"Dora" imposes new cyber-defence obligations on financial companies

With the Digital Operational Resilience Act, abbreviated Dora, the EU establishes new obligations for managing risks in cybersecurity and information and communication technologies (ICT) in the financial sector. This impacts not only almost all financial companies but also ICT service providers.

Dora, which came into force in January 2023 (available at eur-lex.europa.eu), was implemented nationally by the Financial Market Digitalisation Act (FinmadiG), promulgated in the Federal Law Gazette on December 27, 2024. Dora applies from January 17, 2025. Comprehensive and current information on Dora is provided by the German Federal Financial Supervisory Authority (BaFin) at www.bafin.de.

Insurance intermediaries and advisors

Insurance intermediaries and advisors must also comply with the new regulations, but only if they employ 250 or more people and have an annual turnover of more than EUR 50 million or an annual balance sheet total of more than EUR 43 million. When applying these thresholds, only turnover from activities subject to the Dora Regulation (EU) 2022/2554 is taken into account.

Regular risk controls

A central element of Dora is the regular evaluation of resilience against cyber risks. Critical ICT systems must be examined at least annually for entry points for cyber attacks, using vulnerability assessments and scans, penetration tests, network security assessments, open-source analyses, physical security checks, software product scans, source code reviews where possible, compatibility and performance tests, and end-to-end tests.

The tests should be carried out by external service providers who are specifically accredited and certified in the field of penetration testing, possess the necessary technical and organisational capabilities, and can demonstrate specific expertise in threat analysis, penetration testing, and red team testing. Internal testers may be used only in exceptional cases if specific conditions are met, and their use must also be approved by the supervisory authorities. Conflicts of interest must be excluded in both the design and the execution of the tests. The threat intelligence required for a test must also come from an independent third party.

Extensive reporting obligations

Dora also standardises reporting obligations for serious ICT incidents and extends them to the entire financial sector. Financial companies are therefore required to establish a management process for monitoring and logging ICT-related security incidents. Serious incidents must be reported to the financial supervisory authorities. In addition, financial institutions may voluntarily inform the supervisory authority if they detect significant cyber threats.

External service providers also affected

Fundamentally, Dora applies to all banks and credit institutions, insurance and reinsurance companies, investment firms, central securities depositories, crypto-asset service providers, payment service providers, and electronic payment providers, credit rating agencies, asset management companies, crowdfunding service providers, developers of banking apps, ATM manufacturers, as well as other companies such as transaction and securitisation repositories, trading venues, and data reporting services – defined collectively as "financial companies."

Exceptions include certain company groups such as alternative investment fund managers and occupational pension institutions, insurance intermediaries as a secondary activity, as well as small insurance intermediaries and reinsurers and small companies with cumulatively fewer than ten employees or under EUR 10 million in balance sheet total.

Moreover, Dora does not apply to hardware manufacturers or to general or electronic communication services, but it does apply to external ICT providers offering digital and data services, including providers of cloud computing services, software, data analysis services, and data centres. Under the new regulation, financial institutions are required to maintain a register of their ICT contracts with third parties and to provide it to the supervisory authorities upon request. They must also carefully review ICT service providers before concluding a contract with them.

According to Dora, third-party providers must also comply with certain IT security standards – and the contracts must include termination options for specific scenarios. If critical or important functions are outsourced by financial institutions, additional obligations apply. The supervisory authorities are empowered to define further requirements, including technical standards for such contracts.

Contact persons

Dr. Mona Moraht

Director Commercial Law | Attorney at Law (In-House Lawyer)

Thilo Kunze

Director Info Center, Editor-in-Chief POSITION