© BaFin
Published: 28.02.2025 | Topics: Digitalisation, Risk management

Preparing for DORA: “We’ve stepped it up a notch”
Companies in the financial sector have had to apply DORA since 17 January 2025. Jens Obermöller, Director-General of IT Supervision at BaFin, talks about how companies and supervisors have been preparing for the new rules – and what will happen next.
Mr Obermöller, as head of BaFin’s IT Supervision Directorate, you are involved in the implementation of the Digital Operational Resilience Act (DORA) at BaFin. What were the most significant developments of the past year?
The year 2024 was the most intense stage of the DORA implementation work – not just for companies, but for BaFin as well. We have a number of new tasks, and we spent this last year taking further steps to prepare for them. We built up additional expertise – through dialogue with companies and with other authorities and by recruiting new staff. I would say we are now in good shape.
In getting ready for DORA, we have had the advantage of being able to play an active role right from the beginning, which is to say since 2018. First on a small scale, later on a larger scale. We contributed our expertise at the various stages of the European legislative process, doing what we could to stay somewhat ahead of the wave ourselves.
But there were also some very practical projects on the agenda in 2024. For example, we had to prepare the technical solutions for the DORA reporting obligations and adapt our internal inspection guidelines for supervisory IT inspections.
One particular challenge was the fact that not all of the detailed European specifications had been finalised by the beginning of 2024. In some cases, we only had assumptions to work with.
Another major facet of 2024 was that we comprehensively informed companies and institutions in the German financial sector about the DORA requirements. From the very beginning, it was important to us to quickly pass on our DORA knowledge to the financial industry. In 2024, we stepped it up a notch.
What did you do?
We provided a lot of up-to-date information and a number of technical articles about DORA on our website – something we will also continue to do. In addition, we set up a special DORA subpage on our website to gather the relevant information together.
But we also engaged in intensive direct dialogue with the financial industry and held many discussions, workshops and events in an attempt to support companies in their DORA preparations. Early on, we identified topics that companies still seemed to need more information about. We then published implementation instructions for DORA; we published FAQs on our DORA subpage, which we have been updating on an ongoing basis. And in December we published an overview of the minimum documents required under DORA. These are just a few of many examples.
There are obviously a number of challenges that companies will have to deal with.
That’s right. Overall, however, we have observed that those financial companies that complied with our sector-specific supervisory requirements for IT in the past realise that many aspects of the DORA requirements are familiar. DORA is therefore not completely new territory for the companies under BaFin’s supervision. That is a relatively comfortable starting position.
DORA has turned the BaFin circulars on the supervisory requirements for IT into a thing of the past.
That’s correct. We want to avoid duplicative regulation and reduce complexity. For this reason, we abrogated our Supervisory Requirements for IT in Insurance Undertakings (VAIT), Payment and E-money Institutions (ZAIT) and German Asset Managers (KAIT), effective at the end of 16 January 2025. BaFin’s Supervisory Requirements for IT in Financial Institutions (BAIT) will continue to apply until 31 December 2026. However, the BAIT no longer apply to those institutions obliged to apply DORA from 17 January 2025.
Why are you taking this step-by-step approach for the BAIT?
There is a transitional period that applies to some institutions. They do not have to apply DORA in full until 1 January 2027. This is regulated by the German Banking Act (Kreditwesengesetz – KWG). After the transition period, we will completely abrogate the BAIT, too. The German Financial Market Digitisation Act (Finanzmarktdigitalisierungsgesetz) specifies exactly who is affected, what DORA requirements must be met and when they are to be met. This law was adopted at the end of 2024, and the KWG is now being amended accordingly.
Let’s talk briefly about the issue of duplicative regulation. Parts of DORA overlap with other regulation. What’s BaFin’s line of approach here?
We have overlaps, for example, with the notification requirements for outsourcing arrangements set out in the sectoral specifications. We have designed our supervisory practice in such a way as to ease the burden on institutions and companies. Details can be found in an article by my colleague Benedikt Queng on the BaFin website.
Even though German companies are already familiar with many of the requirements from BaFin’s supervisory requirements for IT, DORA is a paradigm shift.
That is indeed what it is. In my view, we are talking about three fundamental changes in particular.
Firstly, DORA is not focused primarily on preventing incidents. It centres on the question of whether companies are prepared for an emergency. It’s about resilience. That is a new perspective.
Secondly, it is clear that DORA now sets requirements that are standardised across all sectors. In light of the close interconnectedness of the financial sector, this is absolutely a positive development. For the heterogeneous German financial sector, however, it is rather a tall order. DORA poses a number of challenges, particularly for the many small and medium-sized financial companies. But the good thing is that DORA, in my opinion, provides sufficient flexibility to enable implementation in line with the principle of proportionality. And, as I have just described, we are managing the overlaps with sectoral regulation by means of our supervisory practice.
