BaFin Issues Guidance on Simplified DORA Requirements for ICT Risk Management
Key Takeaways
- BaFin’s Second Supervisory Statement: Provides non-binding guidance on implementing DORA’s simplified ICT risk and third-party risk management requirements.
- Targeted Entities: About 1,100 smaller and less complex financial entities in Germany, including small investment firms, occupational retirement institutions, insurance holding companies, and certain non-CRR financial institutions.
- Proportionality in Practice: Simplified framework removes obligations such as having a digital resilience strategy, appointing an ICT risk control function, or maintaining redundant ICT capabilities.
- Transition Period: Insurance holding companies already apply the new framework; other institutions will switch by end-2026, with BaFin’s BAIT still applying until then.
- Guidance Value: BaFin stresses that its notes are optional but aim to clarify overlaps between BAIT, VAIT, and DORA, offering added value for firms preparing for compliance.
Deep Dive
Germany’s financial watchdog BaFin has released its second supervisory statement on the EU’s Digital Operational Resilience Act (DORA), offering guidance to financial entities eligible for simplified requirements on ICT risk and third-party risk management.
The statement, aimed particularly at smaller and less complex firms, outlines how around 1,100 financial entities in Germany can benefit from lighter compliance measures under Article 16 of DORA. BaFin emphasizes that its guidance notes are not mandatory but are intended to make supervisory expectations transparent and support firms in their implementation efforts.
BaFin distinguishes between two categories of financial entities eligible for the simplified ICT risk management framework. Under DORA, small and non-interconnected investment firms and small institutions for occupational retirement provisions qualify. In addition, under Germany’s Financial Market Digitalisation Act, insurance holding companies and certain financial institutions outside the scope of the Capital Requirements Regulation (CRR) are also included.
Insurance holding companies have already been subject to these requirements since the start of 2025, while other institutions will transition later. Until the end of 2026, BaFin’s own BAIT (Supervisory Requirements for IT in Financial Institutions) remains applicable.
Differences Between BAIT, VAIT, and DORA
BaFin’s guidance notes map the relationship between its BAIT and VAIT circulars and the DORA framework. According to BaFin expert Silke Brüggemann, entities already aligned with BAIT or VAIT are well prepared, with DORA offering simplifications in ICT risk management and ICT third-party oversight.
Compared to the existing German circulars, DORA shifts the emphasis from information security towards broader digital operational resilience. For example:
- DORA does not mandate an information security officer.
- It avoids detailed prescriptions on system changes or backup concepts, though data backup remains a requirement.
- Business continuity objectives must be explicitly presented in ICT continuity plans, whereas BAIT and VAIT tie these to broader continuity management processes.
Proportionality in Action
BaFin underlines that the simplified ICT risk management framework directly reflects DORA’s principle of proportionality. Unlike the regular framework, smaller entities are not required to:
- Develop a comprehensive digital operational resilience strategy.
- Assign ICT risk oversight to a control function.
- Annually document and review the ICT framework.
- Maintain redundant ICT capabilities or an ICT business continuity policy.
These exemptions, BaFin stresses, are designed to reduce compliance burdens for smaller players while still reinforcing resilience in critical ICT functions.
The second supervisory statement builds on BaFin’s earlier guidance for the standard ICT framework under DORA, which was well received by the market. By clarifying overlaps and differences with national circulars, BaFin aims to smooth the transition for affected entities and reduce uncertainty around the new EU regime.
Brüggemann noted that while not binding, the supervisory guidance offers “considerable added value” by clearly illustrating how proportionality applies in practice, ensuring smaller and non-complex institutions can strengthen resilience without unnecessary administrative overhead.