DORA is a law that imposes new requirements on companies in the financial sector, as well as their IT service providers. Today’s banks, insurance companies and trading exchanges are largely IT service providers in any case. Whether banking online, settling claims or performing trades – all these services have one thing in common: they only work with IT.
All the more devastating, then, if the IT ceased to function… as a result of, for example, a malware-based cyberattack, ransomware being the most obvious example. The press carries reports of companies that have succumbed to such attacks on an almost daily basis. And from an attacker’s perspective, banks, insurance companies and exchanges are particularly enticing victims. Despite this attraction, it is precisely these companies that have been most successful in fending off attacks.
This is no coincidence. For years, Germany’s Federal Financial Supervisory Authority (BaFin) has been imposing minimum standards on financial institutions’ IT operations and information security. To ensure that all regulated organisations are implementing appropriate measures, BaFin defined minimum requirements for IT and infosec in Germany back in 2017 (BAIT, VAIT, KAIT and ZAIT). Since then, the rules have been extended and made more specific on multiple occasions. Now the time has come for the next step: a standardised, top-level IT regulatory regime for all financial institutions across Europe as a whole. This is being implemented as a “lex specialis”, i.e. a European law that is applied immediately, so does not first have to be implemented by the individual member states.
The new DORA legislation has been in force since January 2023, and all relevant organisations in EU member states must comply with it by 17 January 2025. For the first time, the law applies not just to financial institutions, but also directly to their major IT service providers – a genuinely novel situation for companies like Microsoft, AWS, Google and the rest.
In DORA, the European Commission has defined a standardised framework for managing cybersecurity risks, hardening IT operations against cyberattacks, and reporting cyber incidents. The law also obliges companies to make suitable preparations. While Germany already had regulations in place covering many of these areas, DORA adds a number of new requirements.
Apart from banks, insurance companies and payment processors, which were already subject to German IT and infosec regulations such as BAIT, VAIT and ZAIT, the range of organisations affected by the new regulatory framework has been hugely extended and now includes (among others):
As already mentioned, the legislation now also applies, for the first time, to the main providers of IT services to financial institutions. The act describes them as third-party ICT service providers; the full list of service providers affected is still being drawn up. It is also important to be aware that the first version of the Act also applied to auditors of financial institutions, although auditors were removed from consideration during the consultation phase.
All institutions affected should immediately start taking a close look at DORA and carrying out their own gap analysis. This will provide the basis for the next step – implementing the changes imposed by the new provisions. But beware: although the legislation is already in force, certain details have yet to be finalised. The Act will be supplemented by further requirements in the form of regulatory technical standards (RTS) and implementing technical standards (ITS).
For finance companies, as well as their suppliers and service providers, it is more important than ever to take a proactive approach and identify the relevant target areas for action. The onus is on specialists and senior management to analyse any gaps, assess the extent of the internal adjustments required, set up implementation projects and carry them through to completion. A one-day seminar at Frankfurt School will provide staff working in the relevant departments with a clear overview of the contents of DORA, as well as suggestions for and examples of knowledge transfer in practice.