In the previous article about DORA, “When do financial and ICT companies have to be DORA compliant?”, I looked at what DORA is and which system capabilities you need in order to enable and support the regulatory requirements of the Digital Operational Resilience Act.
DORA establishes detailed rules for operational risk management. But how does it fit into existing regulations? Does it replace them? Not really. It incorporates existing regulatory guidelines into the new framework.
If you look into the articles of the act, you will see that (at least in Germany) many components have already been implemented through legislative amendments and updates to the corresponding supervisory circulars. In the following, I distinguish the DORA regulatory framework from the previous German regulatory framework for risk management at financial companies (MaRisk), the Banking Supervisory Requirements for IT (BAIT), as well as from NIS 2 and the Supply Chain Act.
BAIT was updated in 2021, introducing new requirements for the banking sector that already overlap with many elements of DORA. Additionally, the MaRisk amendment added detailed requirements for IT emergency management.
The requirements in DORA are more concrete and are now anchored at the legislative level, no longer only in BaFin administrative circulars. The rules for ICT risk management at financial companies state that the use of ICT must be integrated into the company’s business strategy. Overall responsibility for risk management remains with the respective financial company. Additionally, DORA obliges financial entities to ensure that ICT systems are continuously monitored, controlled, and kept up to date.
| | DORA | BAIT | MaRisk |
|---|---|---|---|
| Target organisations | Financial companies and their ICT service providers | Financial institutions, specifically banks | Financial institutions, including banks and insurance companies |
| Type of regulation | Legislative regulation anchored at the EU level | Administrative regulation (circular) by BaFin | Administrative regulation (circular) by BaFin |
| Processes covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | IT risk management; IT emergency management; continuous monitoring and control of IT systems | General risk management; integration of risk management into business strategy; IT emergency management (through recent amendments) |
| Data covered | ICT system data; security documentation; data backup and recovery information | IT system data; security documentation | Risk management data; IT system data (through recent amendments) |
While DORA, MaRisk, and BAIT all aim to enhance the resilience and security of financial institutions, DORA provides a more comprehensive and legally binding framework at the EU level, whereas MaRisk and BAIT offer detailed supervisory guidance specific to Germany.
DORA stipulates that downtime of ICT systems must be minimised. The affected financial companies and their service providers must therefore also establish strategies and procedures for data backup and recovery.
New in DORA is that the burden of improving IT security and documenting it is extended to the ICT service providers. They must provide a multitude of additional information to the institutions or, if designated as critical ICT third-party providers, fall under direct oversight by the European supervisory authorities. ICT service providers should therefore consider which appropriate and current information security standards they must adhere to. Certifications such as ISO 27001 and audits according to the standards of IDW or ISA can be useful here.
Financial entities must anticipate higher administrative expenses, particularly when redesigning contractual agreements with service providers, as the depth of regulation is significantly greater than under MaRisk and BAIT.
Financial companies and ICT service providers should start preparing for the implementation of the DORA regulation and assessing their liability risks. You can start by assessing the current maturity and identifying the gaps. Afterwards, you need to put the missing parts into an execution plan and document the details and requirements for implementation. Next, you can implement with your internal resources or involve implementation partners that will help.
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) contains legal measures to raise the level of cybersecurity across the EU. NIS 2 provides the basis for risk management measures and reporting obligations in the field of cybersecurity across various sectors, such as energy, transport, health, and digital infrastructure. The revised directive of 2022 aims to harmonise cybersecurity requirements and the implementation of cybersecurity measures among the member states.
The DORA regulation complements the NIS 2 Directive as a lex specialis with a clear sectoral focus. To create legal clarity and ensure coherence between NIS 2 and other legal acts, NIS 2 has been aligned with the sector-specific provisions of DORA: where DORA applies to a financial entity, its requirements take precedence over the general NIS 2 rules.
The Supply Chain Due Diligence Act, or Supply Chain Act, came into force on January 1, 2023. The law regulates corporate responsibility for the observance of human rights in global supply chains. This includes, for example, protection against child labour, the right to fair wages, and environmental protection. The law also requires a supply chain risk management system to monitor the due diligence obligations.
The Supply Chain Act applies to companies with 1,000 or more employees. With the trend toward consolidation in the banking sector, this threshold can quickly be reached through mergers. For this reason, it is sensible to examine the regulations and clarify whether significant parts of the Supply Chain Act are already covered by other regulatory requirements.
| | DORA | NIS 2 | Supply Chain Act |
|---|---|---|---|
| Target organisations | Financial companies and their ICT service providers | Various sectors including energy, transport, health, and digital infrastructure | Companies with 1,000 or more employees involved in global supply chains |
| Type of regulation | Legislative regulation anchored at the EU level | Legislative directive at the EU level | National law in Germany |
| Processes covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | Cybersecurity risk management; reporting obligations; implementation of cybersecurity measures | Human rights due diligence; fair wages; environmental protection; supply chain risk management |
| Data covered | ICT system data; security documentation; data backup and recovery information | Cybersecurity incident data; risk management data | Human rights compliance data; environmental protection data; risk management data |
With an established IT risk management system, the prerequisites for implementing the Supply Chain Act are largely in place. When IT services are outsourced, this applies to the direct contractual partner and to all subcontractors involved in providing the services.
Teiva Systems can help you implement the requirements relevant to DORA, NIS 2 and the Supply Chain Act on the ServiceNow platform, including risk management, incident management, business continuity management, security operations, vendor management and more.
Kostya Bazanov, Managing Director, Aug 19, 2024