The German Federal Financial Supervisory Authority Issues Guidelines for DORA Implementation

On 8 July 2024 the German Federal Financial Supervisory Authority (BaFin) published guidelines to aid financial companies in implementing the Digital Operational Resilience Act (DORA). Effective 17 January 2025, DORA mandates comprehensive ICT risk management for financial entities. The guidelines address the banking and insurance sectors supervised by BaFin and provide detailed sections to ensure compliance with DORA’s requirements.

Key Areas Covered

  1. Governance and Organization:

    • Development of a digital operational resilience strategy.
    • Establishment of an internal governance and control framework specific to ICT risks.
    • Enhanced responsibilities for the management board.

  2. Information Risk and Information Security Management:

    • Shift from information security to a broader ICT risk management approach.
    • Emphasis on continuous risk assessment and mitigation.
    • Strengthening of training and communication protocols.

  3. IT Operations:

    • Maintenance of stable and up-to-date ICT systems.
    • Classification and comprehensive documentation of ICT assets.
    • Broader scope for change management in IT systems.

  4. ICT Business Continuity Management:

    • Detailed guidelines for business continuity plans specific to ICT.
    • Inclusion of diverse scenarios such as climate change and insider threats.
    • Regular testing and updating of continuity plans.

  5. IT Project Management and Application Development:

    • Detailed requirements for project methodologies and risk assessments.
    • Emphasis on secure implementation and rigorous testing of ICT systems.
    • Elimination of materiality thresholds for change management.

  6. ICT Third-Party Risk Management:

    • Broader definition and scope for managing ICT third-party risks.
    • Extensive mandatory contractual provisions for ICT services.
    • Requirements for due diligence and ongoing risk assessment.

Context

The guidelines result from extensive collaboration between industry representatives, the Deutsche Bundesbank (the German Federal Bank), and BaFin. They map the existing BAIT (banking) and VAIT (insurance) supervisory IT requirements onto the new DORA framework. The aim is to provide a non-binding aid for companies transitioning to DORA, ensuring they meet its standards for digital operational resilience, ICT risk management, and cybersecurity. The guidelines also include a comprehensive overview of the contract elements required in agreements with third-party ICT service providers.

By 17 January 2025, most BaFin-supervised companies must fully integrate DORA’s ICT risk management framework, replacing BAIT and VAIT where applicable.

The press release is available here and you can get a translation into English of the guidance on my blog here (it does not include the minimum contract content).

