IT Requirements for Financial Institutions in Germany – an overview of the regulatory framework


Digital business models and complex outsourcing structures shape the day-to-day operations of banks, insurance undertakings and investment firms. IT has therefore long ceased to be merely a supporting function for financial institutions.
At the same time, the risks of cyberattacks, IT disruptions and dependencies on third-party providers continue to increase. Accordingly, the regulation of IT risks is gaining growing importance at both national and European levels.

This article provides a systematic overview of the key IT-related legal and supervisory requirements applicable to financial institutions in Germany.

At the heart of IT regulation lies Regulation (EU) 2022/2554 on Digital Operational Resilience (DORA). DORA was published in the Official Journal of the European Union on 27 December 2022, entered into force on 17 January 2023 and has been directly applicable since 17 January 2025.
The objective of the Regulation is to strengthen the digital operational resilience of the entire European financial sector, in particular in the areas of ICT risk management, the reporting and handling of ICT-related incidents, digital operational resilience testing and ICT third-party risk management.

Chapter II DORA (Articles 5-16) requires financial institutions to establish a structured ICT risk management framework. Its primary purpose is to ensure the continued operational functioning of financial institutions in the face of cyber threats. The Regulation distinguishes between a standard ICT risk management framework and a simplified ICT risk management framework. The latter applies to certain smaller financial institutions – based on their size or the services they provide – and imposes less stringent requirements than the standard framework.

The core of the standard ICT risk management framework is the establishment of a comprehensive and documented governance and control system for ICT risks. This includes both preventive and reactive elements, in particular the identification and detection of ICT risks, response and recovery measures, as well as learning, continuous improvement and communication in dealing with ICT risks and ICT incidents. Financial institutions are, inter alia, required to adopt a digital operational resilience strategy and to expressly assign responsibility for the management and monitoring of ICT risks to a control function. In addition, there is an obligation to document and review the risk management framework at least annually, to maintain a dedicated ICT management function and to ensure redundancy of ICT capacities. These more stringent requirements do not apply under the simplified ICT risk management framework.

Chapter III DORA (Articles 17-23) governs the handling, classification and reporting of ICT-related and payment-related incidents. Financial institutions must implement a management process covering the handling, monitoring, logging and, where required, reporting of ICT-related incidents. In the case of major payment-related operational or security incidents, specific reporting obligations towards the competent supervisory authority apply.

Another central component is the establishment of a risk-based and proportionate testing programme (Chapter IV, Articles 24–27 DORA). This programme must form an integral part of each financial institution’s ICT risk management framework and is intended to ensure preparedness for ICT incidents and to identify weaknesses in digital operational resilience. Certain institutions are required, in addition to the general testing requirements, to conduct advanced testing based on threat-led penetration testing (TLPT). The relevant requirements are specified in a regulatory technical standard (RTS) adopted by the European Commission.

In the cloud era in particular, the management of ICT third-party risk has moved into sharper focus. DORA therefore requires financial institutions to assess and monitor ICT third-party risks throughout the entire lifecycle of the contractual relationship (Chapter V, Articles 28–30 DORA). Contracts with ICT service providers must comply with specific requirements. These are set out in particular in Article 30(2) and (3) DORA and include detailed minimum contractual provisions, such as clear service descriptions, rules on subcontracting, requirements concerning data access, return and deletion, as well as extensive access and audit rights for both the financial institution and supervisory authorities. Furthermore, Article 30 provides for obligations regarding the implementation of contingency plans, as well as reporting and notification duties of ICT third-party service providers vis-à-vis the financial institution.

A key element is to establish appropriate exit strategies for critical or important functions in order to safeguard business continuity in the event of termination of the contractual relationship. To enhance transparency and oversight, DORA requires financial institutions to maintain registers of ICT contractual arrangements and imposes specific notification and reporting obligations towards supervisory authorities, especially in relation to new or planned arrangements supporting critical or important functions.

In addition, BaFin has issued supervisory communications concerning cloud outsourcing and the implementation of DORA under the simplified ICT risk management framework and ICT third-party risk management. These serve as guidance only and do not establish additional requirements.

IT Regulation at National Level

Financial Market Digitalisation Act (FinmadiG)

With the Financial Market Digitalisation Act (FinmadiG), published on 27 December 2024, the German legislator adapted national supervisory law to key European digital legislative acts. In addition to implementing DORA at national level, the Act also serves to implement the Regulation on Markets in Crypto-Assets (MiCAR) and to revise the EU Funds Transfer Regulation.

Furthermore, FinmadiG extends the scope of DORA under national law. BaFin has issued an information notice explaining these amendments and the relevant transitional provisions in detail.

Certain institutions falling under the German Banking Act (Kreditwesengesetz – KWG) but not expressly listed as “financial entities” under DORA are brought within DORA’s scope via Section 1a(2a) KWG. This includes, for example, factoring institutions and financial leasing institutions, which will be subject to DORA as of 1 January 2027.

