BaFin
Published: 12.08.2025 | Topics: Digitalisation, Risk management
BaFin overview creates “added value for all the parties involved”
What do companies in the financial sector have to document under the DORA Regulation? A structured overview prepared by the Federal Financial Supervisory Authority (BaFin) provides orientation. Melanie Land and Sandra Leitterstorf from BaFin’s IT Supervision unit highlight the key points.
Ms Land, Ms Leitterstorf, you analysed the Digital Operational Resilience Act (DORA) in depth in 2024. The overview of the documentation requirements is the result of your work. What is the story behind the overview?
Melanie Land: DORA contains many documentation requirements for companies. These requirements are found in the Regulation itself, but also in the associated regulatory technical standards (RTS) and implementing technical standards (ITS). The requirements became applicable on 17 January 2025. Since then, BaFin has been checking whether the companies are fulfilling the requirements.
Sandra Leitterstorf: We realised that the DORA documentation requirements vary extensively, and they are scattered throughout the various legal texts. We wanted to present the requirements in such a way that they can be grasped at a glance – to make it easier for the financial entities, but also for us as supervisors, to work with the legal texts. This is why we have created a structured overview. I would say it offers added value for all the parties involved.
How did you go about it?
Leitterstorf: DORA has a specific structure and sets out a number of requirements. When it came to the regulatory and implementing technical standards, we looked carefully to determine what exactly they call for. We then assigned these requirements to the topics addressed in DORA.
Land: There is one other aspect of our approach that is also important for understanding the overview – some requirements that are more detailed are derived from overarching topics. For example, the ICT business continuity policy required under DORA is to be an integral part of the company’s general business continuity policy. In the overview, the relationship between the two documents is indicated by a blue box within a brown box.
Are the documentation requirements all new?
Land: No, not all of them are new. Many documentation requirements have been around for a long time, for example in the BaFin circulars – the supervisory requirements for IT at banks, insurers and other supervised entities. In these circulars, BaFin established a clear direction early on by harmonising IT security requirements for the individual financial sectors. BaFin has largely abrogated these circulars in order to avoid complexity and duplicative regulation. For some requirements, DORA merely uses terminology other than that used in our circulars; other requirements have been added. Obviously, however, some topics are completely new.
Leitterstorf: A good example of this is the ICT business continuity policy, which we were just talking about. Previously, companies had to document that they had an (IT) contingency management system in place. Among other things, they had to describe this system in an (IT) contingency plan. Under DORA, we are now talking about ICT business continuity management. This is similar to business continuity management (BCM), which many companies are likely familiar with, but the focus here is on ICT aspects.
Do companies have to submit all these documents to BaFin?
Leitterstorf: No. For the documents that we have listed in the overview, there are generally no obligations to submit anything to BaFin – with the exception of the register of information. Of course, there are also reporting requirements under DORA, but these are not the subject of the overview. It is important that the companies prepare the documentation – and that they put DORA into practice. For ultimately, what matters is that they actually implement the requirements under DORA.
Land: When companies prepare these documents, however, they should also take into account the proportionality principle, i.e. Article 4 of DORA. In other words, the structure and especially the scope of the documentation should match the company’s size and overall risk profile.
Is use of the overview mandatory?
Land: No, it simply provides non-mandatory assistance. However, we hope it will enable financial entities to quickly obtain a basic understanding of the documentation requirements under DORA.
Leitterstorf: The overview does not address any special rules, for example for microenterprises or regarding threat-led penetration testing. BaFin has also not designed the overview to provide a binding interpretation. The overview is simply intended to be a guide for all the parties involved.