The German financial supervisory authority, BaFin, is withdrawing its existing IT security and IT strategy requirements for institutions for occupational retirement provision (IORPs) and replacing them with the Digital Operational Resilience Act (DORA), it said.

With a focus on digital operational resilience, DORA includes requirements not reflected in the VAIT – Supervisory Requirements for IT in Insurance Undertakings – circular, the regulator said in a report with instructions to implement the new DORA requirements.

In its latest version, published in 2022, the VAIT circular, aimed at insurance companies and Pensionsfonds, addressed information risk management, IT operations, outsourcing of IT services, and IT strategy.

DORA’s requirements on information and communication technology (ICT) risk management cover the topics BaFin addressed via the VAIT circular, but the methodological approach differs, which can lead to challenges when implementing DORA’s requirements, the regulator said.

“We compared the BAIT [the IT supervisory requirements for banks], and VAIT with DORA requirements for ICT risk management and ICT third-party risk management, and there are large overlaps between our circulars and the requirements,” said Ira Kosche-Steinbrecher, head of the IT Supervision Policy Unit at BaFin.

This means that the companies that “have fully implemented our circulars are well positioned” to face the challenges, she said.

However, BaFin analysed the differences between the sets of rules at both national and European Union levels to draft instructions for the implementation of the rules for the supervised companies, she noted.

The instructions are not mandatory, but offer “great added value in practice”, not least because the industry has worked intensively on them, Kosche-Steinbrecher said.

BaFin’s guidelines for implementing the DORA requirements cover topics including governance and organisation, information risk and information security management, ICT business continuity management, IT project management and application development, ICT third-party risk management, operational information security, and identity and rights management.

The new EU rules call for a shift in strategy towards digital operational resilience, with a focus on ICT risk management, which also includes ICT third-party risk management, BaFin said.
