BAIT Prudential requirements for IT

With Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, or DORA), the European Union has set out comprehensive requirements for digital operational resilience throughout the financial sector. This European Regulation will take immediate effect in Germany as of 17 January 2025. In view of this, the Federal Financial Supervisory Authority (BaFin) intends to repeal the Supervisory Requirements for IT in Financial Institutions, Payment and E-money Institutions, Insurance Undertakings, and Asset Managers (BAIT, ZAIT, VAIT and KAIT) that are currently in place in order to prevent double regulation.

DORA comprises, in particular, requirements for the ICT risk management framework, reporting of major ICT-related incidents, digital operational resilience testing and ICT third-party risk management at financial entities. In addition, DORA establishes an EU-wide Oversight Framework for critical ICT third-party service providers. DORA (Level 1) is supplemented by numerous regulatory and implementing technical standards (RTS/ITS; Level 2), which will also take effect as from 17 January 2025.

The Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT; BaFin Circular 10/2017) are mainly addressed to the management boards of credit institutions. They provide a flexible and practical framework for institutions’ technical and organisational resources on the basis of Section 25a(1) of the German Banking Act (Kreditwesengesetz, or KWG) – in particular for IT resource management, IT risk management and IT security management. Moreover, they specify the requirements laid down in Section 25b of the German Banking Act (outsourcing of activities and processes).

The revised circular 10/2017, dated 16 August 2021, implements the “EBA Guidelines on ICT and Security Risk Management” of November 2019. Furthermore, the revised circular takes into account experiences from supervisory practice.