DORA Archives | PAYMENT.TECHNOLOGY.LAW.

IT-Anforderungen an Finanzunternehmen in Deutschland – ein Überblick über den regulatorischen Rahmen IT Requirements for Financial Institutions in Germany – an overview of the regulatory framework

7 minute read

IT Requirements for Financial Institutions in Germany – an overview of the regulatory framework

byValesa Krasniqi
24. February 2026

IT regulation in the financial sector is becoming increasingly complex. With DORA, the FinmadiG, the NIS 2 Implementation Act, GDPR, the Cyber Resilience Act, the Data Act and the AI Act, financial institutions face far-reaching requirements regarding digital resilience, third-party risk management and governance. This article provides a structured overview of the current regulatory framework in Germany and at EU level.

PPodcast

KI-Regulierung in der Praxis: Was die Aufsicht zu KI im Finanzsektor wirklich sehen will | ALLES LEGAL #126 AI Regulation in Practice

2 minute read

AI Regulation in Practice: What Supervisors Really Expect to See from AI in the Financial Sector | ALLES LEGAL #126

byJosefine Spengler
18. February 2026

Annerton partner Josefine Spengler explains how supervisory authorities assess AI systems in the financial sector in practice. AI is not treated as a regulatory special case but as an ICT system embedded within existing frameworks, particularly DORA. The focus lies on governance, accountability, traceability and ongoing monitoring. The interaction between DORA and the EU AI Act adds further complexity. The key takeaway: AI is not merely an IT issue – it is a management responsibility.

FFinTech

8 minute read

AI in the Financial Sector – Key Findings of the new OECD Paper

byJosefine Spengler
3. February 2026

The OECD paper “Supervision of Artificial Intelligence in Finance” analyses supervisory practices related to the use of AI in the financial sector. This article outlines the key findings and assesses them in light of the recent BaFin guidance.

DDORA & IT Security

EZB-Leitfaden zur Auslagerung von Cloud-Diensten: Tipps zur Umsetzung von DORA ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

7 minute read

ECB Guide on Cloud Outsourcing: Implementation Tips for DORA Compliance

byNiklas Olschewski
18. November 2025

In July 2025, the ECB published a non-binding guide on cloud outsourcing, aiming to align financial institutions with DORA’s resilience standards. It addresses supervisory findings and offers actionable best practices.

FFinTech

Von Outsourcing zu Third Party Arrangements: Die neuen EBA-Leitlinien zum Drittparteienmanagement • Teil 1: Überblick über die wichtigsten Neuerungen

5 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 2/2

byJosefine Spengler
23. October 2025

The new EBA Guidelines significantly expand the approach to third-party risk. In this second part, we explore what this means in practice for banks, payment and e-money institutions – from new organisational requirements to integration with DORA. What are the biggest challenges and where do opportunities arise?

LLegal

7 minute read

From Outsourcing to Third Party Arrangements: The New EBA Guidelines on Third-Party Risk Management 1/2

byJosefine Spengler
9. October 2025

On 8 July 2025, the European Banking Authority (EBA) published a new consultation paper on the EBA Guidelines for third-party risk management. The draft goes well beyond the previous Outsourcing Guidelines from 2019. The objective is to establish a harmonised European framework for managing third-party risks, aligned in particular with the Digital Operational Resilience Act (DORA). Part 1 of the analysis highlights the key innovations and main content; a practical assessment will follow in Part 2.

DData Protection

4 minute read

Cyber Resilience Act: The Overlooked Puzzle Piece in Financial IT

byJosefine Spengler
11. September 2025

Digital products like baby monitors and smartwatches have become an integral part of everyday life – but they carry security risks, especially when manufacturers fail to provide updates. The EU’s new Cyber Resilience Act (CRA), in force since 10 December 2024, aims to change that. But what does it mean for the financial sector?

FFinTech

5 minute read

From Onboarding to Offboarding: Lifecycle Management of ICT Third-Party Relationships under DORA

byJosefine Spengler
28. August 2025

The DORA Regulation (EU) 2022/2554 obliges financial institutions to manage their ICT third-party relationships in a structured way across the entire lifecycle – from selection to exit. For FinTechs, this means that ad hoc purchases of IT services are a thing of the past. Instead, documented and auditable processes are required, taking into account risks, supervisory requirements, and exit strategies.

PPodcast

2 minute read

Under Scrutiny: How DORA Is Reshaping Resilience Testing | ALLES LEGAL #105

byJosefine Spengler,PayTechLaw-Team
16. July 2025

In the final episode of our DORA series, we focus on one of the regulation’s key aspects: the mandatory testing of digital resilience.

PPodcast

2 minute read

Business Continuity under DORA | ALLES LEGAL #104

byJosefine Spengler,PayTechLaw-Team
9. July 2025

What happens when your cloud provider fails or a cyberattack takes down your systems? This episode is all about Business Continuity Management (BCM) – and why it’s a critical regulatory requirement for banks and fintechs under DORA. Tune in now!

PPodcast

2 minute read

In an Emergency, Every Minute Counts – What DORA Requires in Case of an IT Incident | ALLES LEGAL #103

byJosefine Spengler
2. July 2025

A severe IT incident – and the clock is ticking. Why DORA leaves no leeway when it comes to reporting IT incidents and how companies can prepare is explained by Josefine Spengler in this episode. Tune in now!

PPodcast

2 minute read

Digital resilience is a matter for top management | ALLES LEGAL #102

byJosefine Spengler
25. June 2025

In the third episode of our podcast series ‘Alles Legal – Fintech-Recht kompakt’, Josefine Spengler, lawyer at Annerton, talks to host Dana Wondra from Payment & Banking about a key innovation in financial supervisory law: What does DORA require in terms of ICT risk management – and why is digital resilience now a top priority?

PPodcast

2 minute read

DORA requirements for IT procurement | ALLES LEGAL #101

byJosefine Spengler
18. June 2025

This podcast episode is about the new EU legal framework DORA (Digital Operational Resilience Act), which affects all regulated financial companies – from fintechs and payment service providers to major banks. DORA is the first binding regulation on how financial companies must strengthen their digital resilience.

BBanking

2 minute read

BaFin publishes guidance on documentation requirements under DORA

byPayTechLaw-Team
18. December 2024

With just under a month to go before the Digital Operational Resilience Act (DORA) comes into force, the…