IT-Security Regulatory Update | December 2022

Focus: DORA, cloud outsourcing and corporate due diligence obligations in supply chains.

Highlight from December 2022

Digital Operational Resilience

On December 27, the Digital Operational Resilience Act was released and will be in effect beginning in January 2025. This means that financial institutions and critical ICT service providers will have to shoulder a considerable amount of work.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Publication of the Digital Operational Resilience Act

Shortly before the end of the year, the Digital Operational Resilience Act (DORA) was published in the European Official Journal. As a regulation, it will be directly effective in the member state and will be effective from January 17, 2025. Primarily, the act deals with information and communication technologies (ICT). DORA is intended to provide a coherent blueprint for digital operational stability, replacing the fragmented regulatory landscape of the member states.

Key elements of the regulation are:

  1. the ICT risk management of financial institutions,
  2. the reporting of significant ICT incidents to the supervisory authority,
  3. a thorough audit of the ICT systems, as well as
  4. a heightened awareness of cyber risks and ICT incidents among regulators.

The scope of DORA is broad and is intended to encompass as many financial institutions as possible. However, the principle of proportionality should be taken into account. The underlying reason to this is the enormous potential scope of an incident due to the high level of interconnectedness and dependency in the ICT sector. In addition to financial institutions, critical ICT service providers are therefore also included in the scope of application.

In the context of ICT risk management, ICT-related incident reporting, testing, and key requirements for robust ICT third party risk monitoring, future regulatory technical standards are expected from the ESAs.

You can find DORA here in the Official Journal of the EU.

© European Union, 1998-2023 / eur-lex.europa.eu

Laptop with lock symbol on screen on world map as background with networks to different countries

At its meeting on June 9, 2022, BaFin’s IT expert committee also dealt with DORA. At that time, the timeline for the development of regulatory technical standards had not yet been finalized. However, it was already clear that consultation on the delegated acts would take place under DORA.

In addition, information was provided on the relationship between DORA and the NIS2 Directive, which was also published on December 27, 2022 and can be found on the website of the Official Journal of the EU here. As can be seen from the recitals of DORA, it is lex specialis. Accordingly, DORA is applied with priority, i.e.: in case of contradictions between DORA and the NIS2 Directive, the requirements of DORA apply.

In addition, adjustments to the various regulatory requirements for IT (so-called XAIT) were discussed. If, at BaFin’s discretion, an adjustment to the XAIT becomes necessary, this will take place after the publication of the regulatory technical standards. Also addressed was the announced revision of the guidance sheet on cloud outsourcing, the revision of which is still somewhat delayed.

The journal of the BaFin IT expert panel of June 9, 2022 can be found here on the BaFin website.

Source: © German Federal Financial Supervisory Authority / www.bafin.de

Will the Supply Chain Act be delayed?

Based on a motion by the Free State of Bavaria, the Bundesrat is discussing whether the Supply Chain Act should be postponed. The law was promulgated in the Federal Law Gazette on July 22, 2021, and has been in effect since January 1 of this year. It defines due diligence obligations along the supply chain for companies with headquarters or branch(es) in Germany that are intended to contribute to the observance of human rights. What is new in particular is that the responsibility of companies exists along the entire supply chain.

On December 13, 2022, Bavaria filed a motion to suspend the law. The reason given by the Bavarian Minister President is that German companies already demonstrate a high sense of responsibility, hence a shift in the binding requirements is conceivable in principle. Due to the current geopolitical situation and the impact of the COVID 19 pandemic, he said, companies are already severely challenged. The application of the Supply Chain Act provides an additional, high burden. In addition, the motion states that a detailing of the requirements in the form of legal ordinances and recommendations for action is still pending, but is necessary for the effective implementation of the requirements.

It is unclear to what extent the application has a chance of success. For example, the German Federal Ministry of Labor and Social Affairs states on its website about the law in its FAQ that “less than one fifth of enterprises with more than 500 employees based in Germany fulfilled their supply chain due diligence obligations. Voluntary commitments are therefore not enough.]”

The application is currently being discussed by the relevant committees.

You can find the application of the Free State of Bavaria here on the website of the Bundestag.
You can find more information about the Supply Chain Sourcing Obligations Act here on the website of the Federal Ministry of Labor and Social Affairs.

Source: © German Bundestag – bundestag.de

BaFin panel addresses cloud suboutsourcings

The topic of cloud outsourcing was addressed in several meetings of BaFin’s special expert panel on cloud outsourcing. The requirements for these constellations are derived from the EBA Guidelines on Outsourcing Agreements or AT 9 MaRisk and are criticized by the industry due to their complexity.

In concrete terms, according to statements by financial institutions, service providers sometimes use a large number of sub-service providers worldwide to cover a wide range of services and risks. In many of these deployments, ensuring transparency and evaluating the services are difficult. Currently, institutions often solve the problem by considering only those subcontractors that are considered to be significant.

BaFin proposes the following procedure in this context:

  1. Contractually agree on clear criteria that make a subcontractor potentially significant. Examples include direct operating services, support services, and risk reduction services.
  2. Report on Service provider’s on potentially significant subcontractors based on the criteria defined in 1. above.
  3. Identification of actual significant sub-service providers by the institution based on the service provider’s report.
  4. Regular risk analysis by the institution for new, changed and potentially significant sub-service providers.
  5. Decision to commence, continue or adjust performance based on the results of the Institution’s risk analysis.
  6. Inclusion of major sub-service providers in the outsourcing register.
  7. Regular and unrestricted review, monitoring and reporting of significant sub-service providers by the institution.

The minutes of the meetings of the Special Expert Panel can be found here on the BaFin website.

Source: © German Federal Financial Supervisory Authority / www.bafin.de

Even though DORA will not take effect for two more years, the effort associated with the act should not be underestimated. Implementation measures are needed not only on the part of the financial institutions, but also by ICT service providers. The sooner you start, the better.

We at ADWEKO are happy to assist you with our expertise in implementing the requirements of the DORA.

talk to

Pia Streicher!