By Paul O’Donoghue, Senior Correspondent
A top German regulator has given banks new guidance on how to comply with the EU’s upcoming DORA rules.
BaFin, Germany’s financial regulatory authority, has published detailed notes on the EU’s new Digital Operational Resilience Act (DORA).
DORA, which sets out rules on how financial entities manage ICT risk, including how they protect against and respond to cyber threats, will apply from 17 January 2025.
BaFin said its new guidance is “non-mandatory”.
However, it said the notes could help firms build their knowledge of DORA requirements, such as ICT risk management.
The notes include advice on how banks can tighten their digital controls.
It flagged that management-level staff at banks will be expected to have “sufficient knowledge and skills regarding ICT risks”.
BaFin added that under DORA, management staff will be responsible for “setting clear tasks and responsibilities for all ICT-related functions”.
In an article published on BaFin’s website, Ira Kosche-Steinbrecher, from the regulator’s IT supervision arm, confirmed that senior staff will be expected to be more involved in policing technology-related risks.
“Under DORA, the management body of a financial entity is assigned far more tasks,” she said.
Ms Kosche-Steinbrecher said more detail is available for companies in the published notes, which can help banks get familiar with DORA rules “bit by bit”.
BaFin said in July that it will “support companies on their way” to implementing DORA.
Other regulators across Europe have also pledged to help banks familiarize themselves with the new rules.
For example, Ireland’s Central Bank has said it will take a “pragmatic approach” to making sure that firms are compliant with DORA, shying away from immediately penalizing companies.
AML Intelligence currently offers an online course aimed at getting compliance professionals up to speed with DORA requirements.