Germany's Federal Financial Supervisory Authority (BaFin) published a supervisory notice setting out implementation guidance on the Digital Operational Resilience Act (DORA) simplified information and communication technology (ICT) risk management framework under Article 16 and the ICT third‑party risk management requirements in Articles 28 to 30, taking account of relevant regulatory technical standards. The guidance is addressed to two groups: BaFin‑supervised institutions that are not subject to the Capital Requirements Regulation (CRR), which will apply the simplified ICT risk management framework and ICT third‑party risk management rules from January 2027 in place of the Banking Supervisory Requirements for IT (BAIT); and small occupational pension institutions (EbAV), small investment firms and insurance holdings, which have applied Article 16 since early 2025. BaFin compares BAIT and the Insurance Supervisory Requirements for IT (VAIT) with DORA Articles 16 and 28 to 30, highlights material simplifications under the simplified ICT risk management framework (with more limited simplifications for third‑party risk management), expands its list of minimum contractual clauses to show Article 16 simplifications, and provides an overview of Article 16 documentation requirements. BaFin notes that the notice is limited to BAIT and VAIT and is not relevant for firms previously subject to the Payment Services Supervisory Requirements for IT (ZAIT) or the Capital Management Supervisory Requirements for IT (KAIT), which are not covered by Article 16 DORA.