Germany's Federal Financial Supervisory Authority (BaFin) issued a supervisory notice setting out how in-scope firms can implement the EU Digital Operational Resilience Act (DORA) simplified requirements for the ICT risk management framework and ICT third-party risk management, taking account of the relevant regulatory technical standards. The guidance targets two groups: BaFin-supervised institutions that are not subject to the Capital Requirements Regulation (CRR), which will apply the simplified ICT risk and third-party risk management requirements from January 2027 as these replace the Banking Supervisory Requirements for IT (BAIT), and small occupational pension institutions, small investment firms and insurance holdings, which have applied Article 16 DORA since early 2025. To make the simplifications transparent, BaFin compares BAIT and the Insurance Supervisory Requirements for IT (VAIT) with DORA Article 16 and Articles 28–30, also contrasting the regular and simplified DORA frameworks, and expands its list of minimum contract components with a column showing the Article 16-related simplifications. BaFin also published a separate overview of the documentation requirements under Article 16 DORA. The notice is not relevant for firms previously subject to the payment services or capital management company IT requirements (ZAIT or KAIT), as they are not covered by Article 16.