DORA applies with immediate effect – What financial service providers can expect

01/17/2025

From January 17, 2025, the Digital Operational Resilience Act (DORA) applies, and the previous supervisory requirements for IT are being (gradually) repealed. For affected financial companies, this has consequences for internal auditing and service provider management. The next step is the submission of the information register.

Financial service providers benefit from the use of a wide range of highly specialized information and communication technologies (ICT). The DORA Regulation harmonizes the regulatory framework for the management of ICT-related risks across Europe. The aim is to make the European financial sector more digitally resilient.

What does DORA mean for financial institutions?

DORA imposes comprehensive requirements on financial institutions for the management of ICT risks, including

  1. robust IT governance and risk management frameworks
  2. regular testing of digital operational resilience
  3. effective management of third-party ICT service providers and risks

It is essential to review and adapt existing IT systems and processes to ensure DORA readiness. This applies to banks, insurance companies, investment firms and payment service providers, but also to companies that were previously outside the scope of the regulatory IT requirements (such as rating agencies).

Next milestone: Submission of the information register to BaFin

DORA introduces strict requirements for financial institutions to monitor and control third-party ICT providers. The register of third-party provider contracts, which financial institutions must mandatorily keep, plays a central role in this respect. The register serves to control risks arising from the use of third-party ICT providers.

The deadline for submitting the information register to the German Federal Financial Supervisory Authority (“BaFin”) marks the next milestone in the implementation of DORA. German financial companies must submit their information registers to BaFin by April 11, 2025.

Requirements for the register

According to DORA, financial companies must keep a complete and up-to-date register of all contracts with third-party ICT providers. The contents include, among other things:

  1. Details of the services: a clear description of the ICT services provided, including identification of critical or important functions.
  2. Contract terms: details of terms, exit strategies and audit rights.
  3. Locations: regions or countries where the services and data processing take place.
  4. Subcontracting: transparency about subcontracting and the conditions under which it may take place.

Aim of the register

The register serves not only for internal risk monitoring purposes, but also for supervision by regulatory authorities. It enables improved transparency regarding dependencies on third-party providers and potential concentration risks. Particularly in cases where many financial institutions use the same third-party providers, the register helps to identify risks to the stability of the financial sector at an early stage.

Implications for financial institutions

Maintaining this register requires not only careful recording of contract details, but also continuous updating and review. Financial institutions must ensure that all relevant information is fully and correctly documented. In addition, DORA requires that this data is reviewed at regular intervals for potential risks and addressed with strategic measures such as exit strategies.

The information register therefore goes beyond the previous requirements for the outsourcing register. For financial institutions, this means an expansion of their documentation obligations and a closer integration of risk and contract management. IT service providers should be prepared for more intensive audits and greater involvement in resilience programs.

DORA vs. xAIT – What’s next for regulatory requirements?

In Germany, the Digital Operational Resilience Act applies from January 17, 2025. The previous regulatory requirements for IT (xAIT) are being (gradually) repealed: KAIT (supervisory requirements for IT in asset management companies), VAIT (insurance supervisory requirements for IT) and ZAIT (payment services supervisory requirements for IT) were repealed as of January 16, 2025. Institutions that fall under DORA are exempt from BAIT (banking supervisory requirements for IT) from January 17, 2025. Chapter 11 of BAIT is also repealed from this date. With the revision of Art. 1a (2) of the German Banking Act by the Financial Market Digitization Act (FinMadiG), further institutions will have to apply DORA from January 1, 2027. BAIT will therefore be completely repealed as of December 31, 2026.

This replacement of the regulatory requirements has implications for the internal audit function of the financial service providers within DORA's scope. Due to the transition to DORA, the audit universe must be reviewed and adapted. This involves mapping the requirements of BAIT against those of the new regulation and filling the gaps in the existing audit universe.

Seeing DORA as an opportunity

DORA poses a regulatory challenge, but at the same time offers the opportunity to strengthen stakeholder confidence. A proactive approach not only ensures compliance, but also provides a competitive advantage in the digitalized financial world.

As experienced specialists, we offer comprehensive services for DORA implementation:

  1. Health checks and gap analyses to identify the need for action
  2. Simulation of special supervisory audits
  3. Support in the development and implementation of DORA-compliant IT risk management frameworks
  4. Training and workshops on DORA requirements along the three lines of defense

We support you in the successful implementation of DORA – contact us!

Authors of this article

Ralph Hüsemann

Partner

German CPA

Daniel Boms

Director

Certified Information Systems Auditor
