
Image: the legs of a female runner jogging on an asphalt road. © Gabi D – stock.adobe.com

Published: 19.09.2024 | Topic: Digitalisation

“Letting go of familiar ways”

(BaFinJournal) The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) is assisting financial entities on their path to DORA compliance. A supervisory statement sets out the differences between the DORA requirements and the current rules. Ira Kosche-Steinbrecher from BaFin’s IT Supervision provides the background.

Ms Kosche-Steinbrecher, what are the objectives of BaFin’s supervisory statement on DORA, the Digital Operational Resilience Act?

In this supervisory statement, we provide guidance notes on how financial entities can comply with DORA’s requirements relating to information and communication technology (ICT) risk management and ICT third-party risk management. Importantly, these guidance notes on implementation are not mandatory. Financial entities are free to use them – or to choose not to.

Requirements of this nature have been included in BaFin circulars up to now.

Precisely, for example in BaFin’s Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) and Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). In these circulars, BaFin has long clarified its expectations of banks, insurers and pension funds in terms of IT risk management.

How did you produce this supervisory statement?

We compared the BAIT and VAIT with DORA’s requirements relating to ICT risk management and ICT third-party risk management. These requirements are key components of DORA. There are large areas of overlap between our circulars and the DORA requirements. Financial entities that have fully complied with our circulars are therefore generally well positioned.

…but?

There are of course differences between these sets of regulations. We analysed those differences. The outcome is our guidance notes on implementation for the financial entities under our supervision. As I said, they are not mandatory. But in practice, I expect that they will offer considerable added value – not least because the industry was intensively involved in their preparation.

Could you be more specific?

Last year we set up six working groups. They included industry representatives, the Deutsche Bundesbank and BaFin. Each working group dealt with a given set of issues – which is why our supervisory statement comprises six different sections. These working groups determined the differences between the BAIT and VAIT on the one hand and DORA on the other, and established the implications for affected financial entities.

What was the next step?

My IT Supervision team compiled the results of this work. The working groups had operated independently of one another. We therefore needed to align their findings and remove some duplications and contradictions. Finally, we offered everyone involved the opportunity to comment on our supervisory statement. By doing this, we established even greater transparency. We were delighted to receive highly positive feedback.

Photo: Ira Kosche-Steinbrecher of BaFin’s IT Supervision. Legal expert Ira Kosche-Steinbrecher has been the head of Division GIT 3 in BaFin’s IT Supervision Directorate since 2018. Together with her team, she has organised workshops with the industry and overseen development of the supervisory statement. © Armin Hoehner/BaFin

How did you select the industry representatives?

We didn’t. We’ve had ongoing discussions with the financial industry on various IT topics for quite some time: with representatives of credit institutions and associations in our IT technical committee, and with the insurance industry and institutions for occupational retirement provision in our IT expert committee. We asked the members of these two committees to select representatives for the working groups themselves.

How much input did you receive from industry?

Our sparring partners from industry invested an incredible amount of time and provided a wealth of input. We had over 30 joint workshops alone! That meant weeks and months of very hard work for all of us. But our cooperation was very, very valuable.

Why did you go to all this effort?

We didn’t want to develop guidance notes that merely reflect the perspective of BaFin. The aim was instead to craft practical guidance together with the companies affected. And that means the financial entities under our supervision. Another benefit is that there should now be no discussions after the fact as to whether or not BaFin has a realistic view of certain points.

Did BaFin also benefit from this?

We hope that our supervisory statement is also helpful for our supervision colleagues and for our inspectors. Above all, however, the outcome was hugely important for us. We saw that the BAIT and VAIT requirements largely match DORA’s requirements relating to standard ICT risk management and ICT third-party risk management, including the relevant regulatory technical standards. That was the basis for our decision to abrogate our supervisory requirements for IT. We are now working on the implementation side of things. DORA also means letting go of familiar ways.

Your analysis is based on the BAIT and VAIT. Do your findings also apply to BaFin’s Supervisory Requirements for IT in Asset Management Companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) and Supervisory Requirements for IT in Payment Services and Electronic Money Institutions (Zahlungsdiensteaufsichtliche Anforderungen an die IT von Zahlungs- und E-Geld-Instituten – ZAIT)?

In principle, yes. We only looked at the BAIT and VAIT, since those are the key circulars for the industry representatives who participated in the process. Practically all of them came from the banking and insurance sectors. But asset management companies and payment services and electronic money institutions can also use our supervisory statement for guidance, since the requirements applicable to them are often similar.

What are your key findings?

As I mentioned, the BAIT and VAIT requirements largely match those arising from DORA. But there are differences, and sometimes there is also a change of emphasis. To take one example: under DORA, the management body of a financial entity is assigned far more tasks. Or to provide you with another example: DORA places a greater emphasis on a financial entity’s ICT risk management rather than on information security. We have summarised the key differences relating to each topic. Bit by bit, supervised entities can thus identify the responsibilities that may arise from DORA in our view.
