With the draft of the 9th MaRisk amendment published for consultation on 1 April 2026, digital operational resilience (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector – DORA) is becoming more firmly embedded within the MaRisk framework.
However, the draft does not establish a national substitute regime for DORA. Instead, it aligns the directly applicable European DORA requirements with the existing framework for organisational governance, risk management, contingency planning and third-party oversight.
This continues the shift in perspective already initiated by DORA: ICT risks are no longer merely a technical issue of IT security. They are becoming a matter of overall bank management, management body responsibility and institution-wide governance.
From IT Security to Digital Resilience
DORA requires institutions to organise their resilience against ICT-related incidents holistically — ranging from governance and risk management to ICT third-party risks, incident reporting obligations and digital operational resilience testing. The 9th MaRisk amendment integrates these requirements into the existing MaRisk framework without creating a parallel “DORA rulebook”.
ICT risks are expressly embedded as part of operational risks and must be systematically considered within the institution’s risk inventory. At the same time, the previously rather technical view of IT systems is being expanded into a strategic resilience perspective. Digital resilience thereby becomes a core element of overall governance: structures, processes and decision-making are expected to demonstrably contribute to the management of ICT-related risks — rather than merely fulfilling regulatory minimum requirements.
ICT and Digital Operational Resilience Strategy: Anchoring at the Highest Level
A key element is the revised provision in AT 4.2. Management bodies must establish a sustainable ICT strategy consistent with the business strategy. What is new is the explicit reference to DORA. Institutions may combine the ICT strategy and the digital operational resilience strategy in one document or maintain them separately; the decisive factor is substantive consistency.
This shifts the focus from a predominantly technical IT strategy towards an institution-wide resilience strategy. Management bodies must not only ensure the existence of corresponding documentation but, above all, its steering effect. In practice, this means, for example:
- ICT risk appetite, critical and important functions, and the handling of ICT third parties must be strategically defined and aligned with the business and risk strategy.
- The DORA perspective must be integrated into business model analysis, capital planning and risk management instead of remaining confined to separate IT concepts.
The responsibility of management bodies therefore shifts from a rather formal responsibility towards an active and transparent positioning regarding the institution’s digital resilience.
ICT Risks as Part of the Overall Risk Profile
Under AT 2.2, ICT risks are expressly addressed as part of operational risks. Management bodies must regularly obtain an overview of all material risks and visibly consider ICT risks in this context. This includes, in particular:
- ICT risks relating to outsourcing arrangements, end-user computing applications and data aggregation,
- dependencies on service providers and platforms,
- ICT outages as drivers of other risk types, such as liquidity or reputational risks.
At the same time, the amendment emphasises proportionality. Smaller institutions may rely on more qualitative approaches but must provide comprehensible reasoning for their assessment and classification decisions. Practical efforts therefore shift away from standardised documentation towards risk-oriented reasoning that explains why certain ICT risks are considered material or non-material. In practice, the focus is less on whether ICT risks should be considered as a risk category at all, and more on the risk-oriented assessment of their manifestations, concentrations, scenarios and management intensity.
Technical Infrastructure and Contingency Management
AT 7.2 and AT 7.3 further specify expectations regarding technical and organisational infrastructure as well as contingency management. AT 7.2 intentionally remains principles-based. The provision does not require a detailed IT security architecture but rather a technical and organisational setup appropriate to the institution’s business and risk situation, as well as reliable data and information processes for material risk types. The requirements concerning IT systems (e.g. ensuring integrity, availability and confidentiality) are not fundamentally new but are more strongly linked to the question of whether they genuinely contribute to risk mitigation.
This is particularly evident in contingency management. Impact analyses (business impact analyses) should not merely be prepared as a formality but should form the basis for realistic business continuity and recovery plans. Scenarios such as the failure of central IT systems, communication infrastructure or key service providers must be explicitly covered. Where outsourced activities or processes support critical or important functions, a coordinated contingency concept between institution and service provider is expected.
As a result, the effectiveness of these concepts moves to the forefront. Institutions must plausibly demonstrate how their contingency planning contributes to digital resilience — particularly in light of DORA requirements relating to ICT incident management, communication, recovery and third-party oversight.
ICT Third Parties: A Clear Interface Between MaRisk and DORA
AT 9 contains a particularly practice-relevant interface. According to the draft, outsourced or externally sourced ICT services within the meaning of Article 3(21) DORA that are subject to ICT third-party risk management under Articles 28 to 30 DORA do not fall within the scope of AT 9. This is not deregulation but rather a delineation of regimes: the governance of such ICT services shifts into the directly applicable DORA framework.
For traditional outsourcing arrangements, however, the MaRisk rules continue to apply. In practice, this means that the outsourcing register under MaRisk and the DORA information register must not exist independently alongside one another; institutions require a consistent taxonomy for outsourcing arrangements, other external sourcing and DORA ICT services.
Institutions must therefore structure their third-party inventory carefully:
- Which relationship constitutes a MaRisk outsourcing arrangement?
- Which relationship qualifies as other external sourcing?
- Which relationship constitutes a DORA ICT service?
- Which of these relationships support critical or important functions?

The practical challenge lies less in additional obligations and more in establishing a coherent governance design across both regimes. Risk analyses, exit strategies, contingency concepts, as well as audit and information rights, must be designed consistently — regardless of whether the relevant relationship falls under MaRisk or DORA.
Control and Compliance Functions: Integrating DORA Roles
The 9th MaRisk amendment also follows an “integration rather than silo thinking” approach in the DORA context. DORA introduces new roles in ICT risk management, such as the ICT risk control function pursuant to Article 6(4) DORA. AT 4.4.2 allows these roles to be combined with existing functions — such as the compliance function — provided conflicts of interest are addressed and independence is maintained.
In practice, this means institutions may integrate individual DORA roles into existing governance structures but do not receive any substantive regulatory relief as a result. They must demonstrate that responsibilities, information flows and control powers are structured in such a way that a consistent view of ICT risks is achieved and responsibilities are clearly allocated.
Conclusion: Digital Resilience as a Management Responsibility
The draft of the 9th MaRisk amendment incorporates DORA references, removes overlaps and integrates the DORA framework into the existing MaRisk structure. It complements the European DORA requirements within the established MaRisk system and distributes them across strategy, risk organisation, technical infrastructure, contingency management and third-party oversight.
Institutions that consistently align their MaRisk requirements with the amendment will simultaneously establish a structural basis for sustainable DORA compliance. Digital resilience thus becomes an integral part of sound governance — and a benchmark for a future-proof business organisation within the financial sector.
