
Jan Kiefer – shown above at a BaFin conference on DORA – works in BaFin’s Directorate for IT Supervision. He represented BaFin in developing the Regulatory Technical Standard for the DORA ICT risk management framework. Picture credit: Armin Höhner

Published: 24.06.2024 | Topics: Digitalisation, Risk management

“Start getting ready for DORA now”

(BaFinJournal) Throughout Europe, companies in the financial sector are being called on to protect themselves more effectively against IT risk. Jan Kiefer from BaFin’s IT Supervision explains what this means for risk management.

Mr Kiefer, you participated in the development process for the Regulatory Technical Standard on the ICT risk management framework. The framework is considered the key element of DORA, the Digital Operational Resilience Act. Why?

The use of information and communication technology (ICT) gives rise to specific risks. The ICT risk management framework will enable financial entities to systematically identify, assess and manage these risks. This is necessary in order to ensure that the protective and preventive measures, once implemented, will align well with each other and be adequate and effective.

What exactly will the ICT risk management framework mean for financial entities?

One of the objectives of DORA is to enable financial entities to retain complete control over their ICT risks. In addition, it will harmonise the requirements for ICT risk management in Europe. Companies are required to introduce a comprehensive ICT risk management system. This includes many aspects that are doubtlessly already familiar from BaFin’s circulars – the BAIT, VAIT, KAIT and ZAIT.

Does this mean that there is nothing left for German companies to do, since the requirements under DORA are essentially identical to those of the circulars?

There are large overlaps with the ICT risk management framework described in DORA. Companies that have already fully implemented our circulars are therefore generally well positioned.

What does that mean in concrete terms?

We have been working together with the Deutsche Bundesbank and the industry to identify and analyse the most significant commonalities and differences. We have compiled the results, and they will be published soon. The differences identified show where companies in the financial market need to take action.

One common factor is proportionality. Interestingly, this was always an important point for us in the negotiations with the European and national competent authorities that participated.

What will happen to these BaFin circulars when DORA has to be applied?

We want to avoid duplicative regulation, so we will be abrogating these circulars.

What does “proportionality” mean in practice?

The ICT risk management framework obliges financial entities to meet specific requirements, but it does not specifically stipulate how these requirements are to be met. This will also present companies with an opportunity: they can decide how they will design their ICT risk management in order to achieve the best fit for their organisation.

Proportionality is not a one-way street, of course: when it comes to inspections, for example, “proportionality” means that BaFin can decide what measures it considers to be appropriately implemented.

Not all German companies in the financial sector are required to apply the regular ICT risk management framework, i.e. Articles 5 to 15, are they?

That’s correct: for some companies in the financial market, there will be a simplified risk management framework. This, too, demonstrates the principle of proportionality under DORA.

What companies will this apply to?

The companies affected will include, for example, small and “non-interconnected” investment and financial services institutions. In total, there are about 1,200 of these financial entities that fall under the simplified ICT risk management framework of Article 16 of DORA.

Please explain.

As I mentioned before, the principle of proportionality is an essential component of DORA. This is why there are exceptions for microenterprises and a simplified ICT risk management framework for specific financial entities. The framework under Article 16 of DORA is similar in structure to the general risk management framework but contains significantly fewer requirements. These minimum requirements are intended to ensure the proper operation of ICT risk management systems.

What concessions does the simplified ICT risk management framework make?

I would not call them “concessions”. Rather, the framework sets out fundamental, operational requirements for processes, management and governance. Only specific areas, such as information security, are subject to requirements from the higher levels of the governance pyramid – such as strategies, guidelines, directives and processes. The main focus of the simplified framework is on technical cyber and IT security for IT systems and data.

What advice do you have for financial entities about implementing the ICT risk management framework?

It is very important not to wait. Start getting ready for DORA now. The ICT risk management framework stipulates that you should take certain measures, but not necessarily how you should implement them specifically. This, too, is an opportunity for the companies. And it will serve BaFin as a guide for taking future supervisory actions.

Do you have any practical tips for companies?

It might sound trivial – but when it comes to implementing the ICT risk management framework, I would recommend, for example, having a good look at the headings and keywords in the articles of DORA, particularly those in the related draft of the Regulatory Technical Standard, and thinking about what technologies and processes might cover the requirements. This would provide some initial orientation for the implementation requirements. Companies that do so will certainly be off to a good start.
