Governance and organisation
DORA (Regulation (EU) 2022/2554) introduces a new governance paradigm for ICT risk management that differs materially from the BAIT/VAIT architecture. The BaFin guidance highlights three core areas of change:
DORA requires a new strategy for digital operational readiness (DOR Strategy)
Reference: page 8
Key points
- DORA replaces the IT strategy known from BAIT/VAIT with a Digital Operational Resilience Strategy (DOR Strategy).
- The DOR Strategy is narrower in some areas (no full IT strategy), but also stricter where it relates to ICT risks.
- New scope:
  - ICT risk management as a strategic pillar
  - ICT third-party risk strategy
  - Optional multi-vendor strategy (Art. 6(9) DORA)
Differences vs. BAIT/VAIT
- BAIT/VAIT require a broad functional IT strategy (architecture, resourcing, outsourcing planning, etc.).
- DORA’s DOR Strategy has no explicit requirement for:
  - IT business continuity planning (though BCM is covered elsewhere in DORA)
  - IT security implementation according to defined standards
  - Communication obligations for the IT strategy
Operational implication
Financial entities will have to maintain two strategy layers:
- DOR Strategy (mandatory under DORA – ICT resilience-centric)
- IT Strategy (still required by general governance or business needs)
ICT-specific internal governance and control framework
Reference: page 9
DORA introduces a fully-fledged ICT governance framework focusing on the “effective and prudent management of ICT risk”.
Key elements
- ICT risk management is now part of overall risk management (Art. 6(1) DORA).
- Management body retains ultimate responsibility (similar to BAIT/VAIT).
- Three Lines of Defence explicitly required (Art. 6(4) DORA).
- Mandatory ICT risk control function (new):
  - Manages and oversees ICT risks
  - Must be segregated from operational ICT functions and independent
  - Goes beyond the traditional Information Security Officer (ISO) role
- Monitoring function for ICT third-party contracts (Art. 5(3) DORA)
  - New role comparable to a central outsourcing manager
  - Not present in BAIT/VAIT in this explicit form
ICT security policies
DORA (RTS RMF Art. 2(2)) prescribes a set of mandatory ICT security policies, which BAIT/VAIT do not explicitly require as formally approved policies.
Protocol for technological change
- DORA expects ICT governance to consider evolving technology and threat levels explicitly (Recital 48, RTS RMF Art. 2(2)).
Significant expansion of the management body’s tasks
Reference: pages 9–10
This is one of the most significant shifts introduced by DORA. Compared to BAIT/VAIT, DORA requires management boards to:
a) Possess ICT risk competence
- Members must have sufficient knowledge & skills regarding ICT risks (Art. 5(4) DORA).
- They must maintain and update this expertise through regular training.
b) Approve and oversee all ICT-relevant policies
Including:
- Information security policy
- ICT business continuity policy
- ICT third-party risk management policy
- ICT security policies under RTS RMF
BAIT/VAIT do not require board-level approval for detailed ICT security policies.
c) Define clear responsibilities for all ICT functions
(Art. 5(2)(c) DORA)
d) Ensure appropriate resourcing
- Sufficient staffing, skills and budget for ICT risk management (Art. 5(2)(g) DORA).
e) Approve internal ICT audit plans
This includes approving any significant changes to those plans.
f) Oversee implementation of ICT response & recovery capabilities
BCM obligations become board-level responsibilities.
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management