IT Security Regulatory Update | July 2023
Focus: DORA, IT operations in the context of the cloud, interplay between data protection and antitrust law

Highlight from July 2023

IT expert committee deals with DORA

In April, BaFin’s IT expert committee reflected on the current state of development of DORA, including the monitoring framework for third-party ICT service providers and the current implementation status at institutions.

BaFin is open to a renewed exchange with the industry after the publication of the delegated acts.


Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

DORA: Current developments, current implementation status and third-party ICT service providers

In a special session, the IT expert panel addresses the topic of the Digital Operational Resilience Act (DORA). In their meeting, the members of the panel consider various issues surrounding the legal act, which is currently causing movement in the financial industry.

At the beginning, a representative of the supervisory authority explained the current work in the context of the first wave of delegated acts with the involvement of BaFin. At the time of the publication of the protocol, these are already available as a consultation version at the time of publication of the protocol, as reported in our June update.

Hereinafter, the panel addresses critical ICT third-party service providers that are placed under reduced agency oversight under DORA. A representative of the supervisory authority emphasizes that this is not a direct supervision of the service providers, so that, for example, the service providers will not receive direct injunctions.

Slate gray panel with the text "Update" in capital letters and underlined.

Nevertheless, supervisory authorities may issue recommendations to service providers, non-compliance with which may result in a penalty payment. In addition, the supervisor has the authority to request information and documentation directly from the critical third-party ICT service provider and as well as to conduct audits. It is noted that such regulatory audit procedures are not intended to replace those of financial firms.

Furthermore, BaFin presents the results of its survey on DORA with a focus on sector specifics before addressing the current implementation status of DORA in the institutions. The industry picture is homogeneous; DORA has been identified as relevant, planned as a project, and/or scheduled with appropriate capacity. At the time of the discussion in April, however, the institutions were for the most part still waiting for the consultation versions of the RTS and ITS (which have since been published), so that further progress in implementation can already be expected at the current time. the level 2 acts are rated highly relevant to implementation because DORA itself often approaches issues too superficially and detailing is essential for implementation.

In this context, the BAIT and in particular differences between the requirements contained therein and those under DORA were also discussed. Industry representatives express a desire for an analysis of these differences after the Level 2 regulatory acts are published, as well as a renewed exchange with regulators. The supervisor is open to this proposal.

The two discussed future dates in May and June should have already taken place by now, so a new set of minutes from the expert panel can probably be expected soon.

You can find the minutes of the expert panel of April 2023 here on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

Special IT committee looks at IT operations in the context of the cloud

These minutes summarize two meetings of the Special Expert Panel held in December 2022 and May 2023, both of which focused on IT operations and cloud. This protocol can and should act as a guidance framework for financial companies, but its contents should not be considered finalized. New regulatory developments, relevant practical experience and the like may require an adjustment of the previous state of discussion.

The subject of the meetings was the requirements for IT operations for banks and insurance companies. One of the issues in IT operations is that an abstraction boundary is necessary for the provision of cloud services by service providers (ADWEKO reported on this in June 2022 in the context of Cloud Service Provider / CMDB.). This depends on the type of cloud service model and how it is used by the financial company. As a general rule, the processes and procedures of the financial company are decisive above the abstraction limit, those of the service provider below. The issues the industry is facing include insufficient information around the technical details of cloud services, lack of customer-specific reporting, lack of influence on internal process design at the service provider, and the global nature of the service provider’s service.

More generally, in its discussion, the panel refers to its minutes for the “certificates” session, which could also be readily used in the context of IT operations. You can find this in our Regulatory Update from January 2022.

In addition, the protocol at hand addresses the principle of publishing changes to service delivery, etc. via the service provider’s website, rather than direct communication to individual clients. Financial companies must take this into account in their IT operations in terms of processes. To do this, the company must sufficiently understand the services it acquires, obtain information itself, and configure the cloud services appropriately.

To this end, the panel recommends a 4-step approach:

1. Quality of service
The quality of service must be contractually defined and adequately monitored. In the event of deviations, a risk analysis is required to check the (further) use of the service provider.

2. Risk management
A risk analysis on the inherent risks should be carried out in advance and reviewed regularly; depending on the results, the service provider is to be managed.

3. Information obtaining and processing
Obtaining information around the life cycle of services, aligned with own planning. The communication channels used must be known and used accordingly.

4. Configuration of the cloud services
The recommendations of the provider are to be checked and the service adjusted if necessary. The data backup by the cloud provider must be regularly checked, tested and, if necessary, adjusted by the financial company. Leeway in capacity planning should also be used.

The minutes of the December and May meetings can be found here on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

BfDI considers ECJ ruling on Meta in the context of antitrust law

Facebook finances itself through personalized ads based on a user profile. For this purpose, not only data provided by users directly is collected, but also other information about the user, his device and his activities within and outside of Facebook. This includes other social networks of the Meta Group, and links between the various accounts of the users. The data collected in this way allows detailed conclusions to be drawn about individual users and their preferences.

This procedure is regulated in the terms of use, which allow Facebook to collect data about the user outside of Facebook. This also includes data relating to third-party websites outside the Meta Group. The Bundeskartellamt prohibited Facebook from applying these clauses to German users, insofar as they are a condition for using the platform. The Bundeskartellamt sees this as an exploitation of Facebook’s dominant market, which has a negative impact on the voluntary nature of the user’s consent. In opposition to this, Meta Platforms Inc. as well as the Irish and German companies filed complaints.

In its ruling of July 4, the European Court of Justice (ECJ) ruled that the Bundeskartellamt was entitled to make its decision vis-à-vis Meta in this way. You can find the judgment on case C-252/21 here.

In this context, the BfDI emphasizes that close cooperation between antitrust and data protection supervisory authorities is necessary to ensure efficient supervision and adequate protection of user data. In this context, it welcomes the ECJ’s decision that the Bundeskartellamt is justified in examining compatibility with data protection law in addition to protecting competition. However, they welcome that, the ECJ also emphasizes that it is primarily the data protection authorities that decide if there has been a breach of the GDPR.

You can find the statement of the BfDI here on its website.

Source: © BfDI –

DORA is and remains one of the topics currently demanding a lot of attention. By publishing further content, whether as a protocol or delegated act, the supervisor provides valuable information on implementation. Stay up to date with us and our
website on digital operational resilience
up to date!

We at ADWEKO assist you with our expertise with the implementation of DORA in your company as well as with any open questions you may have.

talk to
Pia Streicher!

Pia Streicher