The financial entities in the banking and insurance sectors supervised by BaFin are currently applying Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) and Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). From 17 January 2025, most of these entities will be obliged to apply the standard risk management framework set out in the Digital Operational Resilience Act (DORA). They will thus be obliged to manage their information and communication technology (ICT) risks according to DORA’s requirements. The guidance notes on implementation in the supervisory statement are addressed to these entities.

BaFin’s supervisory statement serves as non-mandatory guidance. It is intended to support entities to implement the DORA requirements for standard ICT risk management and ICT third-party risk management. It also considers the relevant regulatory technical standards. In addition, the guidance notes on implementation include an overview of the minimum contractual contents which supervised entities must agree with ICT third-party service providers.

These guidance notes on implementation only refer to the BAIT and VAIT. However, the requirements examined are frequently similar to those in the Supervisory Requirements for IT in Asset Management Companies (Kapitalverwaltungsaufsichtliche Anforderungen an die IT – KAIT) and the Supervisory Requirements for IT in Payment Services and Electronic Money Institutions (Zahlungsdiensteaufsichtliche Anforderungen an die IT von Zahlungs- und E-Geld-Instituten – ZAIT). The guidance notes are thus generally relevant in these fields as well.

Result of close cooperation with the industry

These guidance notes on implementation are based on the findings of six working groups consisting of representatives of the financial industry, the Deutsche Bundesbank and BaFin. BaFin set up these working groups in 2023. These mixed teams spent more than 30 sessions comparing DORA’s requirements with those of the BAIT and VAIT. They identified key differences and determined areas where action is required.

Background: With DORA, the European Union has established a European regulation in the areas of digital operational resilience, ICT risks and cybersecurity across the whole financial sector. Many of DORA’s requirements match those in BaFin’s BAIT, VAIT, ZAIT and KAIT circulars. BaFin therefore intends to abrogate these circulars.

In an interview, Ira Kosche-Steinbrecher from BaFin’s IT Supervision provides further information on the origins and context of this supervisory statement.