IT Security Regulatory Update | September 2023

Focus: Timeline on DORA, consultation on ZAG-MaRisk and input on ICT third-party service providers.

Highlight from September 2023

BaFin and Bundesbank comment on DORA

As part of BaFinTech 2023, Bundesbank and BaFin took the opportunity to comment on the current status and a potential timeline around the Digital Operational Resilience Act.

Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

DORA from a regulatory perspective

On 19 and 20 September, BaFinTech took place in Berlin, hosted by BaFin and the Bundesbank. The main topics were the digitalization of the financial industry and innovation, but also crypto assets and digital ecosystems. Among other things, the hosts addressed the Digital Operational Resilience Act (DORA) and considered its consequences for the financial industry.

First, the speakers explained the objective and background of the regulation, which will apply in all EU member states from January 2025, and outlined its focus topics. Their presentation then addressed the timeline around the act, which shows what is to be expected in the coming months.

Besides the outstanding RTS and ITS of the second wave, the finalization of the first wave is still pending. In addition to these upcoming legal acts, Bundesbank and BaFin announced laws and regulations for the national implementation between the end of 2023 and mid-2024. Moreover, the revision of national and European sub-legislative requirements is anticipated between mid-2024 and mid-2025. This means that revisions to MaRisk, BAIT and the EBA guidelines, as well as their sister regulations, are not to be expected until after DORA becomes applicable. This leaves some open questions whose answers would have been helpful for the implementation of DORA.


Moreover, the speakers presented two key areas in more detail: the risk management framework and the European monitoring of critical ICT third-party service providers.

The two speakers recommend that, in the course of implementation, financial institutions familiarize themselves with the requirements and identify gaps, and that they identify and assess the resulting need for action only after the pending legal specifications have been published.

You can find the presentation document of BaFin and Bundesbank here on the website of the Bundesbank.

Source: © German Federal Financial Supervisory Authority / www.bafin.de and Deutsche Bundesbank / bundesbank.com

BaFin consults ZAG-MaRisk

With this consultation, BaFin is addressing institutions within the meaning of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) with dedicated minimum risk management requirements. The draft specifies the requirements for proper business organization in accordance with the ZAG.

In comparison with the most recently published seventh MaRisk amendment for KWG-regulated institutions, there are two main changes in addition to the different levels of detail:

  1. In the general risk management requirements of AT 4, AT 4.1 refers to the “shielding of risks” instead of “risk-bearing capacity”. A section on risk management at Group level is not provided.
  2. BTO and BTR differ in their requirements due to the different characteristics of the business models.

BaFin will accept feedback on the consultation until December 6.

The BaFin consultation can be found here.

Source: © German Federal Financial Supervisory Authority / www.bafin.de

ICT third-party providers targeted by ESAs

The three European financial supervisory authorities EBA, EIOPA and ESMA (together: the ESAs) have published an indicative overview of third-party services in the context of information and communication technology (ICT) as part of their preparations for DORA. In an analysis, the authorities identified and mapped relevant ICT third-party providers. This analysis is intended to assist the ESAs in developing a recommendation for defining indicators to identify critical ICT third-party providers. Entities classified as critical ICT third-party providers are subject to supervisory oversight under DORA, which also entails a monitoring fee.

The ESAs’ report refers to a first-of-its-kind data collection that included ICT-related contracts from financial firms across the breadth of the industry. Around 15,000 ICT third-party providers working directly for companies were identified. The most commonly used service providers each support critical/important functions at the companies and were rated as not replaceable.

Two side effects of this survey are of interest for the implementation of DORA: first, the relevance of clear identification characteristics for service providers became apparent, and second, the need for a clear taxonomy of the term “ICT service”. The ESAs recently received criticism from the industry for a first attempt at such a taxonomy under Annex IV of the ITS on the information register.

You can find the ESAs report here on the EBA website.

Source: Joint Committee of the European Supervisory Authorities – JC of the ESAs, esas-joint-committee.europa.eu

The specific requirements under DORA are becoming increasingly clear. As more legal texts under the regulation are published and regulators become more present at industry events, the details are becoming known. Use this input and incorporate it into the implementation of DORA at your institution.

We at ADWEKO will be happy to assist you with the implementation of the DORA and other projects.
