DORA

DORA implementation: BaFin specifies requirements for simplified ICT risk management framework: BaFin provides financial companies with an overview of documentation, security measures, and processes for the simplified ICT framework, but emphasizes that the content must be tailored to each individual case in accordance with the principle of proportionality.

DORA aims to minimize risks from digital transformation, but implementing its complex requirements remains a hurdle for many financial enitites. Further interpretation guidance and practical tools are urgently needed.

Artificial intelligence (AI) is penetrating more and more areas of life and the economy. AI-as-a-Service (AIaaS) as a cloud-based service is subject to its own legal peculiarities, not least due to the European AI Act. An overview:

Die DORA gilt seit dem 17. Januar 2025 und schon bis zum 11. April 2025 müssen Finanzunternehmen ihre Informationsregister gemäß DORA-Vorgaben bei der BaFin einreichen. Finanzunternehmen sollten sich frühzeitig vorbereiten und sicherstellen, dass die Register formgerecht eingereicht werden.

From January 2025, DORA will introduce uniform requirements for ICT security, but exceptions for smaller financial institutions will provide a degree of relief. Nevertheless, differences between EU member states will remain due to national implementation leeway.

DORA places new demands on the digital resilience of financial companies, while the distinction between financial and ICT services raises questions in detail. Clear principles for interpreting the regulations are urgently needed to create legal certainty for the industry.

The DORA significantly restricts the contractual freedom of financial companies and ICT third-party service providers by imposing a number of mandatory requirements on the drafting of contracts. This could put medium-sized financial companies in particular in a stronger negotiating position, while even large ICT providers will be obliged to implement the new requirements.

DORA obliges financial institutions to manage the ICT third-party risk through appropriate contract design. To this end, DORA specifies minimum content that is intended to strengthen the position of the financial institution and increase security. But what consequences does this have for future and existing contracts?

DORA requires the financial companies affected to carry out regular tests of their digital operational resilience. But what do these tests actually involve and do all financial firms have to carry out the same tests?

BaFin already supervises a large number of financial companies and imposes a number of requirements on the IT used. DORA is now about to come into force. In future, the use of information and communication technology (ICT) will be governed by the requirements of DORA. But to what extent does DORA differ in its requirements from those already demanded by BaFin?

DORA imposes a number of new obligations on financial companies. This can be particularly burdensome for small companies. But who actually falls within the scope of the regulation and are the rules the same for everyone affected?

Not only MiCAR will concern the European crypto industry over the next years. DORA will also be directly applicable to crypto service providers and token issuers alike. But what will be the implications for the industry?