BaFin's xAIT

Harmonization with DORA - We Accompany You

Harmonization with BAIT

Since 17 January 2025, almost all supervised institutions and companies in the European financial sector have been subject to the Digital Operational Resilience Act (DORA). This aims to improve and harmonize the IT security and operational resilience of banks and financial institutions across Europe.

In Germany, institutions were previously regulated by BaFin's IT requirements. Many of the processes and measures required there can now be found in the DORA Regulation. In order to avoid double regulation, BaFin repealed the supervisory requirements for IT in e-money institutions (ZAIT), insurance undertakings (VAIT), and German asset managers (KAIT) in January 2025. The affected institutions will in future be regulated solely by DORA. The scope of application of the supervisory requirements for IT in financial institutions (BAIT) was initially only adjusted; however, this circular will also be repealed in its entirety on 31 December 2026.

Harmonization with DORA: How Do We Proceed?

Harmonization with DORA requires a detailed implementation project at your institution. Before you start, we recommend that you consider which other security standards have already been implemented in your company and which national regulations place requirements on it. In most cases, the systems and processes already implemented for compliance with ISO 27001 or BaFin's IT requirements (BAIT, KAIT, VAIT, ZAIT) can serve as a good basis. A gap analysis is a good first step to create clarity.

PCI Certification Process Kick-off

Gap Analysis

As the requirements have a significant impact on institutions, a mere document review is not sufficient to determine the implementation status of the DORA requirements. We therefore recommend a combination of:

  • Document review
  • Interviewing key personnel
  • Examination of the implementation

The result of the gap analysis is a clear picture of the expected effort. It also provides implementation options that the highest management level can use to set the direction for implementation (action plan).

After completing the gap analysis, we work with you on harmonization projects tailored to your institution. In these projects, we specifically address the focal points identified in the gap analysis and work closely with you to implement the requirements.

Further information on harmonization with DORA and the procedure can be found here.

Harmonization with BAIT: How Do We Proceed?

With the introduction of DORA on 17 January 2025, the scope of application of BAIT was adjusted. Institutions that are required to operate ICT risk management in accordance with Art. 5-15 or Art. 16 DORA are excluded from the BAIT scope of application. The circular continues to apply to all other regulated institutions until it is repealed in its entirety on 31 December 2026.

We are pleased to provide you with further support in harmonizing with BAIT:

VAIT Harmonization Implementation Project

Harmonization Measures

We implement harmonization with BAIT in a comprehensive implementation project tailored to your institution. We support you at all levels, from defining the strategy and formulating guidelines to the operational implementation of the requirements in your organization.
