BaFin
Published: 12.08.2025 | Topic: Digitalisation, Risk management
Documentation requirements under DORA – made easy (or easier)
What documentation requirements do companies have to fulfil under DORA? The Federal Financial Supervisory Authority (BaFin) has published an overview to help companies navigate these requirements.
The Digital Operational Resilience Act (DORA) contains numerous documentation requirements for companies in the financial sector. BaFin has compiled a detailed overview of these requirements. The overview is not mandatory and does not constitute an interpretation of the law, but is designed to serve as a guideline.
Background
Companies have had to apply the European DORA Regulation since 17 January 2025. DORA aims to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT). The documentation requirements that supervised companies must fulfil have a supporting role in achieving this aim. The requirements are set out in various articles of DORA and in the regulatory and implementing technical standards (RTS and ITS).
The overview and guidance on the requirements under DORA are available for download on the BaFin website. The two-page document can be used for an enlarged printout of the overview.
In an interview, Melanie Land and Sandra Leitterstorf from BaFin’s IT Supervision unit explain the benefits of the overview – and how it came about.