DORA enters into force – the implementation by authorities and companies continues

Today, on 17 January 2025, the EU regulation DORA (Digital Operational Resilience Act in the Financial Sector) entered into force throughout the EU. A two-year implementation period thus comes to an end, after DORA was published in the Official Journal of the EU at the beginning of 2023.

In the light of widespread digitalisation in the financial sector and increasing cyber threats, the resilience of digital systems in finance is more important than ever. DORA creates an EU-wide uniform framework for strengthening operational resilience and for creating effective management of cyber security and IT risks in the finance industry, a topic so far handled heterogeneously by EU member states.

Companies within the scope of DORA

Article 2 (1) and (2) DORA lists the companies that fall within the scope of DORA and defines them as ‘financial entities’. These include, for example, credit institutions and payment institutions, insurance and reinsurance companies, insurance intermediaries, e-money institutions, investment firms, crypto-asset service providers, but also institutions for occupational retirement provision, trading venues and rating agencies – in short: practically the entire financial industry.

However, DORA goes beyond applying to financial entities. A key aspect of DORA is that it also holds companies accountable that themselves do not provide financial services but support institutions in the area of information and communication technologies (so-called ‘ICT third-party service providers’, cf. Art. 3 No. 19 DORA). The regulation thus applies to a wide range of third-party service providers, including cloud service providers, software providers, data analysis services and data centres.

ICT third-party service providers classified as ‘critical’ by DORA are subject to a particularly strict monitoring regime. The classification as a ‘critical ICT service provider’ is based on distinct objective criteria relating to the service provider as well as to the recipient. Both the substitutability of the third-party service provider and the dependency of the service recipient on the third-party service provider are relevant to this determination. BaFin gives an example of a critical ICT service provider on its website: the US company CrowdStrike, which provides cyber security technology to many security-critical sectors such as emergency services, hospitals, airports and the financial industry. A faulty update in the summer of 2024 caused worldwide IT failures: not only did numerous flights have to be cancelled, causing turmoil at airports, there were also outages of payment systems and ATMs. BaFin has announced that it will publish a comprehensive list of critical ICT service providers in the second half of 2025.

As important as ICT security regulations may be, there is also recognition that DORA entails a considerable administrative burden for companies. DORA is therefore subject to the principle of proportionality (Art. 4 DORA): the size and overall risk profile as well as the nature, scope and complexity of the respective company’s services must be taken into account when applying DORA. In addition, various exceptions apply, e.g. for microenterprises (Art. 3 No. 60 DORA) as well as for so-called small and non-interconnected investment firms such as small asset managers or investment brokers (Art. 16 (1) DORA).

Identifying ICT services: Implementation of digitalisation projects in multipolar contractual settings

Services in the ICT sector are often provided in the context of multipolar relationships, which, in addition to the provider of an ICT service in the narrower sense (e.g. a provider of technical services) and the recipient (e.g. a financial entity), may involve various other players. One constellation that is likely to be relevant in practice is where a project manager in a primarily commercial role centrally manages the implementation of complex digitalisation projects for a multitude of beneficiaries (e.g. a number of financial entities).

It does not seem adequate to require that every contractual relationship in such constellations be regarded as falling under the DORA requirements. The wording of the relevant provisions listing the services that are considered ICT services (see the overview of types of ICT services in Annex III of the report prepared by the European supervisory authorities EBA, EIOPA and ESMA, available online here) is very broad: in principle, any provision of services in the field of ICT could therefore be considered an ‘ICT service’ within the meaning of DORA. However, the intent and purpose of the relevant DORA provisions also give leeway for appropriate differentiation: the focus is on the ‘ongoing provision’ of ‘digital and data services’ ‘through ICT systems’ (Art. 3 No. 21 DORA). From this perspective, there are good reasons not to classify as being subject to DORA those companies that are involved in ICT-related projects in a primarily rationalising, commercially oriented and – from a technical point of view – ICT-detached function. In particular, this should apply if (1) the project manager itself never comes into contact with the relevant data through its systems, and (2) the contractual relationship between the technical provider of digital or data services and the financial entity already falls within the scope of DORA and meets the relevant requirements – a condition frequently already satisfied under the outsourcing agreements stipulated in that context.

On a case-by-case basis taking specific relevant circumstances into account, a comprehensive analysis of specific interrelated contractual relationships and the respective roles of the parties involved, e.g. in connection with digitalisation projects, may open up possibilities for determining the applicability of DORA appropriately, thereby avoiding excessive compliance work and expense.

