DORA

From basic testing to threat-led penetration testing—since January 2025, financial companies have been required to test their digital resilience in accordance with strict EU regulations. But what does this mean in concrete terms for testing programs, and who is affected by the demanding TLPTs?

DORA clearly distinguishes between threats, incidents, and attacks—but what reporting obligations do they trigger? An overview of the new requirements.

ICT contracts under DORA: Between minimum standards and power shifts. The regulation not only sets high requirements for digital resilience, but also changes the dynamics of contract negotiations. Financial companies must now enforce strict requirements—but which services actually fall under DORA, and how can exit strategies, audit rights, and risk management be regulated in a contractually watertight manner?

DORA implementation: BaFin specifies requirements for simplified ICT risk management framework: BaFin provides financial companies with an overview of documentation, security measures, and processes for the simplified ICT framework, but emphasizes that the content must be tailored to each individual case in accordance with the principle of proportionality.

DORA aims to minimize risks from digital transformation, but implementing its complex requirements remains a hurdle for many financial enitites. Further interpretation guidance and practical tools are urgently needed.

Artificial intelligence (AI) is penetrating more and more areas of life and the economy. AI-as-a-Service (AIaaS) as a cloud-based service is subject to its own legal peculiarities, not least due to the European AI Act. An overview:

Die DORA gilt seit dem 17. Januar 2025 und schon bis zum 11. April 2025 müssen Finanzunternehmen ihre Informationsregister gemäß DORA-Vorgaben bei der BaFin einreichen. Finanzunternehmen sollten sich frühzeitig vorbereiten und sicherstellen, dass die Register formgerecht eingereicht werden.

From January 2025, DORA will introduce uniform requirements for ICT security, but exceptions for smaller financial institutions will provide a degree of relief. Nevertheless, differences between EU member states will remain due to national implementation leeway.

DORA places new demands on the digital resilience of financial companies, while the distinction between financial and ICT services raises questions in detail. Clear principles for interpreting the regulations are urgently needed to create legal certainty for the industry.

The DORA significantly restricts the contractual freedom of financial companies and ICT third-party service providers by imposing a number of mandatory requirements on the drafting of contracts. This could put medium-sized financial companies in particular in a stronger negotiating position, while even large ICT providers will be obliged to implement the new requirements.

DORA obliges financial institutions to manage the ICT third-party risk through appropriate contract design. To this end, DORA specifies minimum content that is intended to strengthen the position of the financial institution and increase security. But what consequences does this have for future and existing contracts?

DORA requires the financial companies affected to carry out regular tests of their digital operational resilience. But what do these tests actually involve and do all financial firms have to carry out the same tests?