Contents
- Information risk and information security management
- Integration of information security into ICT risk management
- Information security policies (mandatory content)
- Information classification & handling (explicit new requirement under DORA)
- Identity and access management (IAM) requirements
- Data leakage prevention (DLP), secure data handling & environment separation
- Logging, monitoring & detection controls
- Cryptographic controls and lifecycle management
Information risk and information security management
Integration of information security into ICT risk management
Reference: page 11
The PDF makes clear that:
- Information security is an inherent part of ICT risk management under DORA.
- Financial entities must implement controls that address confidentiality, integrity, availability and authenticity (the classic CIA+A model).
- BAIT/VAIT treat information security as a separate control area; DORA embeds it more tightly into the overall risk process.
A small diagram on page 11 illustrates the integration, showing “Information Security” inside the larger “ICT Risk Management” block.
Information security policies (mandatory content)
Reference: pages 12–13
DORA and the RTS RMF require a set of formalised, approved, and periodically updated information security policies.
The PDF highlights that these must specifically cover:
- Access control policy
- User and system access
- Privileged account governance
- Multi-factor authentication
- Segregation of duties
- Cryptography policy
- Encryption standards
- Key management
- Secure lifecycle handling
- Hardware security modules (where applicable)
- Network security policy
- Segmentation
- Zero-trust principles
- Boundary protection
- Secure remote access
- Logging and monitoring policy
- Minimum events to be logged
- Log retention
- Correlation and SIEM integration
- Access protection of logs
BaFin emphasises that these policies must be proportionate but explicit, approved by the management body, and aligned with the risk analysis.
BAIT/VAIT also require policies, but DORA adds explicit granularity and formal approval duties.
Information classification & handling (explicit new requirement under DORA)
Reference: page 13
DORA requires:
- A formal information classification scheme,
- With minimum levels (usually „public“, „internal“, „confidential“, „strictly confidential“),
- Mapped to protection needs (C–I–A–A),
- Applied consistently across data lifecycle stages.
The PDF states that this classification must be applied to:
- Data at rest
- Data in transit
- Data in processing
- Backups
- Archives
- Test data
→ BAIT/VAIT have similar expectations in VAIT 2023, but DORA elevates classification to an auditable requirement under Articles 6–15.
Identity and access management (IAM) requirements
Reference: page 14
The PDF devotes an entire subsection to IAM.
Core mandatory elements
- Unique user IDs
- Strict privileged access governance
- Multi-factor authentication for all critical functions
- Certification of access rights in regular cycles
- Segregation of duties
- Immediate revocation of access rights after personnel changes
Specific BaFin clarification
BaFin stresses that automated provisioning/de-provisioning is not explicitly required by DORA, but it is the “expected state-of-the-art proportionate control” for medium and large institutions.
Visual element (page 14)
The page contains a table-like text block explaining the difference between:
- Business users
- Privileged technical users
- Third-party access
Each category must follow a separate access governance path.
Data leakage prevention (DLP), secure data handling & environment separation
Reference: page 15
BaFin emphasises:
DLP controls
- Monitoring of outbound data flows
- Protection for email, web, removable media
- Alerts for sensitive data exfiltration
- Proportionate to risk and data volume
Data handling requirements
Explicit duties for:
- Secure data transfer channels
- Protection of sensitive and personal data
- Anonymisation/pseudonymisation when possible
- Safe deletion and disposal of data and media
Environment separation
The PDF states clearly:
Production, test and development environments must be sufficiently segregated.
Use of productive data in test systems requires strong safeguards and justification.
This reflects DORA Art. 9(2)(d) and is aligned with ISO 27001.
Logging, monitoring & detection controls
Reference: page 16
DORA prescribes:
Minimum logging requirements
- System events
- Access logs
- Security events
- Administrative activities
- Network events
- Third-party access events
Monitoring and detection
- Continuous monitoring
- Security event correlation (SIEM expected for medium/large institutions)
- Alerts must be routed to ICT security function
- Integration with incident reporting obligations (Art. 17–20 DORA)
The PDF stresses that log integrity is non-negotiable — protected from alteration, deletion, or unauthorised access.
This is stricter and more explicit than BAIT/VAIT, especially with respect to event correlation and routing.
Cryptographic controls and lifecycle management
Reference: page 16
The guidance includes:
- Controlled cryptographic key lifecycle
- Secure storage of keys
- Strong key rotation procedures
- Cryptography aligned with international standards (e.g., NIST, ENISA)
- Minimisation of unsupported or legacy algorithms
The PDF explicitly mentions that cryptography should be “risk-adequate but strong by default”.
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management