
BaFin publishes DORA guidance on documentation requirements


The German Federal Financial Supervisory Authority (BaFin) has published a structured overview of the documentation requirements of the Digital Operational Resilience Act (DORA). With this guidance, BaFin wants to help financial entities find their way quickly through the various legal texts in which those requirements are spread.

What BaFin's DORA guidance offers

The EU's DORA regulation applies to financial entities from January 17, 2025. It is intended to strengthen the European financial market against cyber risks and against incidents in information and communication technology (ICT). The documentation requirements that supervised entities must fulfil contribute to this goal. They are not set out in one place: they are spread across various articles of DORA itself and across the accompanying regulatory and implementing technical standards.

The guidance published by BaFin in mid-December is intended to support financial entities in implementing the documentation requirements that result from DORA. It gives a first overview of the minimum documentation required by DORA and by the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Important: The overview does not represent a binding interpretation by BaFin. It also does not contain any interpretation within the framework of the Q&A processes of the three European supervisory authorities (EBA - European Banking Authority, ESMA - European Securities and Markets Authority and EIOPA - European Insurance and Occupational Pensions Authority).

Reading tip: DORA takes effect from January 2025 - these companies are affected

How the BaFin overview works

In the overview, the required minimum documents are arranged according to the structure of the legal texts. The columns show the chapters, sections and articles of DORA and of the regulatory and implementing technical standards that BaFin considers relevant; the individual documents are listed hierarchically in the rows.

The requirements from the regulatory and implementing technical standards are assigned to the columns by topic.

Policies and procedures that belong to the ICT security policies and procedures referred to in Article 9(2) DORA are marked as such.

What the DORA guidance does not cover

According to BaFin, the overview does not address the form or content of the listed documents. Supervised entities must nevertheless prepare the documents in a comprehensible manner and in line with the principle of proportionality under Article 4 DORA. Content requirements for the minimum documents, such as specific procedures, protocols or tools, are likewise not part of the overview. Beyond these minimum documents, further documents may be required (see Article 6(2) DORA).

The following chapters and articles are not listed individually in the overview, because they do not contain minimum documents needed to fulfil the DORA requirements:

  • Chapter I, Articles 1-5 DORA, as well as Title I Article 1 and Title II Chapter I Section 1 Article 2 of the RTS on the ICT risk management framework (RTS RMF): general provisions (subject matter, scope, definitions, principle of proportionality, etc.)
  • Chapter II, Article 7 DORA: requirements for ICT systems, protocols and tools
  • Chapter II, Article 15 DORA: further harmonisation of ICT risk management tools, methods, processes and policies (this article mainly specifies which regulatory technical standards supplement DORA)
  • Chapter V, Section II (Articles 31-44) DORA: oversight framework for critical ICT third-party service providers
  • Chapters VI to IX DORA: information-sharing arrangements, competent authorities, delegated acts, transitional and final provisions

In addition, DORA provisions that are relevant only to a small number of financial entities are not covered by the overview. These include the simplified ICT risk management framework under Article 16 DORA and Title III of the RTS RMF, as well as advanced testing by means of threat-led penetration testing (TLPT, Articles 26 and 27 DORA). Other special rules (for example, exemptions for microenterprises) are also not included.

Source: DORA documentation requirements of BaFin

Source: DORA documentation requirements of BaFin (two-sided for printout)
