IT Security Regulatory Update | January 2024

Focus: Final reports on DORA, BaFin supervisory notice on cloud outsourcing, and BaFin's focus risks for 2024

Highlight from January 2024

Final drafts of the first wave of RTS & ITS for DORA published

The ESAs have forwarded their final drafts of the first Level 2 legal acts under DORA to the European Commission. A number of suggestions from the consultation feedback have been incorporated, including on the proportionality principle.

Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

DORA: Final drafts of the first wave RTS & ITS submitted to the Commission

The ESAs have now published the final drafts of the first wave of Level 2 legal acts under DORA on the EIOPA website. These were sent to the European Commission, which is now responsible for publishing the final version of the legal acts.

The four legal acts deal with ICT risk management, the classification of ICT incidents, ICT third-party service providers that provide support for critical and important functions and the information register. One of the main points of criticism from the consultation was addressed in all legal acts: the principle of proportionality. Accordingly, some changes were made to the individual legal acts. These are addressed and listed at the end of each legal act.

DORA checklist

The ESAs have made a number of simplifications to the information register, including harmonizing the templates for the register at company level and the (partially) consolidated register, so that only one register needs to be filled in.

A text passage has been added to the RTS on risk management that specifically addresses the proportionality principle. It emphasizes that the risk-based approach should not only make it possible to tighten requirements, but also to ease them.

Further details about DORA can also be found on our websites. We look forward to your visit!

You can find the final drafts here on the EIOPA website.

Source: European Insurance and Occupational Pensions Authority – EIOPA,

BaFin replaces information sheet on cloud outsourcing with supervisory notice

In its communication, BaFin updates its requirements in the context of governance, the introduction of cloud outsourcing and minimum contractual standards. It also addresses cloud development, cloud operation, cyber security aspects and monitoring of the service provider.

The supervisory communication is to be understood as supplementary to existing requirements in the various sectors. According to BaFin’s understanding, the communication is only an explanation of the existing regulation, similar to the information sheet published in 2018.

The supervisory regulations of DORA are addressed in the form of an outlook. It addresses relevant content that financial companies should consider when implementing DORA.

You can find the supervisory notice here on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

BaFin presents focus risks for 2024

In a press conference, Mark Branson presented the risks that BaFin will be focusing on in 2024. BaFin assesses the risks according to their potential threat to financial stability and to the integrity of the financial markets in Germany.

Among other things, an increase in risks from cyberattacks and in concentration risks from IT service procurement is forecast. Financial institutions should therefore not lose sight of these issues in future audits, and especially in the implementation of DORA. In this context, BaFin is planning to draw up a cyber situation report for the financial sector and to hold national crisis and emergency exercises. Additionally, it aims to make greater use of the outsourcing database to mitigate concentration risks and to intensify audits of service providers.

You can find the focus risks here on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

The time for implementing DORA is running out. At various events, the supervisory authorities have been calling on financial companies to stop delaying implementation. Especially with the publication of the second wave of RTS & ITS, institutions should now take action.

Would you like an initial indication of the implementation in your company?
Take advantage of our limited special offer for a free DORA Quick Check!

We at ADWEKO are happy to assist you with the implementation of DORA.

Talk to Pia Streicher!
