In the previous article about DORA, “When do financial and ICT companies have to be DORA compliant?”, I took a look at what DORA is and which system capabilities you need in order to enable and support the regulatory requirements of the Digital Operational Resilience Act.
DORA establishes detailed rules for operational risk management. But how does it fit into existing regulations? Does it replace them? Not really. It incorporates existing regulatory guidelines into the new framework.
If you look into the articles of the act, you will see that (at least in Germany) many components have already been implemented through legislative amendments and updates to the corresponding directives. In the following, I will distinguish the DORA regulatory framework from the previous German regulatory framework for financial companies in risk management (MaRisk), from the Banking Supervisory Requirements for IT (BAIT), and from NIS 2 and the Supply Chain Act.
BAIT was updated in 2021, introducing new regulations for the banking sector that have adopted many elements of DORA. Additionally, the MaRisk amendment created detailed extensions for IT emergency management.
The requirements in DORA are more concrete and now anchored at the legislative level, no longer just in administrative regulations of BaFin. The regulations for ICT risk management of financial companies state that the use of ICT must be integrated into the company’s strategy. The overall responsibility for risk management fundamentally lies with the respective financial company. Additionally, DORA obliges financial service providers to ensure that ICT systems are continuously monitored, controlled, and kept up to date.
| | DORA | BAIT | MaRisk |
|---|---|---|---|
| Target Organisations | Financial companies and their ICT service providers | Financial institutions, specifically banks | Financial institutions, including banks and insurance companies |
| Type of Regulation | Legislative regulation anchored at the EU level | Administrative regulation by BaFin | Administrative regulation by BaFin |
| Processes Covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | IT risk management; IT emergency management; continuous monitoring and control of IT systems | General risk management; integration of risk management into business strategy; IT emergency management through recent amendments |
| Data Covered | ICT system data; security documentation; data backup and recovery information | IT system data; security documentation | Risk management data; IT system data through recent amendments |
While DORA, MaRisk, and BAIT all aim to enhance the resilience and security of financial institutions, DORA provides a more comprehensive and legally binding framework at the EU level, whereas MaRisk and BAIT offer detailed supervisory guidelines specific to Germany.
DORA stipulates that downtime of ICT systems must be minimised. Therefore, the affected financial companies and their service providers must also establish strategies for data backup and recovery procedures.
New to DORA is that the burden of improving IT security and its documentation is shifted to the service providers. They must provide a multitude of additional information to the institutions or, in extreme cases, be directly monitored by supervisory authorities. IT service providers should therefore consider which appropriate and current standards they must adhere to for information security. Certifications such as ISO 27001 and audits according to the standards of IDW or ISA can be useful here.
Financial service providers must anticipate higher administrative expenses, particularly when redesigning contractual agreements with service providers, as the depth of regulation is significantly greater than with MaRisk and BAIT.
Financial companies and ICT service providers should start preparing for the implementation of DORA and assessing their liability risks. You can start by assessing your current maturity and identifying the gaps. Afterwards, you need to put the missing parts into an execution plan and document the details and requirements for implementation. Next, you can implement with your internal resources or involve implementation partners.
The Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) includes legal measures to enhance the level of cybersecurity across the EU. NIS 2 provides the basis for risk management measures and reporting obligations in the field of cybersecurity across various sectors, such as energy, transport, health, and digital infrastructure. The 2022 revised directive aims to harmonise cybersecurity requirements and the implementation of cybersecurity measures among different member states.
The DORA regulation complements the NIS 2 Directive as a lex specialis with a clear sectoral focus. To create legal clarity and ensure coherence between NIS 2 and other legal acts, NIS 2 has been adapted to the sector-specific legal provisions of DORA.
The Supply Chain Due Diligence Act, or Supply Chain Act, came into force on January 1, 2023. The law regulates corporate responsibility for the observance of human rights in global supply chains. This includes, for example, protection against child labor, the right to fair wages, and environmental protection. The law also provides for a supply chain risk management system to monitor due diligence obligations.
The Supply Chain Act applies to companies with 1,000 or more employees. With the trends toward consolidation in the banking sector, this number can quickly be reached through mergers. For this reason, it is sensible to examine the regulations and clarify whether significant contents of the Supply Chain Act are already covered by other regulatory requirements.
| | DORA | NIS 2 | Supply Chain Act |
|---|---|---|---|
| Target Organisations | Financial companies and their ICT service providers | Various sectors including energy, transport, health, and digital infrastructure | Companies with 1,000 or more employees involved in global supply chains |
| Type of Regulation | Legislative regulation anchored at the EU level | Legislative directive at the EU level | National law in Germany |
| Processes Covered | ICT risk management; continuous monitoring and control of ICT systems; IT security improvements; data backup and recovery strategies | Cybersecurity risk management; reporting obligations; implementation of cybersecurity measures | Human rights due diligence; fair wages; environmental protection; supply chain risk management |
| Data Covered | ICT system data; security documentation; data backup and recovery information | Cybersecurity incident data; risk management data | Human rights compliance data; environmental protection data; risk management data |
With an established IT risk management system, the prerequisites for implementing the Supply Chain Act are largely in place. When outsourcing IT services, this applies to the direct contractual partner and all subcontractors involved in providing the services.
Teiva Systems can help you implement the requirements related to the ServiceNow platform that are relevant for DORA, NIS 2 and the Supply Chain Act, including risk management, incident management, business continuity management, security operations, vendor management and more.
Kostya Bazanov, Managing Director, Aug 19, 2024