In addition to the topic of cloud outsourcing, the expert panel discussed the Digital Operational Resilience Act (DORA), which is scheduled for publication at the end of the year. Substantial implementation effort is to be expected in the 24 months between its publication and its entry into force, and should be anticipated now. BaFin is making efforts to avoid duplicate regulation at the national level, but must first await the publication of DORA to do so.
The European Commission's proposal for DORA can be found here on the EUR-Lex website. The minutes of the IT expert committee can be found here on the BaFin website.
In March 2022, the special expert committee Cloud of BaFin’s expert committee IT, mentioned in the December minutes, met regarding the topic of Configuration Management Database (CMDB). The panel addressed the proportionality principle in relation to the inventory for components of the IT systems and their relationship to each other. In addition, the panel discussed the operational responsibility in the context of 8.2 BAIT on the part of cloud service providers (CSP) and institutions, as well as for interfaces and their documentation.
According to the panel, the abstraction boundary is formed by the jointly operated layers. Above this boundary, the institution is responsible, so full mapping and documentation are required. Below the abstraction boundary, the CSP is responsible, so mapping is usually not required. At the abstraction boundary, the parameterization of the services and the service description of the CSP must be included.
The minutes of the Special Expert Panel Cloud of the Expert Panel IT can be found here on the BaFin website.
Source: © German Federal Financial Supervisory Authority / www.bafin.de