BaFin Offers Practical Guide to Navigating DORA’s Documentation Maze
Key Takeaways
- BaFin’s New Overview: Germany’s financial regulator has published a two-page guide mapping DORA’s documentation requirements to relevant topics for easier reference.
- Not Legally Binding: The overview is voluntary and not an official interpretation of the law but aims to help firms and supervisors navigate scattered obligations.
- Mix of Old and New: Many requirements originate from previous BaFin IT security circulars, while others, like the ICT business continuity policy, are new under DORA.
- Submission Not Required: Most documents do not need to be filed with BaFin, except the register of information, though all must be prepared and implemented.
- Proportionality Principle: Documentation should be scaled to a company’s size and risk profile, as outlined in Article 4 of DORA.
Deep Dive
Since the EU’s Digital Operational Resilience Act (DORA) took effect on January 17, 2025, financial entities across Europe have been working to align with its far-reaching operational resilience and ICT security rules. Now, Germany’s Federal Financial Supervisory Authority (BaFin) has stepped in with a tool designed to make one of DORA’s more challenging elements, its documentation requirements, easier to grasp.
BaFin has published a structured, two-page overview that distills the many documentation obligations scattered throughout DORA and its accompanying regulatory and implementing technical standards (RTS and ITS). While not legally binding or intended as an interpretation of the law, the document serves as a quick-reference guide for supervised firms and BaFin supervisors alike.
As BaFin’s IT Supervision unit members Melanie Land and Sandra Leitterstorf explained, the idea grew out of an in-depth review of DORA’s provisions in 2024. They found the documentation obligations to be extensive, varied, and embedded in multiple sections of legislative text.
“We wanted to present the requirements in such a way that they can be grasped at a glance—to make it easier for the financial entities, but also for us as supervisors, to work with the legal texts,” said Leitterstorf. The resulting overview maps specific requirements to the relevant DORA topics and visually highlights relationships between overlapping or related documents.
For example, the ICT business continuity policy, a new requirement under DORA, is shown as part of the broader business continuity policy. Under previous BaFin circulars, firms only had to document an IT contingency plan, but DORA’s approach integrates ICT continuity into wider operational resilience frameworks.
Not all documentation requirements are brand new, though. Many stem from BaFin’s former sector-specific IT security circulars, which have largely been repealed to avoid duplication. In some cases, DORA simply updates the terminology; in others, it adds entirely new expectations, such as a more explicit focus on ICT continuity management.
BaFin stressed that most of the documents identified in the overview do not need to be submitted to the authority, with the exception of the register of information. However, entities must ensure that all required documentation exists, is proportionate to their size and risk profile under Article 4 of DORA, and is actively implemented in practice.
The authority emphasizes that using the overview is voluntary. It does not cover special rules, such as those for micro-enterprises or threat-led penetration testing, nor does it offer binding interpretations. Instead, it is meant as a practical aid, a way to help firms quickly orient themselves in DORA’s complex documentation landscape.