In the previous article about DORA, “When do financial and ICT companies have to be DORA compliant?”, I took a look at what DORA is and which system capabilities you need in order to enable and support the regulatory requirements of the Digital Operational Resilience Act.
DORA establishes detailed rules for operational risk management. But how does it fit into existing regulations? Does it replace them? Not really. Rather, it incorporates the existing regulatory guidelines into the new framework.
If you look into the articles of that act, you will see that (at least in Germany) many components have already been implemented through legislative amendments and updates to the corresponding directives. In the following, I will distinguish the DORA regulatory framework from the previous German regulatory framework for financial companies in risk management (MaRisk), the Banking Supervisory Requirements for IT (BAIT), NIS 2 and the Supply Chain Act.
BAIT was updated in 2021, introducing new regulations for the banking sector that adopted many elements of DORA. Additionally, the MaRisk amendment created detailed extensions for IT emergency management.
The requirements in DORA are more concrete and now anchored at the legislative level, no longer just in administrative regulations of BaFin. The regulations for ICT risk management of financial companies state that the use of ICT must be integrated into the company’s strategy. The overall responsibility for risk management fundamentally lies with the respective financial company. Additionally, DORA obliges financial service providers to ensure that ICT systems are continuously monitored, controlled, and kept up to date.
| | DORA | BAIT | MaRisk |
|---|---|---|---|
| Target Organisations | Financial companies and their ICT service providers | Financial institutions, specifically banks | Financial institutions, including banks and insurance companies |
| Type of Regulation | Legislative regulation anchored at the EU level | Administrative regulation by BaFin | Administrative regulation by BaFin |
| Processes Covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | IT risk management; IT emergency management; continuous monitoring and control of IT systems | General risk management; integration of risk management into business strategy; IT emergency management through recent amendments |
| Data Covered | ICT system data; security documentation; data backup and recovery information | IT system data; security documentation | Risk management data; IT system data through recent amendments |
While DORA, MaRisk, and BAIT all aim to enhance the resilience and security of financial institutions, DORA provides a more comprehensive and legally binding framework at the EU level, whereas MaRisk and BAIT offer detailed supervisory guidelines specific to Germany.
DORA stipulates that downtime of ICT systems must be minimised. Therefore, the affected financial companies and their service providers must also establish strategies for data backup and recovery procedures.
New to DORA is that the burden of improving IT security and its documentation is shifted to the service providers. They must provide a multitude of additional information to the institutions or, in extreme cases, be directly monitored by supervisory authorities. IT service providers should therefore consider which appropriate and current standards they must adhere to for information security. Certifications such as ISO 27001 and audits according to the standards of IDW or ISA can be useful here.
Financial service providers must anticipate higher administrative expenses, particularly when redesigning contractual agreements with service providers, as the depth of regulation is significantly greater than with MaRisk and BAIT.
Financial companies and ICT service providers should start preparing for the implementation of DORA and assessing their liability risks. You can start by assessing the current maturity level and identifying the gaps. Afterwards, put the missing parts into an execution plan and document the details and requirements for implementation. Next, you can implement with your internal resources or involve implementation partners that will help.
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) includes legal measures to enhance the level of cybersecurity across the EU. NIS 2 provides the basis for risk management measures and reporting obligations in the field of cybersecurity across various sectors, such as energy, transport, health, and digital infrastructure. The 2022 revised directive aims to harmonise cybersecurity requirements and the implementation of cybersecurity measures among different member states.
The DORA regulation complements the NIS 2 Directive as a lex specialis with a clear sectoral focus. To create legal clarity and ensure coherence between NIS 2 and other legal acts, the regulation has been adapted to the sector-specific legal provisions of DORA.
The Supply Chain Due Diligence Act, or Supply Chain Act, came into force on January 1, 2023. The law regulates corporate responsibility for the observance of human rights in global supply chains. This includes, for example, protection against child labor, the right to fair wages, and environmental protection. The law also provides for a supply chain risk management system to monitor due diligence obligations.
The Supply Chain Act applies to companies with 1,000 or more employees. With the trends toward consolidation in the banking sector, this number can quickly be reached through mergers. For this reason, it is sensible to examine the regulations and clarify whether significant contents of the Supply Chain Act are already covered by other regulatory requirements.
| | DORA | NIS 2 | Supply Chain Act |
|---|---|---|---|
| Target Organisations | Financial companies and their ICT service providers | Various sectors including energy, transport, health, and digital infrastructure | Companies with 1,000 or more employees involved in global supply chains |
| Type of Regulation | Legislative regulation anchored at the EU level | Legislative directive at the EU level | National law in Germany |
| Processes Covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | Cybersecurity risk management; reporting obligations; implementation of cybersecurity measures | Human rights due diligence; fair wages; environmental protection; supply chain risk management |
| Data Covered | ICT system data; security documentation; data backup and recovery information | Cybersecurity incident data; risk management data | Human rights compliance data; environmental protection data; risk management data |
With an established IT risk management system, the prerequisites for implementing the Supply Chain Act are largely in place. When outsourcing IT services, this applies to the direct contractual partner and all subcontractors involved in providing the services.
Teiva Systems can help you implement requirements related to the ServiceNow platform that are relevant for DORA, NIS 2 and the Supply Chain Act, including risk management, incident management, business continuity management, security operations, vendor management and more.
Kostya Bazanov, Managing Director, Aug 19, 2024