The objectives of the “Digital Operational Resilience Act (DORA)” of the EU are to strengthen digital resilience by integrating robust security and risk management practices at banks and financial service providers, as well as their ICT service providers. DORA aims to improve and standardise IT processes to ensure greater resilience against cyberattacks and technological malfunctions. It also places a strong emphasis on the use of metrics and regular evaluations to measure progress towards this goal and to ensure sustainable improvements in digital security.
The regulations contained are often detailed additions to the xAIT circulars (BAIT, VAIT, KAIT, ZAIT) published by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) and other regulations such as the minimum requirements for risk management (MaRisk) or the minimum supervisory requirements for the business organisation of insurance companies (MaGo).
According to Jan Kiefer from the IT supervisory authority of BaFin, the xAIT circulars will be repealed. This will probably be the case in January 2025, when DORA comes into force. This does not mean that the requirements spelled out in the xAIT will also be repealed. These already apply due to MaRisk, EBA guidelines (or ESMA and EIOPA) and other relevant requirements (BSI, ISO 270xx, NIST, …) that are aimed at ICT risk management and the protection of data and systems.
The safeguarding systems that have been set up on the basis of xAIT so far are therefore still helpful and necessary. However, they must now be complemented by the additional focus areas and detailed requirements from DORA.
To fully understand DORA, it is important to be familiar with the supplementary strategy requirements regarding digital operational resilience and collaboration with third parties. In addition, all “critical” processes (functions) should be identified as the main feature for a risk-based implementation of the DORA requirements.
There is also further responsibility at management levels. This is where the fulfilment of training obligations takes effect, including for senior management, as well as the possibly necessary adjustment of organisational structures, such as the establishment of an ICT risk control function, which is largely covered by existing functions in information risk management in accordance with BAIT.
Corporate IT departments in particular will be faced with changes and new tasks. For example, IT operations and operational information security must be supplemented in accordance with DORA requirements for protective and preventative measures (encryption, change management, incident management, network management, etc.) and for testing digital operational resilience. Additional steps must also be taken to establish an appropriate system for ensuring continuity (emergency planning) and for the communication required in this process.
Another important issue is the expansion of incident handling and the need for more precise guidelines for identifying threats. This includes guidelines for learning from mistakes and identifying vulnerabilities. For the finance industry, this means an increased exchange of information.
It is also important to revise the IT audit plans and update all third-party contracts (which are subject to strict requirements) as well as the processes for assessment, control and monitoring. However, the additional requirements in this regard are less extensive than those of MaRisk or the EBA guidelines. One exception is the change in the basis for assessing criticality.
It should be noted that some of these requirements may already be covered by the proportionality principle, unless they are introduced as a formal minimum standard. Examples include the new requirements for the outsourcing register or the content of third-party contracts. Management has always been required to keep up-to-date on cyber risks, and encryption, network security, etc. may already be in place in line with established market practice, depending on the risks involved. The actual need for action by each institution can only be determined by means of a gap analysis.
Key topics, as formulated in more detail in the xAIT circulars than in DORA, must not be neglected even after these circulars have been repealed. Examples of such topics are:
The principle of proportionality also applies here, i.e. the requirements now explicitly formulated by DORA have to be taken into account and implemented appropriately in any case. Without passing judgement on this, it can be said that the DORA regulations, due to their level of detail, leave less scope than before for determining one’s own degree of appropriateness. Simplifications have therefore been made for smaller institutions in the form of a simplified risk management framework.
Now, the DORA requirements need to be implemented using the same logic as the xAIT requirements: the explicit requirements need to be supplemented with other ICT risk management elements that are necessary and appropriate for the institution, and the resulting package needs to be implemented in line with standard market practice. This is best done by referring to relevant standards such as the EBA ICT and other guidelines, ISO 270xx, NIST, BSI, etc. – and of course xAIT. The seminars offered by the Frankfurt School of Finance & Management on this topic provide a practical context to help understand and ultimately master this challenge.