BaFin publishes guidance for DORA implementation
Germany's financial supervisory authority, BaFin, has issued new guidance on the implementation of the Digital Operational Resilience Act (DORA). The aim is to support financial institutions in preparing for the regulatory changes that take effect in January 2025.

Germany's Federal Financial Supervisory Authority (BaFin) released supervisory guidance on July 8, 2024, concerning the implementation of the Digital Operational Resilience Act (DORA), focusing on IT risk management and third-party IT risk management.
The guidance is specifically aimed at financial institutions supervised by BaFin that fall under the scope of BAIT (IT requirements for banks) and VAIT (IT requirements for insurance companies). These entities will need to comply with DORA's requirements for IT risk management, outlined in Articles 5 to 15. The publication aims to assist these financial firms in adopting DORA and preparing for its application starting January 17, 2025.
The guidance is based on the findings of six working groups, comprising representatives from industry, BaFin, and the Deutsche Bundesbank. These groups compared the DORA requirements for IT risk management and third-party risks, along with related draft regulatory technical standards (RTS), against the existing BAIT and VAIT requirements during 2023.
BaFin's notice also includes a comprehensive list of minimum contractual contents that financial institutions must agree upon with IT third-party service providers, as mandated by DORA and relevant RTS. These specified contractual clauses are essential for managing relationships with critical or important suppliers.
Key differences that BaFin's guidance highlights between DORA and BAIT/VAIT include DORA's emphasis on making digital operational resilience and IT risk management an explicit responsibility of the management body. The act introduces stricter requirements for identifying, analyzing, and managing IT and resilience risks, and significantly expands the scope of risk considerations for third-party dependencies and supply chains. While some areas, such as identity and access management, may require fewer adjustments, DORA's requirements are generally more specific and potentially more extensive than the previous principle-based BAIT/VAIT regulations.