All regulated financial institutions in Europe and their third-party ICT service providers face the same challenge regarding DORA: meeting a comprehensive set of requirements and thereby demonstrably strengthening their digital operational resilience. For smaller institutes, this means they must implement these requirements using lean structures in which every measure must have a targeted impact.
The Pensionskasse der Frankfurter Sparkasse VVaG (engl. pension institution) faced this challenge. As an occupational pension institution with a small IT infrastructure, it needed to implement key DORA requirements in a way that would be regulatorily compliant and, at the same time, function effectively within the organization.
It quickly became clear that implementing individual measures in isolation would not be sufficient. What is crucial is a structured approach that bundles requirements, prioritizes them, and consistently aligns them with the organization’s specific context. Together with usd AG, the Pensionskasse therefore developed an approach that addresses precisely this: creating clear structures, defining responsibilities more precisely, and translating regulatory requirements in a way that ensures they function effectively in day-to-day operations and have a lasting impact.
Challenge: Translating Complex Requirements Into Practical Solutions
The Pensionskasse operates with a lean organizational and IT structure. As a regulated financial entity and occupational pension institution, however, it is fully subject to DORA and must implement and demonstrate compliance with its requirements despite having significantly fewer resources than many larger organizations.
The primary objective was therefore to develop an approach that aligned with the organization's size, structure, and operating model. At the same time, the Pensionskasse deliberately sought more than simply achieving compliance with individual requirements. Its goal was to integrate DORA's obligations into a coherent and consistent framework that would support the organization as a whole.
The project focused on key DORA domains, including governance, roles and responsibilities, ICT risk management, ICT incident management, ICT testing, and the oversight of ICT third-party service providers. Because the Pensionskasse relies on specialized external expertise, it also needed a structured way to identify, assess, and effectively integrate these providers into its own risk management framework.
Solution: Establishing Structures and Actively Managing Implementation
Together with usd AG, the Pensionskasse developed measures that would stand up to audits and, at the same time, could be realistically integrated into daily organizational operations. The principle of proportionality formed an important foundation for the entire project. In financial market regulation, this principle ensures that requirements, controls, and reporting obligations are tailored to the size, complexity, and risk profile of the respective financial institution.
At the heart of the approach was a clear governance and management framework. The project team worked jointly to establish the necessary structures, processes, and responsibilities to systematically integrate DORA requirements into existing workflows. Rather than implementing new, isolated measures, they made targeted adjustments to existing processes, integrated them step by step into the organization, and defined clear lines of responsibility. This resulted in a robust framework that provides guidance and facilitates implementation in daily business operations.
The management of external ICT service providers was also consistently refined: the project team systematically identified the partners of the Pensionskasse, assessed their roles within the target vision, and, in close collaboration with them, established clear mechanisms for management and oversight.
The project showed that DORA compliance can go beyond meeting regulatory requirements and deliver tangible value to the organization. Close collaboration with the executive board and external service providers was a key success factor, helping establish a shared understanding of risks, priorities, and regulatory expectations from the outset.
Kolja Renkel, Security Consultant, usd AG

Results: Developing a Structure and Embedding It in Day-to-Day Operations
The result is not an additional regulatory framework on top of day-to-day operations, but rather a clear structure that provides guidance and improves management. For the Pensionskasse, the project delivered tangible benefits in daily operations: responsibilities were defined more clearly, processes were better integrated, and coordination was managed in a more targeted approach. This allows decisions to be made with more precision, regulatory requirements to be integrated more efficiently, and overall management to be more consistent across the board. This is a key lever, especially in an organization with limited resources. Clear lines of responsibility and transparent processes reduce friction and create certainty in operational implementation.
The institute also gained significant transparency in its dealings with external ICT service providers. Today, its partners can be categorized in a well-organized approach, managed more effectively, and seamlessly integrated into the company’s processes. At the same time, the project demonstrated that many measures reinforce one another. Improvements in digital operational resilience have a positive impact on governance structures and organizational processes. In this way, a robust overall picture emerged step by step, in which regulatory requirements do not exist in isolation from one another but rather build upon and support one another.
Outlook: Strengthening Established Structures and Driving Continuous Improvement with Support from usd
In the coming years, the Pensionskasse intends to consistently further consolidate the structures it has established as part of its continuous improvement process and embed them even more firmly into everyday operations. Existing measures will be gradually refined, adapted to new requirements, and expanded to include additional areas. The focus is on the continuous development of a framework that evolves in tandem with regulatory and organizational changes. New requirements are to be systematically integrated into existing processes so that the organization can sustainably strengthen its digital operational resilience.
usd AG continues to support the Pensionskasse in its role as an ICT risk control function. It assists the fund in assessing new developments at an early stage, consistently integrating regulatory requirements into existing structures, and strategically advancing the organization. This will result in a long-term framework that is not only robust from a regulatory perspective but also effective in day-to-day operations.
The collaboration was always professional and goal-oriented. The project helped us implement the DORA requirements in a structured manner. The reliable and solution-oriented accompaniment contributed significantly to the project’s success.
Monika Förster, Executive Board, Pensionskasse der Frankfurter Sparkasse VVaG
About Pensionskasse der Frankfurter Sparkasse VVaG
The Pensionskasse der Frankfurter Sparkasse VVaG is a smaller mutual insurance association within the meaning of Section 210 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG) and a regulated pension institute pursuant to Section 233 VAG.
Its sponsoring institutions are Frankfurter Sparkasse, a public law institution (Anstalt des öffentlichen Rechts), Landesbank Hessen Thüringen Girozentrale (Helaba), and Helaba Invest Kapitalanlagegesellschaft mbH. The Pensionskasse serves 1,377 members and 1,260 pension beneficiaries and reports total assets of EUR 273 million (all figures as of 31 December 2025).



