Beitragsbild zur Success Story der Pensionskasse der Frankfurter Sparkasse: Eine Person überquert eine Hängebrücke durch eine Waldlandschaft als Symbol für sichere Wege und erfolgreiche Zusammenarbeit mit der usd AG beim Thema DORA

DORA Implementation at the Pensionskasse der Frankfurter Sparkasse: When Regulatory Requirements Meet Small Institutes

15. July 2026

All regulated financial institutions in Europe and their third-party ICT service providers face the same challenge regarding DORA: meeting a comprehensive set of requirements and thereby demonstrably strengthening their digital operational resilience. For smaller institutes, this means they must implement these requirements using lean structures in which every measure must have a targeted impact.

The Pensionskasse der Frankfurter Sparkasse VVaG (engl. pension institution) faced this challenge. As an occupational pension institution with a small IT infrastructure, it needed to implement key DORA requirements in a way that would be regulatorily compliant and, at the same time, function effectively within the organization.

It quickly became clear that implementing individual measures in isolation would not be sufficient. What is crucial is a structured approach that bundles requirements, prioritizes them, and consistently aligns them with the organization’s specific context. Together with usd AG, the Pensionskasse therefore developed an approach that addresses precisely this: creating clear structures, defining responsibilities more precisely, and translating regulatory requirements in a way that ensures they function effectively in day-to-day operations and have a lasting impact.

Challenge: Translating Complex Requirements Into Practical Solutions

The Pensionskasse operates with a lean organizational and IT structure. As a regulated financial entity and occupational pension institution, however, it is fully subject to DORA and must implement and demonstrate compliance with its requirements despite having significantly fewer resources than many larger organizations.

The primary objective was therefore to develop an approach that aligned with the organization's size, structure, and operating model. At the same time, the Pensionskasse deliberately sought more than simply achieving compliance with individual requirements. Its goal was to integrate DORA's obligations into a coherent and consistent framework that would support the organization as a whole.

The project focused on key DORA domains, including governance, roles and responsibilities, ICT risk management, ICT incident management, ICT testing, and the oversight of ICT third-party service providers. Because the Pensionskasse relies on specialized external expertise, it also needed a structured way to identify, assess, and effectively integrate these providers into its own risk management framework.

Solution: Establishing Structures and Actively Managing Implementation

Together with usd AG, the Pensionskasse developed measures that would stand up to audits and, at the same time, could be realistically integrated into daily organizational operations. The principle of proportionality formed an important foundation for the entire project. In financial market regulation, this principle ensures that requirements, controls, and reporting obligations are tailored to the size, complexity, and risk profile of the respective financial institution.

At the heart of the approach was a clear governance and management framework. The project team worked jointly to establish the necessary structures, processes, and responsibilities to systematically integrate DORA requirements into existing workflows. Rather than implementing new, isolated measures, they made targeted adjustments to existing processes, integrated them step by step into the organization, and defined clear lines of responsibility. This resulted in a robust framework that provides guidance and facilitates implementation in daily business operations.

The management of external ICT service providers was also consistently refined: the project team systematically identified the partners of the Pensionskasse, assessed their roles within the target vision, and, in close collaboration with them, established clear mechanisms for management and oversight.

The project showed that DORA compliance can go beyond meeting regulatory requirements and deliver tangible value to the organization. Close collaboration with the executive board and external service providers was a key success factor, helping establish a shared understanding of risks, priorities, and regulatory expectations from the outset.

Kolja Renkel, Security Consultant, usd AG

Results: Developing a Structure and Embedding It in Day-to-Day Operations

The result is not an additional regulatory framework on top of day-to-day operations, but rather a clear structure that provides guidance and improves management. For the Pensionskasse, the project delivered tangible benefits in daily operations: responsibilities were defined more clearly, processes were better integrated, and coordination was managed in a more targeted approach. This allows decisions to be made with more precision, regulatory requirements to be integrated more efficiently, and overall management to be more consistent across the board. This is a key lever, especially in an organization with limited resources. Clear lines of responsibility and transparent processes reduce friction and create certainty in operational implementation.

The institute also gained significant transparency in its dealings with external ICT service providers. Today, its partners can be categorized in a well-organized approach, managed more effectively, and seamlessly integrated into the company’s processes. At the same time, the project demonstrated that many measures reinforce one another. Improvements in digital operational resilience have a positive impact on governance structures and organizational processes. In this way, a robust overall picture emerged step by step, in which regulatory requirements do not exist in isolation from one another but rather build upon and support one another.

Outlook: Strengthening Established Structures and Driving Continuous Improvement with Support from usd

In the coming years, the Pensionskasse intends to consistently further consolidate the structures it has established as part of its continuous improvement process and embed them even more firmly into everyday operations. Existing measures will be gradually refined, adapted to new requirements, and expanded to include additional areas. The focus is on the continuous development of a framework that evolves in tandem with regulatory and organizational changes. New requirements are to be systematically integrated into existing processes so that the organization can sustainably strengthen its digital operational resilience.

usd AG continues to support the Pensionskasse in its role as an ICT risk control function. It assists the fund in assessing new developments at an early stage, consistently integrating regulatory requirements into existing structures, and strategically advancing the organization. This will result in a long-term framework that is not only robust from a regulatory perspective but also effective in day-to-day operations.

The collaboration was always professional and goal-oriented. The project helped us implement the DORA requirements in a structured manner. The reliable and solution-oriented accompaniment contributed significantly to the project’s success.

Monika Förster, Executive Board, Pensionskasse der Frankfurter Sparkasse VVaG

About Pensionskasse der Frankfurter Sparkasse VVaG

The Pensionskasse der Frankfurter Sparkasse VVaG is a smaller mutual insurance association within the meaning of Section 210 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz, VAG) and a regulated pension institute pursuant to Section 233 VAG.

Its sponsoring institutions are Frankfurter Sparkasse, a public law institution (Anstalt des öffentlichen Rechts), Landesbank Hessen Thüringen Girozentrale (Helaba), and Helaba Invest Kapitalanlagegesellschaft mbH. The Pensionskasse serves 1,377 members and 1,260 pension beneficiaries and reports total assets of EUR 273 million (all figures as of 31 December 2025).

Also interesting:

more security at TU Darmstadt: Another Award for Maximilian Müller

more security at TU Darmstadt: Another Award for Maximilian Müller

The Computer Science Student Council of TU Darmstadt has awarded Prof. Dr. Michael Waidner and our colleague Maximilian Müller as the best lecture of the winter semester 2025/26 for their course "Information Security Management". The prizes for the best lecture and...

A5: BSI Publishes New Audit Framework for Trustworthy AI

A5: BSI Publishes New Audit Framework for Trustworthy AI

The German Federal Office for Information Security (BSI) has published the Community Draft of the AI Audit and Assurance Assessment Architecture (A5) (currently available in German only), thus starting the consultation phase. A5 is intended to create a standardized...

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Categories

Categories