On 8 July 2024, the German Federal Financial Supervisory Authority (BaFin) issued implementation guidance for the Digital Operational Resilience Act (DORA). Companies in the banking and insurance sectors under BaFin's supervision will be required to adhere to DORA, effective from the implementation date of 17 January 2025. These firms must adopt a standard risk management framework and effectively manage their information and communication technology (ICT) risks in line with DORA requirements. The guidance, though non-binding, aims to assist companies in implementing DORA's provisions regarding regular ICT risk management and managing ICT-related risks from third-party providers. It also incorporates technical and regulatory standards. Additionally, the implementation instructions provide an outline of the essential contractual terms that supervised entities must include in agreements with ICT third-party service providers.