
DORA – Dependence of the financial markets on third-party service providers

With the introduction of the Digital Operational Resilience Act (DORA) in January 2023 and its mandatory application from January 2025, the regulator has once again turned its attention to the outsourcing of IT services in the financial industry.

24 July 2024

Objectives of DORA (as of 02/2024, source: BaFin presentation DORA for ICT service providers):

  • Strengthening the security and operational resilience of the entire European financial sector
  • Establishing uniform and consistent requirements for the entire financial sector
  • Introduction of proportional requirements (principle of proportionality)

In recent years, BaFin has already created a serious and increasingly practicable basis by defining the Minimum Requirements for Risk Management (MaRisk) on the basis of Section 25a of the German Banking Act (KWG) and, in greater depth, the Banking Supervisory Requirements for IT (BAIT). The increased audit activities of the supervisory authorities in recent years, with a focus on the outsourcing management of financial institutions, were already an initial preview of the measures that DORA now introduces.

If one compares the known requirements from BAIT with DORA, the following five core contents can be identified:

  1. Broader scope of DORA: While the MaRisk BAIT amendment was mainly focused on banks and financial institutions, DORA extends the scope to a broader range of companies that can benefit from digitalization and outsourcing.
  2. More flexible compliance requirements: DORA focuses on making compliance requirements more flexible compared to the requirements of the MaRisk BAIT amendment. This allows companies to better adapt their outsourcing practices to their individual needs and the rapidly changing digital landscape.
  3. Greater emphasis on risk management aspects: In comparison, DORA places a stronger focus on integrating risk management practices throughout the outsourcing process. This includes a more thorough risk assessment, the identification and monitoring of risks throughout the outsourcing lifecycle and the development of risk mitigation and control measures.
  4. Consideration of international standards and best practices: DORA is more aligned with international standards and best practices in outsourcing and digitalization, which can lead to increased comparability and interoperability with companies from other countries.
  5. Greater involvement of supervisory authorities: DORA provides for increased cooperation and communication between companies and regulators to ensure effective monitoring and enforcement of outsourcing regulations.

Within the framework of DORA, finone, together with existing and future customers / users of the finstreet, fintus and finted products and the test scenarios this requires, will focus in particular on the following three topics:

  1. Risk management and assessment in outsourcing: A detailed analysis of the risks associated with the outsourcing of software and services and the development of effective risk mitigation and control measures.
  2. Compliance and governance in digital transformation: The design and implementation of compliance strategies and governance mechanisms to ensure that all outsourcing activities comply with legal requirements and standards.
  3. International collaboration and standardization: The integration of international standards and best practices into outsourcing practices to ensure smooth interoperability and comparability with companies from different countries.

As of today, finone does not define itself as a “Critical ICT Service Provider” (Art. 31 para. 2 DORA); in this respect DORA currently sets lower standards than BaFin does via the MaRisk amendment. The extended requirements for outsourcing agreements (in particular performance measurement of the service, mandatory termination support and effective monitoring; see also Art. 30 (3) DORA) are already the standard for finone customers and will probably not require extensive revision. On the customer side, we expect increased documentation in outsourcing management in this context, including the consideration of exit scenarios following a critical incident or termination.

Overall, DORA once again offers the opportunity to excel as a service provider and supplier in the financial sector. The supervisory authorities will increasingly tighten their grip on smaller providers. With its existing certifications in accordance with ISO 9001 (quality management), ISO 27001 (information security management) and ISAE 3402 (internal control system), and its established processes for risk monitoring and reduction, finone considers itself well prepared for the stricter upcoming requirements. By carefully analyzing and implementing the requirements of DORA, companies can gain a competitive advantage and support their long-term growth.