Question 1

Is DORA mandatory for all Frankfurt financial institutions?

Accepted Answer

Yes. DORA applies to all EU-regulated financial entities including banks, insurers, investment firms, payment institutions and crypto-asset service providers. From January 2025, all entities must comply with DORA's requirements for ICT risk management, incident reporting and digital operational resilience testing, regardless of size.

Question 2

How does ISO 27001 relate to DORA for Frankfurt banks?

Accepted Answer

ISO 27001 provides a strong foundation for DORA compliance, many of its controls directly satisfy DORA's ICT risk management requirements. However, DORA includes additional obligations specific to financial services, such as ICT third-party concentration risk reporting and TLPT resilience testing. KaitoSec maps the gap between your ISO 27001 controls and full DORA compliance.

Question 3

Which supervisory authority oversees DORA compliance in Germany?

Accepted Answer

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) is the primary competent authority for DORA oversight in Germany, working alongside the ECB for significant institutions. Frankfurt-based entities should expect enhanced supervisory scrutiny given the city's systemic importance to EU financial stability.

Question 4

Are Frankfurt fintech startups also subject to DORA?

Accepted Answer

Fintechs holding a BaFin licence, including payment institutions, e-money institutions and investment firms, are subject to DORA. Proportionality provisions apply to microenterprises, but most licensed Frankfurt fintechs will face DORA's full requirements. KaitoSec offers a DORA readiness assessment to identify your specific obligations.

DORA-grade resilience for Frankfurt's finance sector

Financial Regulation Expertise

DORA Compliance for Financial Entities

Critical Infrastructure Protection

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal