FinCrime Central - Latest AML/CFT News & Vendor Directory

Germany’s BaFin says senior bank staff should have better IT knowledge under new DORA rules

In future, most supervised financial entities will be obliged to comply with DORA. What does this mean for banks and insurers? A supervisory statement from BaFin on IT risk management and IT third-party risk management provides detailed information.

The financial entities in the banking and insurance sectors supervised by BaFin are currently applying Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) and Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). From 17 January 2025, most of these entities will be obliged to apply the standard risk management framework set out in the Digital Operational Resilience Act (DORA). They will thus be obliged to manage their information and communication technology (ICT) risks according to DORA’s requirements. The guidance notes on implementation in the supervisory statement are addressed to these entities.

BaFin’s supervisory statement serves as non-mandatory guidance. It is intended to support entities in implementing the DORA requirements for standard ICT risk management and ICT third-party risk management. It also considers the relevant regulatory technical standards. In addition, the guidance notes on implementation include an overview of the minimum contractual contents which supervised entities must agree with ICT third-party service providers.

From: BAFIN –> Full article