However, a simplified DORA framework applies to these institutions. In particular, they are subject to the simplified ICT risk management framework pursuant to Article 16 DORA. They are not required to conduct threat-led penetration testing under Articles 26 and 27 DORA, nor are they subject to the ICT third-party risk management requirements under Articles 28–30 DORA.

Section 1a(2a) KWG will apply from 1 January 2027. Nevertheless, the reporting requirements for ICT-related incidents under Chapter III DORA must already be complied with from 17 January 2025 (cf. Section 65a KWG – transitional provision under FinmadiG). Until 31 December 2026, the German Supervisory Requirements for IT in Financial Institutions (BAIT) continue to apply to the affected institutions.

IT Security Act 2.0

Prior to DORA’s entry into force, Germany significantly enhanced its general IT security framework through the IT Security Act 2.0, adopted in 2021. Its primary objective was to strengthen the Federal Office for Information Security (BSI), including expanded powers to detect security vulnerabilities and defend against cyberattacks, as well as authority to prohibit the use of critical components in order to safeguard public order or security. The Act also introduced a uniform IT security label for consumers and imposed additional security requirements on companies of special public interest.

NIS 2 Implementing Act and KRITIS Umbrella Act

The NIS 2 Implementing Act, published in December 2025, implemented Directive (EU) 2022/2555 (NIS 2) into German law and comprehensively revised the Act on the Federal Office for Information Security (BSIG).

The scope of the BSIG has been significantly expanded. Companies operating in certain sectors and exceeding defined thresholds regarding employees, turnover and balance sheet total are now classified as “important entities” or “essential entities”, including operators of critical infrastructure (KRITIS). These entities are subject to specific registration, reporting and documentation obligations.

For financial institutions, it is important to note that DORA, as a sector-specific regime, generally takes precedence over the national NIS 2 implementation under the BSIG with regard to cybersecurity risk management and incident reporting, provided that DORA’s requirements are at least equivalent.

In addition, the CER Directive (Directive (EU) 2022/2557) obliges Member States to strengthen the physical and organisational resilience of critical entities against threats such as natural hazards, terrorist attacks or sabotage. In Germany, this is implemented through the proposed KRITIS Umbrella Act, which establishes a cross-sectoral legal framework for the protection of critical infrastructure, including identification criteria, minimum resilience standards, risk assessments and a central incident reporting system.

Additional European IT and Digital Legislation

General Data Protection Regulation (GDPR)

Alongside sector-specific IT and cybersecurity requirements, the General Data Protection Regulation (GDPR) remains a core component of IT compliance in the financial sector. Since May 2018, it has been directly applicable in all EU Member States and also affects companies outside the EU processing personal data of EU residents. Financial institutions must ensure transparent and lawful data processing, including compliance with information obligations, purpose limitation and storage limitation principles, as well as safeguarding extensive data subject rights.

Cyber Resilience Act (CRA)

The Cyber Resilience Act establishes, for the first time, a harmonised EU framework setting minimum cybersecurity requirements for connected products placed on the EU market. The Regulation applies directly in all Member States to both connected hardware and software products and does not require national transposition.
For financial institutions, the CRA may become relevant in the development, distribution or use of digital products.

Data Act

The Data Act, directly applicable since September 2025, introduces uniform requirements for companies offering products and services within the EU. It includes provisions on data sharing between businesses and consumers (B2C) and between businesses (B2B), obligations of data holders to make certain data available, and prohibitions of unfair contractual terms concerning data access and use.

Artificial Intelligence (AI) Act

Adopted in 2024, the Artificial Intelligence (AI) Act establishes a harmonised, risk-based framework for the use of artificial intelligence within the European Union, following the principle that the higher the risk, the stricter the regulatory requirements.
This broadens the regulatory focus in the financial sector beyond IT security and operational resilience to encompass the lawful and responsible design and use of AI systems, particularly in areas such as credit scoring, fraud prevention and automated decision-making.

Conclusion

The wide range of IT and digital regulations clearly demonstrates that digital resilience, data security and the responsible use of technology remain firmly on the legislator’s agenda.

For financial institutions in Germany, this means that IT organisation, outsourcing arrangements and data-driven processes must be structured strategically, systematically and with foresight. Regulatory requirements no longer concern isolated IT security measures alone; they increasingly shape governance structures, contractual arrangements, risk management and strategic business decisions. IT compliance has therefore evolved into a core management responsibility with far-reaching implications.

One thing is clear: institutions that integrate and embed regulatory requirements into their governance and business processes at an early stage will not only achieve formal compliance but also strengthen operational stability and build trust. IT regulation is not a static rulebook, but a continuously evolving framework.
