ready for DORA (Part II) – Locational Advantage for Germany?

                        [et_pb_section fb_built=”1″ _builder_version=”4.27.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_row _builder_version=”4.27.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.27.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”/2024/08/26/getting-ready-for-dora-part-ii-standortvorteil-deutschland/” button_text=”Für deutsche Version bitte hier klicken” _builder_version=”4.27.0″ _module_preset=”default” custom_button=”on” button_text_size=”13px” button_border_width=”1px” button_border_radius=”0px” global_colors_info=”{}”][/et_pb_button][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”4.27.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.27.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.27.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]

                        The European Union has adopted the Digital Operational Resilience Act (DORA) to standardize and strengthen digital resilience in the financial sector. From 17 January 2025, affected companies must comply with this regulation. The reason for this measure is the increasing digitalization and networking, which has resulted in the widespread use of information and communication technologies (ICT), including in the financial sector. DORA aims to effectively counter risks from cyber threats and operational disruptions. The regulation obliges financial companies and certain ICT service providers to take comprehensive measures to strengthen their digital resilience. Numerous players in the financial sector are affected, including credit institutions, investment firms, payment institutions, crypto service providers and issuers of value-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new legal requirements. This includes implementing robust security measures, conducting regular risk analyses and developing contingency plans in order to be able to react quickly and effectively in the event of cyber-attacks or IT disruptions. The introduction of DORA represents a challenge for many companies, as it requires significant adjustments and investments in IT infrastructure and risk management. Nevertheless, the regulation also offers opportunities, as it improves the resilience and security of the entire financial sector. What requirements are already being placed on the companies affected and will this even result in advantages for these companies in Germany?

                        Which Requirements Already Apply and How Do They Differ from DORA?

DORA has its sights set on the European and therefore also the German financial sector, with the aim of harmonizing the handling of ICT risks across Europe. Financial companies are to be put in a position to deal with ICT risks appropriately. The German financial supervisory authority BaFin has not been idle in the past and is already keeping an eye on ICT risks, while imposing far-reaching requirements on the German financial sector. These apply, for example, to the IT of banks, insurers, capital management companies and payment service providers. To this end, BaFin has issued a series of circulars that regulate the IT requirements for the aforementioned financial players. The circulars published under the more or less catchy names BAIT, VAIT, KAIT and ZAIT – to name just a few examples – impose comprehensive requirements on the financial players concerned with regard to the governance and organization of IT, information risk and information security management, and the stability of IT operations. Some of these requirements are also reflected in DORA. Part of the information security management required by the circulars is that the management must establish the function of the Information Security Officer (ISB, from the German term Informationssicherheitsbeauftragter). The function of the ISB includes responsibility for all information security matters within the institution and vis-à-vis third parties. DORA does not recognize the function of the ISB. However, the function and independent position of the ISB is similar to the ICT risk control function required by DORA, which is to be responsible for the management and monitoring of ICT risk. The different areas of responsibility nevertheless make it clear that DORA places a stronger focus on the monitoring and management of ICT risk than the circulars do.

This is just one example of how BAIT, VAIT, KAIT and ZAIT in many respects already cover the basic requirements for the ICT risk management framework and the key principles for sound management of ICT third-party risk under DORA. A financial company that already meets the requirements of BAIT, VAIT, KAIT or ZAIT will therefore have a good starting position for the implementation of DORA. This could be the locational advantage for such financial companies.

Is There Still a Need for Action?

However, the comparison between the ISB and the ICT risk control function makes it clear that the purposes of DORA differ from or go beyond those of the BaFin circulars. DORA is intended to strengthen the digital operational resilience of the financial sector. In order to achieve this goal, DORA goes beyond the requirements of BAIT, VAIT, KAIT and ZAIT in many areas. It is therefore not enough to rest on existing strategies, processes, functions, etc. BaFin is also aware of this and has already announced that it will repeal the BAIT, VAIT, KAIT and ZAIT circulars. For the financial institutions concerned, this means that an adjustment to the requirements of DORA is unavoidable and should be completed before DORA applies from 17 January 2025. BaFin has already published implementation information on this topic to facilitate the transition from the circulars to DORA.

Attorney Anton Schröder

I. https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London), with the assistance of Attorney Anton Schröder.