Significant last-minute specifications

Shortly before DORA came into force, BaFin issued a supervisory notice clarifying, with effect from today, the interrelation between DORA and the previous sector-specific BaFin circulars on IT requirements. These BaFin publications include the circulars on supervisory requirements for IT in funds management (‘KAIT’), supervisory requirements for IT in insurance undertakings (‘VAIT’) and supervisory requirements for IT in payment and e-money institutions (‘ZAIT’). BaFin intends to avoid double regulation in these fields. These circulars therefore cease to apply as of today. They are being replaced by DORA and its delegated regulations.

However, in its above-mentioned supervisory notice BaFin points out that this must not result in supervised financial institutions that do not fall within the scope of DORA no longer being required to take any measures at all to adequately deal with ICT and cyber risks. These institutions are still obliged to take appropriate measures as part of their proper business organisation.

There are also changes to the BaFin circular on supervisory requirements for IT in financial institutions (‘BAIT’).

In a first step, financial entities falling within the scope of DORA will, with immediate effect, cease to be subject to the BAIT provisions. Furthermore, Chapter 11 BAIT ‘Managing relationships with payment service users’ is abrogated. BAIT in the amended form comes into force as of now. The requirements of BAIT will initially continue to apply to financial entities that so far do not fall under DORA. This is likely to affect only a few financial entities, e.g. German branches of banks from non-EU countries that as such do not fall under DORA but are subject to BaFin supervision in accordance with Section 53 of the German Banking Act (KWG). To these financial entities, the new BAIT will continue to apply.

The information security officer (ISO) under DORA

In its supervisory notice, BaFin left some issues unresolved. One of these questions is to what extent the office of the information security officer (‘ISO’) continues to exist with the entry into force of DORA. BAIT contains some key points regarding this office in para. 4.4 et seq. According to these provisions, the ISO supports the management in defining and adapting the information security guidelines and the emergency concepts, monitors compliance with these policies, investigates information security incidents and reports to the management about those incidents. The function of the ISO needs to be organised and structured in a way that guarantees the ISO’s independence, in order to avoid possible conflicts of interest (No. 4.5 BAIT). The ISO reports directly to the management board through recurring – at least quarterly – status reports on information security (No. 4.10 BAIT). The ISO carries responsibility for handling all information security concerns within the institution and vis-à-vis third parties. DORA, on the other hand, contains only rudimentary regulations in this regard. Article 6 (4) DORA merely states that responsibility for managing and overseeing ICT risks must be assigned to a ‘control function’, and that an adequate level of independence of that function must be ensured in order to avoid conflicts of interest.

In our understanding, it is likely that BaFin will determine the tasks of the control function under DORA in line with the ISO’s duties under BAIT, the only difference being that the function of the ‘DORA ISO’ is focussed on ensuring compliance with the requirements set up by DORA.

Outsourcing: preventing double reporting of ICT third-party service providers

By means of the Financial Market Integrity Strengthening Act (FISG), enacted in 2021 and with effect as of 1 January 2022, the German legislator ordered a significant intensification of BaFin’s supervision of the outsourcing of important functions (“wesentliche Auslagerung”, Section 25b KWG, Section 40 WpIG) by requiring financial institutions to notify the intention and execution of such outsourcings. BaFin has set up a reporting portal specifically for this purpose; institutions had to adapt their reporting systems accordingly. At the same time, under DORA, information registers on ICT third-party service providers need to be prepared and submitted to BaFin annually pursuant to Article 28 (3) DORA. This requirement needs to be complied with for the first time by 11 April 2025, reflecting the status as of 31 March 2025. Since recourse to the services of an ICT third-party service provider frequently also qualifies as an outsourcing activity, double reporting duties might arise – an unnecessary bureaucratic burden, especially since both reporting requirements serve the same purpose, namely to provide the competent authorities with data to identify concentration risks in the relevant markets. Furthermore, supervisory authorities intend to use the data in the registers to better assess the impact of IT incidents on service providers, in order to identify and alert potentially affected service providers at an early stage.

BaFin has recognised that duplicate reports are being submitted here. In a recent article published on 15 January 2025 on the BaFin website, it is announced that the existing BaFin reporting portal is to be adapted accordingly. Financial companies that would otherwise have to fulfil two reporting obligations should then primarily report the outsourcing via the BaFin reporting portal and check a newly created “DORA box” in order to declare that they have fulfilled both reporting obligations. However, the details of this process are not yet known. It seems unlikely that this process will avoid a double administrative burden for financial institutions that need to report both via the BaFin reporting portal and via the DORA information register.

In any event, BaFin explicitly concedes on its website that the information register and the further reporting requirements of Art. 28 DORA do present a challenge. BaFin writes that it is aware of this and that it will continue to support companies with information and assistance. This may be an indication that a certain amount of leniency is called for when auditors (internal or external) carry out compliance audits in the coming one to two years, if they discover difficulties in adapting to the new DORA requirements for financial institutions.
