DORA & IT Security Archives | PAYMENT.TECHNOLOGY.LAW.

9. MaRisk-Novelle und DORA: Digitale Resilienz wird Chefsache 9th MaRisk Amendment and DORA: Digital Resilience Becomes a Board-Level Responsibility

5 minute read

9th MaRisk Amendment and DORA: Digital Resilience Becomes a Board-Level Responsibility

bySebastian Glaab,Nadja Reiß
12. May 2026

The draft of the 9th MaRisk amendment systematically integrates the requirements of DORA into the existing MaRisk governance framework without creating a separate national regime. As a result, digital operational resilience is becoming a core management responsibility: ICT risks are no longer viewed solely as an IT security issue but as part of overall bank management, risk strategy, and institution-wide governance.

DDORA & IT Security

6 minute read

Escrow Agreements under DORA: Requirements for an Effective Resilience Instrument

byJosefine Spengler
9. April 2026

Escrow agreements under DORA are considered a key instrument for mitigating critical ICT dependencies. But when are they truly effective? This article explains why standard solutions often fall short and what really matters in practice.

BBanking

BaFin konsultiert 9. MaRisk-Novelle: mehr Proportionalität, weniger Komplexität BaFin consults on the 9th MaRisk amendment: enhanced proportionality, reduced complexity

3 minute read

BaFin consults on the 9th MaRisk amendment: enhanced proportionality, reduced complexity

bySebastian Glaab,Nadja Reiß,Sophie Eiles
2. April 2026

The 9th MaRisk amendment signals a paradigm shift in banking supervision: less detailed regulation, stronger risk orientation and enhanced proportionality. New institutional categories and consolidated requirements increase flexibility but require robust risk assessment and documentation.

DDORA & IT Security

IT-Anforderungen an Finanzunternehmen in Deutschland – ein Überblick über den regulatorischen Rahmen IT Requirements for Financial Institutions in Germany – an overview of the regulatory framework

7 minute read

IT Requirements for Financial Institutions in Germany – an overview of the regulatory framework

byValesa Krasniqi
24. February 2026

IT regulation in the financial sector is becoming increasingly complex. With DORA, the FinmadiG, the NIS 2 Implementation Act, GDPR, the Cyber Resilience Act, the Data Act and the AI Act, financial institutions face far-reaching requirements regarding digital resilience, third-party risk management and governance. This article provides a structured overview of the current regulatory framework in Germany and at EU level.

PPodcast

KI-Regulierung in der Praxis: Was die Aufsicht zu KI im Finanzsektor wirklich sehen will | ALLES LEGAL #126 AI Regulation in Practice

2 minute read

AI Regulation in Practice: What Supervisors Really Expect to See from AI in the Financial Sector | ALLES LEGAL #126

byJosefine Spengler
18. February 2026

Annerton partner Josefine Spengler explains how supervisory authorities assess AI systems in the financial sector in practice. AI is not treated as a regulatory special case but as an ICT system embedded within existing frameworks, particularly DORA. The focus lies on governance, accountability, traceability and ongoing monitoring. The interaction between DORA and the EU AI Act adds further complexity. The key takeaway: AI is not merely an IT issue – it is a management responsibility.

BBanking

KI im Finanzsektor: Warum Aufsicht und Governance jetzt entscheidend werden | ALLES LEGAL #125 ai-in-financial-sector-supervision-and-governance-alles-legal-125

2 minute read

AI in the Financial Sector: Why Supervision and Governance Are Now Crucial | ALLES LEGAL #125

byJosefine Spengler
11. February 2026

Artificial intelligence is fundamentally reshaping the financial sector – yet its growing use also raises pressing questions around governance and supervision. Find out what this means in the latest episode of “Alles Legal – Fintech-Recht kompakt”. Tune in now!

FFinTech

8 minute read

AI in the Financial Sector – Key Findings of the new OECD Paper

byJosefine Spengler
3. February 2026

The OECD paper “Supervision of Artificial Intelligence in Finance” analyses supervisory practices related to the use of AI in the financial sector. This article outlines the key findings and assesses them in light of the recent BaFin guidance.

DData Protection

Datenschutzrechtliche Zulässigkeit verpflichtender Nutzerkonten im E-Commerce EDPB

7 minute read

Data Protection Law Permissibility of Mandatory User Accounts in E-Commerce

byJosefine Spengler
8. January 2026

On 3 December 2025, the European Data Protection Board (EDPB) published its “Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites”. The recommendations are currently still in the phase of public consultation, which runs until 12 February 2026.

AArtificial Intelligence

Illustration zum Artikel KI im Finanzsektor

13 minute read

AI in the financial sector: Classification and practical significance of the new BaFin guidance on the use of AI

byJosefine Spengler
18. December 2025

With the ongoing integration of artificial intelligence into the business models, processes and decision-making structures of financial companies,…

DDORA & IT Security

Illustratives Bild zu: ESAs Liste kritischen IKT-Dienstleister

1 minute read

European Supervisory Authorities publish list of critical ICT third‑party providers

byJosefine Spengler
21. November 2025

On 19 November 2025, the European Supervisory Authorities (EBA, EIOPA, ESMA) for the first time designated 19 critical ICT third‑party providers under Article 32(1)…

DDORA & IT Security

EZB-Leitfaden zur Auslagerung von Cloud-Diensten: Tipps zur Umsetzung von DORA ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

7 minute read

ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

byNiklas Olschewski
18. November 2025

In July 2025, the ECB published a non-binding guide on cloud outsourcing, aiming to align financial institutions with DORA’s resilience standards. It addresses supervisory findings and offers actionable best practices.

FFinTech

Von Outsourcing zu Third Party Arrangements: Die neuen EBA-Leitlinien zum Drittparteienmanagement • Teil 1: Überblick über die wichtigsten Neuerungen

5 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 2/2

byJosefine Spengler
23. October 2025

The new EBA Guidelines significantly expand the approach to third-party risk. In this second part, we explore what this means in practice for banks, payment and e-money institutions – from new organisational requirements to integration with DORA. What are the biggest challenges and where do opportunities arise?

LLegal

7 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

byJosefine Spengler
9. October 2025

On 8 July 2025, the European Banking Authority (EBA) published a new consultation paper on the EBA Guidelines for third-party risk management. The draft goes well beyond the previous Outsourcing Guidelines from 2019. The objective is to establish a harmonised European framework for managing third-party risks, aligned in particular with the Digital Operational Resilience Act (DORA). Part 1 of the analysis highlights the key innovations and main content; a practical assessment will follow in Part 2.

FFinTech

Neues Buch: Das Recht der digitalen Zahlungsdienstleistungen

2 minute read

PayTechLaw – now available as a book!

byPayTechLaw-Team
18. September 2025

With the title “PayTechLaw – The Law of Digital Payment Services”, a new handbook has been published by C.H. BECK. It is dedicated entirely to the regulatory and civil law framework of digital payments. The editors: Prof. Dr. Carsten Herresthal, LL.M., and Annerton partners Dr. Matthäus Schindele and Frank Müller, LL.M. – all recognized experts in payment services and financial regulatory law. They were supported by a top-class team of authors – including many familiar names from the Annerton environment and beyond.