The third new development that I consider a big step forward is the fact that DORA now enables us to explicitly supervise critical third-party service providers in information and communication technology (ICT) on a cross-border basis. These are ICT service providers that supply services to a high number of financial companies. If there is a possibility that this concentration on individual providers will result in a systemic risk for the financial market, we take a closer look. It is for this purpose that the launch of DORA will involve establishing a European monitoring function. My colleague Dr Sibel Kocatepe recently explained this in her article on the BaFin website.
Are the companies all really ready to go at this point?
They should all be ready – DORA application became mandatory on 17 January 2025. Our impression is that the majority of companies are well prepared. But since DORA does not provide for any grace periods, certain topics will still pose challenges when it comes to implementing the new requirements. I am thinking here in particular of third-party ICT risk management.
What does that mean specifically?
For example, DORA sets out a whole range of new requirements regarding the organisation of contractual relationships. It’s possible that not all companies have yet made the necessary adjustments to all their contracts with third-party ICT service providers – although they are actually already obliged to apply DORA. In such cases, we expect the companies to present us with a sensible, risk-based timeline for making these contract adjustments.
Where does DORA go from here?
For one thing, unfortunately, not all of the regulatory technical standards for DORA have been published yet. I am referring in particular to the regulatory standards on threat-led penetration testing and sub-service providers. However, I assume that the European Commission will take care of this in the near future. We will then need to examine in detail the potential consequences for companies and for our work.
And then, of course, there will also be questions of interpretation regarding DORA, the regulatory technical standards and the guidelines. We will be playing an active role in the relevant European processes, contributing our perspective and expertise.
Finally, a fundamental review of the DORA framework at the EU level is planned for 2028. That’s still a few years away, but we need to bear it in mind now.
As supervisors, of course, we will be checking on the progress companies have made in implementing DORA. I expect our first findings to be available some time near the end of 2025.
And we will be changing the way we communicate with companies.
In what way?
So far, we have mainly interacted with banks and insurance companies in the context of our IT technical and IT expert committees. This dialogue has been extremely valuable, but it has taken place with the individual sectors of the financial market. With the advent of DORA, this no longer makes sense.
From now on, we will be exchanging ideas in the context of a cross-sector committee. We want to use this format to talk regularly with the financial industry about a number of topics, including digital operational resilience. We will also be using the committee to address other topics that are strategically important for BaFin’s IT supervision.
DORA is a European framework. Is that going to help with a topic that has global relevance?
No matter what, DORA is going to be an important building block for helping companies become more resilient across borders in terms of information and communication technology. And DORA is definitely an international benchmark in this respect. There will be no way around addressing the issue of cybersecurity at the global level as well.
Is BaFin going to have a part in that?
Yes, BaFin has been part of the G7 Cyber Expert Group for a number of years, for example. This is a forum for the authorities relevant to the financial sector. But companies from the G7 countries are also represented in the Group.
This work and the ongoing dialogue with our G7 partners have made significant contributions towards ensuring more convergent cybersecurity supervisory practices in the G7 countries. At the same time, the Group is providing input that extends beyond the G7 and towards globally standardised regulation.
Together with our G7 partners, BaFin has also been making operational preparations for handling a major cyber incident in the financial sector. We also regularly carry out joint crisis exercises for this purpose. In April 2024, for example, we practised for two days how to respond in a coordinated manner to a large-scale cyberattack on financial market infrastructures and institutions in all G7 countries.
Are there any other transnational campaigns?
Another current example is the Financial Stability Board’s FIRE project. FIRE defines global standards for reporting cyber incidents. An effective and rapid exchange of information is essential – and not just in the event of a crisis. The experience gained from developing the DORA standards for incident reporting has been incorporated into the FIRE project. This has ensured that FIRE, as a global initiative, is also compatible with DORA. In view of the global dimension of cyber threats and the dynamic nature of the threat situation, this is immensely important.
What new threats can you see on the horizon? Can you give us an idea of what is coming?
This is rather like looking into a crystal ball, but it really goes without saying that the threat posed by new technologies such as artificial intelligence is on the rise. As we know, such technologies are not only used by the good guys. Attackers also use AI, for example to develop highly efficient attack methods and malicious code.
And it’s not just AI. Quantum computing is also a powerful technology that we need to prepare for today. Quantum computers threaten IT security by overcoming traditional encryption methods. Many companies underestimate this threat. Companies in the financial sector should therefore begin considering appropriate protective measures now. There are clear post-quantum cryptography standards – companies can use these as a guide. Here, too, nobody has to start from scratch.