BaFIN’s guidance notes on the implementation of DORA provide:
- More detail on the DORA regulatory technical standards and their interpretation by the regulator; and
- An overview of the minimum contractual contents to be agreed with ICT third-party service providers.
The regulator is keen to point out that firms in the financial and insurance sector are already subject to information technology supervisory requirements (BAIT and VAIT). And while the guidance notes specifically compare DORA to these, the regulator also explains that there are broad similarities to the supervisory requirements for asset managers and payment services providers. The guidance notes are therefore relevant to most financial services firms subject to DORA.
The detailed comparison of DORA requirements to BAIT and VAIT may be less helpful to entities outside of Germany, but the broad themes highlighting key differences are useful to note. According to BaFIN DORA:
- Requires a new strategy for digital operational readiness;
- Has at its core a focus on ICT governance and control frameworks;
- Significantly expands the responsibilities of the management body of the firm:
- Requiring it to define, approve, oversee and assume responsibility for safeguards in connection with ICT risk management;
- Introduces new requirements in connection with the review of ICT risk, new technologies, legacy systems, incidents, tests and reporting obligations related to these;
- Involves a stronger focus on analytical and control activities;
- Shifts the emphasis from IT security to ICT risk management more broadly;
- Places more emphasis on training obligations, communication strategies, policies and plans as well as information sharing;
- Shifts the focus to operational stability and including crisis and business continuity management;
- Includes detailed stipulations connected with the acquisition, development and maintenance of ICT systems;
- Widens the scope of contractual requirements to be agreed with third-party service providers;
- Includes extensive risk analysis and due diligence requirements;
- Involves a stronger focus on operational information security including:
- Stronger network security;
- Encryption of data even while in use;
- Timely identification and handling of vulnerabilities;
- Identity and access management; and
- New “need-to-use” principle.
The guidance note Annex contains a very helpful and detailed table outlining the minimum contractual clauses that must be agreed between the financial institution and the third-party service provider.
It’s worth noting that this table is based in part on the draft RTS for the subcontracting of ICT services supporting critical or important functions and so may be subject to change because this technical standard has not been finalized.