Germany’s financial regulator, BaFin, has issued new guidance to help banks comply with the EU’s forthcoming Digital Operational Resilience Act (DORA). The regulation, which sets out the requirements for financial institutions to protect against and manage ICT and cyber risks, applies from 17 January 2025.
BaFin’s new guidance, published in detailed notes, is described as "non-mandatory," but the regulator emphasized that the information could be valuable for banks seeking to better understand DORA's requirements, such as those related to ICT risk management. The guidance provides advice on how financial institutions can strengthen their digital controls to meet the new standards.
One of the key points BaFin highlighted is the expectation that management-level staff in banks will need to possess "sufficient knowledge and skills regarding ICT risks." Under DORA, management teams will also bear the responsibility for “setting clear tasks and responsibilities for all ICT-related functions” within their organizations.
In an article on BaFin’s website, Ira Kosche-Steinbrecher from the regulator’s IT supervision division confirmed the expanded role of senior management in overseeing technology-related risks under DORA. “Under DORA, the management body of a financial entity is assigned far more tasks,” Kosche-Steinbrecher noted, encouraging companies to utilize the published notes to gradually familiarize themselves with the new requirements “bit by bit.”
BaFin had previously announced in July that it would "support companies on their way" to implementing DORA. This aligns with the approach of other European regulators, who have also pledged to help banks adjust to the upcoming rules. For instance, the Central Bank of Ireland stated it would take a "pragmatic approach" to DORA compliance, focusing on assisting firms rather than immediately penalising them for non-compliance.
By fLEXI tEAM