BaFin Unveils Guidance Notes for DORA Compliance


The German Federal Financial Supervisory Authority (BaFin) has issued new guidance notes aimed at helping banks and insurers transition to the requirements set forth by the Digital Operational Resilience Act (DORA). Set to take effect from January 17, 2025, DORA introduces a comprehensive framework for managing ICT risks and third-party risks, marking a significant shift from the existing supervisory frameworks.

The new supervisory statement released by BaFin provides detailed guidance on aligning with DORA's risk management requirements. While these notes are not mandatory, they serve as an invaluable resource for financial entities seeking to adapt to the upcoming regulatory changes. The guidance focuses on two main areas: ICT risk management and ICT third-party risk management.

Ira Kosche-Steinbrecher, Head of BaFin’s IT Supervision Division, explained the purpose behind the new supervisory statement.

“Our guidance notes aim to assist financial entities in navigating the complexities of DORA,” Kosche-Steinbrecher stated. “By comparing DORA’s requirements with our existing frameworks, such as BAIT and VAIT, we highlight both overlaps and differences, providing clarity on how to meet the new standards.”

The development of these guidance notes involved extensive collaboration with the financial industry. BaFin formed six working groups, including industry representatives, the Deutsche Bundesbank, and BaFin’s own experts, to analyze and compare DORA with the current BAIT and VAIT frameworks. This rigorous process, which included over 30 joint workshops, was designed to ensure the guidance reflects both regulatory expectations and practical industry needs.

Kosche-Steinbrecher noted, “Our goal was to create practical guidance that is grounded in the real-world experiences of the financial entities we supervise. The feedback we received was overwhelmingly positive, and we believe this collaborative approach has resulted in highly effective guidance.”

Key Differences and Practical Implications

While the BAIT and VAIT frameworks share significant similarities with DORA, Kosche-Steinbrecher highlighted some key differences. For instance, DORA assigns greater responsibilities to the management body of financial entities and emphasizes ICT risk management more strongly compared to previous regulations. These distinctions reflect DORA’s broader focus on digital operational resilience and the evolving threat landscape.

The guidance notes also address practical issues such as minimum contractual requirements for agreements with ICT third-party service providers. This aspect is crucial as financial entities prepare to integrate these new standards into their operational frameworks.

Though the guidance notes primarily address BAIT and VAIT, their insights are also relevant to entities governed by the Supervisory Requirements for IT in Asset Management Companies (KAIT) and Payment Services and Electronic Money Institutions (ZAIT). The similarities in regulatory requirements mean that these entities can also benefit from the guidance provided.

Looking ahead, BaFin plans to phase out the existing BAIT, VAIT, KAIT, and ZAIT circulars in favor of DORA. The supervisory statement marks a significant step in this transition, helping financial entities align with the new regulatory landscape and enhance their resilience against ICT and cybersecurity risks.
