IT operations
Stronger operational stability
Reference: page 14
DORA’s Article 7 significantly raises expectations for updated, reliable, and technologically resilient ICT systems, surpassing BAIT/VAIT.
Key differences vs. BAIT/VAIT
- BAIT/VAIT (chapter 8.3) require “regular updating” of IT systems.
- DORA requires updated ICT systems and explicitly lists the criteria below.
Mandatory criteria under Art. 7 DORA
- Up-to-date ICT systems
- Reliability of systems (Art. 7(b))
- Technological resilience (Art. 7(d))
- Capability to function under stressed market conditions — a completely new requirement not found in BAIT/VAIT.
This explicitly strengthens operational resilience as a supervisory priority.
Capacity management (Art. 7(c) DORA + Art. 9 RTS RMF)
DORA expands capacity management into a far more formal process:
- More documentation required
- Resource optimisation measures must be defined
- Resource shortages must be monitored and prevented
- Redundant ICT capacities must exist (Art. 12(4) DORA)
This is broader than BAIT/VAIT chapter 8.8.
Legacy systems – obligatory annual risk analysis
Under Art. 8(7) DORA:
- Legacy systems must be explicitly checked each year
- AND assessed after any change in ICT risk
- Must be evaluated for specific ICT risks before and after integration with new technology
In BAIT/VAIT, legacy systems had to be managed, but no mandatory annual risk assessment was required.
Classification of ICT systems and information
Reference: page 14
This requirement links IT operations directly to the ICT risk management framework.
Mandatory identification & classification (Art. 8(1) DORA + Art. 4 RTS RMF)
Financial entities must:
- Identify and classify ICT systems
- Identify and classify information used in business functions
- Document all reciprocal impacts between ICT assets and business functions
- Maintain comprehensive inventories representing both systems and information
This merges two BAIT/VAIT processes:
- Information domain definition (BAIT/VAIT chapters 3.3/3.4)
- IT component listing (BAIT/VAIT chapter 8)
DORA requires a holistic view, which BAIT/VAIT never mandated.
The PDF (page 14) explicitly states this provides a completely new level of transparency compared to prior regulations.
Expansion to include all changes to ICT systems
Reference: page 14–15
This is one of the biggest operational impacts of DORA.
Key shift
Under BAIT/VAIT:
- Only significant changes required formal change management processes.
Under DORA (Art. 9(4)(e), (f) + Art. 17 RTS RMF):
- ALL changes to ICT systems are in scope.
- No materiality threshold.
Implications
Every ICT change must be:
- Recorded
- Tested
- Assessed
- Approved
- Implemented
- Verified
- Documented in a controlled way
This includes:
- Minor configuration changes
- Patch-level updates
- Parameter adjustments
- Script changes
- Infrastructure-as-Code modifications
- Data migrations
- Network and firewall rule changes
Additional RTS requirements
Art. 17 RTS RMF includes new minimum requirements:
- Impact analysis
- Back-out/fallback planning
- Testing procedures
- Separation of roles
- Change approval procedures
This is significantly more prescriptive than BAIT/VAIT.
Segregated data retention & reconciliation of backups
Reference: page 15
Art. 12 DORA extends familiar BAIT/VAIT concepts (chapter 8.7) in multiple ways:
a) Backup policy obligations
Not just procedures — DORA requires a policy for:
- Backup
- Restoration
- Recovery
- Testing
BAIT/VAIT only required procedures, not a formalised policy.
b) Physical and logical segregation of backup systems
Art. 12(3) DORA requires:
- ICT systems for backups must be physically AND logically segregated from source systems.
Under BAIT/VAIT, this was optional (“possible requirement”).
Under DORA, it is mandatory.
c) Expanded restoration requirements
Backups must ensure:
- Minimal downtime
- Minimal disruption
- No endangerment of system security
- Preservation of data confidentiality, integrity, authenticity, and availability
This full CIA+A requirement goes far beyond BAIT/VAIT.
d) Mandatory multiple checks and reconciliations
Art. 12(7) DORA introduces:
- Multiple post-recovery checks
- Reconciliation procedures to ensure highest possible data integrity
BAIT/VAIT did not require reconciliations.
e) Mandatory testing of restoration procedures
Both BAIT and VAIT required testing, but DORA adds:
- Testing against failure scenarios
- Testing against cyber-compromised backups
- Integration with incident response and recovery plans
f) Error reporting
BAIT/VAIT spoke of “disruptions”; DORA (Art. 8(2)(c) RTS RMF) requires:
- Classification of “errors”
- Mandatory evaluation procedures
- Integration into ICT risk processes
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management