BAIT / DORA Supervisory requirements for IT and digital operational resilience

With Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, or DORA), the European Union has set out comprehensive requirements for digital operational resilience throughout the financial sector. In particular, DORA comprises requirements for the ICT risk management framework, reporting of major ICT-related incidents, digital operational resilience testing and ICT third-party risk management at financial entities. In addition, DORA establishes an EU-wide oversight framework for critical ICT third-party service providers. DORA (‘Level 1’) is supplemented by eight Delegated Regulations, two Implementing Regulations, two Delegated Acts (all ‘Level 2’) as well as two Guidelines (‘Level 3’).

As a European Regulation, DORA has applied directly in Germany since 17 January 2025. Against this background, the Federal Financial Supervisory Authority (BaFin) repealed the Supervisory Requirements for IT in Payment and E-money Institutions, Insurance Undertakings, and Asset Managers (ZAIT, VAIT and KAIT) with expiry of 16 January 2025 in order to prevent double regulation.

The Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT; BaFin Circular 10/2017 in the version of 16 December 2024) provide a flexible and practical framework for institutions’ technical and organisational resources on the basis of Section 25a(1) of the German Banking Act (Kreditwesengesetz – KWG) – in particular for IT resource management, IT risk management and IT security management. Moreover, they specify the requirements laid down in Section 25b of the German Banking Act (outsourcing of activities and processes). All institutions that must have risk management for information and communication technology (ICT risk management) in place in accordance with Sections 5‑15 or Section 16 DORA were excluded from the scope of the BAIT. Furthermore, Chapter 11 (Managing relationships with payment service users) was repealed in the last BAIT revision. The German Act on the Digitization of the Financial Market (Finanzmarktdigitalisierungsgesetz – FinmadiG) was adopted in December 2024 and subjects further KWG-regulated non-CRR institutions to DORA (e.g. ‘Förderinstitute’ since 17 January 2025, financial service institutions by 1 January 2027). The BAIT will be repealed completely with expiry of 31 December 2026.