New BaFin supervisory notice on DORA: What companies should know and do now


26. August 2025
8 min reading time

BaFin has published a new supervisory notice that gives concrete implementation guidance for the simplified ICT risk management framework (Art. 16 DORA) and for ICT third-party risk management (Articles 28-30 DORA). The guidance is aimed in particular at small IORPs, small securities institutions, insurance holding companies and institutions outside CRR supervision. Depending on the target group, different application dates apply. The notice shows where DORA simplifies (e.g. no IT strategy requirement, "need-to-use" in IAM, less change-management detail), where requirements stay the same (backups, tests, due diligence) and where DORA goes further than BAIT/VAIT (e.g. contract requirements, subcontracting, exit).

Context & target group

With the new supervisory notice, BaFin wants to give companies practical support in implementing DORA, in particular the simplified framework under Article 16 DORA (for certain smaller institutions) and ICT third-party risk management under Articles 28-30 DORA. The guidance also takes the relevant regulatory technical standards (RTS) into account, among them the RTS RMF (Delegated Regulation (EU) 2024/1774) and the RTS SUB on subcontracting (Delegated Regulation (EU) 2025/532).

Addressees & schedule (selection):

  • Non-CRR institutions (under BaFin supervision): the simplified framework applies from January 1, 2027; BAIT continues to apply on a transitional basis until December 31, 2026.
  • Small IORPs, small securities institutions, insurance holding companies: have already been applying Article 16 DORA since the beginning of 2025.

Important: the new notice compares BAIT/VAIT with DORA Articles 16 & 28-30; ZAIT/KAIT are not covered.

The 7 most important changes at a glance

  1. No separate DORA strategy requirement. Under the simplified framework of Art. 16 DORA there is no obligation to have a standalone digital operational resilience strategy. DORA generally does not demand a separate IT strategy either. Instead, an ICT-specific governance and control framework has to be built.
  2. Greater focus on ICT risk rather than information security alone. The emphasis shifts: assessment, analysis and control of ICT risks move even more clearly to the centre.
  3. Asset classification becomes mandatory. DORA requires a classification of ICT and information assets and of their interdependencies, a more integrated view than BAIT/VAIT demanded.
  4. Less detail in change management. There are no more rigid, detailed specifications; changes are to be captured, tested, approved, implemented and reviewed in a controlled manner, with less mandated minimum detail than in BAIT/VAIT.
  5. "Abolition of the data backup concept", but backups remain mandatory. A formal data backup concept is no longer required in the simplified framework. Backups, restores and regular restore testing nevertheless remain mandatory. In practice: less documentary ballast, the same technical care.
  6. BCM/ICT business continuity: leaner but scenario-based. Testing and documentation of the results (including escalation and communication plans) are required; the number of scenarios is lower in the simplified framework. A crisis management function is not part of the simplified framework.
  7. IAM: "need-to-use" complements "need-to-know" and "least privilege". New is the need-to-use principle: access must not only be kept minimal, it must actually be required for use. At the same time, authorization concepts and their formal examination in the previous depth are dropped, so effort decreases.

ICT third-party risk: Facilitations but clear guardrails

BaFin grants general relief, but at the same time applies more precise requirements at critical points:

  • Contract contents: the mandatory clauses are expanded (BaFin has supplemented its list of minimum contract components with a column for the Art. 16 simplifications).
  • Subcontracting (sub-outsourcing): the new RTS SUB specifies what has to be determined and evaluated.
  • Risk assessment & due diligence: still extensive, including exit planning and reporting requirements (information register). The relief here is smaller than in ICT risk management itself.

Documentation: BaFin overviews help with tailoring

Accompanying the notice, BaFin has published overviews of the documentation requirements under Art. 16 DORA, including a compact one-pager and a notice document with Q&A character. This makes risk-based, proportionate documentation easier, specifically for the simplified framework.

What remains challenging (despite simplification)?

  1. Minimum technical standards: backups, restores and regular tests remain mandatory.
  2. Third-party control: due diligence, contract management, subcontractor management and exit remain substantial in total.
  3. Governance responsibility: the management body stays in the driver's seat, with clear tasks and reporting requirements.

Practice checklist (30/60/90 days)

0-30 days (Scoping & Gap Scan)

  • Clarify scope (Art. 16 now vs. from 2027) and plan the BAIT to DORA transition.
  • Inventory the third-party portfolio, including subcontracts and critical functions.
  • Anchor the BaFin documentation one-pager as a reference in the ISMS.

30-60 days (Design & Controls)

  • Set up the ICT/information asset classification; trim the change process to DORA logic (controlled instead of detail-driven).
  • Establish BCM scenarios and communication/escalation plans; define a test plan with reduced but effective scenario breadth.

60-90 days (third party & IAM)

  • Check contract clauses against the BaFin list; tighten subcontracting rules and notifications in line with the RTS SUB; add exit playbooks.
  • Extend the IAM policy with "need-to-use"; roll out the role and rights review pragmatically (without the old baggage of authorization concepts).
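The need-to-use principle from the list of changes above, and the pragmatic role and rights review in the 60-90 day step, both come down to the same question: which granted entitlements have actually been exercised recently? The following is an added illustration, not code from the BaFin notice or from the page's author. It assumes two inputs a practitioner can typically export: a list of entitlement grants from the IAM system and a list of usage events from application or audit logs; the sample rows, the entitlement names and the 90-day lookback and 30-day grace period are constructed values for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data for the example (assumption: grants come from an IAM
# export, usage events from application/audit logs). Not reference data.
ENTITLEMENTS = [
    # (user, entitlement, granted_on)
    ("alice", "sap_fi_post", "2025-01-10"),
    ("alice", "prod_db_admin", "2025-02-01"),
    ("bob", "prod_db_admin", "2025-03-15"),
    ("carol", "sap_fi_post", "2025-08-20"),  # freshly granted, still in grace period
]

USAGE_EVENTS = [
    # (user, entitlement, used_on), constructed audit-log extract
    ("alice", "sap_fi_post", "2025-08-18"),
    ("bob", "prod_db_admin", "2025-04-02"),
    ("bob", "prod_db_admin", "2025-05-20"),  # last use outside the 90-day window
]


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str
    last_used: Optional[datetime]


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def need_to_use_review(entitlements, usage_events, as_of, lookback_days=90, grace_days=30):
    """Return the grants that were not exercised within the lookback window.

    A grant passes the need-to-use check only if a usage event for the same
    (user, entitlement) pair falls inside the window. Grants younger than
    grace_days with no usage yet are skipped so that a brand-new account is
    not flagged before its owner could reasonably have used it.
    """
    as_of = _day(as_of) if isinstance(as_of, str) else as_of
    window_start = as_of - timedelta(days=lookback_days)

    # Most recent use per (user, entitlement); older events are irrelevant.
    last_use = {}
    for user, ent, used_on in usage_events:
        t = _day(used_on)
        key = (user, ent)
        if key not in last_use or t > last_use[key]:
            last_use[key] = t

    findings = []
    for user, ent, granted_on in entitlements:
        granted = _day(granted_on)
        used = last_use.get((user, ent))
        if used is not None and used >= window_start:
            continue  # exercised within the window: need-to-use satisfied
        if used is None and as_of - granted < timedelta(days=grace_days):
            continue  # new grant, not yet a removal candidate
        if used is None:
            reason = "never used"
        else:
            reason = f"last used {used.date()} (older than {lookback_days} days)"
        findings.append(Finding(user, ent, reason, used))
    return findings


if __name__ == "__main__":
    for f in need_to_use_review(ENTITLEMENTS, USAGE_EVENTS, "2025-08-26"):
        print(f"{f.user:6} {f.entitlement:14} {f.reason}")
```

The output is a removal candidate list, not an automatic revocation: each finding should go to the entitlement owner for confirmation, and the confirmed removals plus the decision record are what the role and rights review documents. Emergency or break-glass roles that are legitimately used rarely need their own exception list, otherwise this check would strip them exactly when they are still needed.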

Implications for BAIT/VAIT houses

BaFin makes it clear: DORA simplifies in several places, but it is no "light ISMS"¹. Third-party risks in particular, as well as backup and recovery capabilities, remain critical core areas. For non-CRR institutions this means: maintain BAIT until the end of 2026 and build DORA readiness in parallel, so that the switch in 2027 goes smoothly.

¹ "Light ISMS": a very lean information security management system that works with reduced governance, fewer controls and less documentation than established standards.

The supervisory notice provides welcome clarity: less form, more substance. Whoever implements DORA in an intelligently proportionate way, with lean change management, a clear asset picture, sensible BCM scenarios, well-managed third parties and "need-to-use" in IAM, reduces effort and increases resilience at the same time. For many institutions this is the chance to shed legacy from the BAIT era and anchor DORA in a modern, risk-oriented way.

👉 The full notice can be found here: https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Aufsichtsmitigung/2025/neu/supervisedmitigung_2025_08_21_leitung_artikel_16_dora.html

Do you have questions about the practical implementation? Feel free to contact us; we will accompany you on your way to DORA compliance.

👉 Find out more:https://advisori.de/dienste/regulatory-compliance-management/dora-digital-operational-resilience-act

📞 +49 173 3670962

🌐www.advisori.de

📧info@advisori.de
