DORA is intended to transfer national regulations in the area of financial market regulation into uniform, harmonised EU law. This blog post focuses on the delta to current regulation, i.e. what is actually new for the established financial industry out of DORA.DORA broadens the scope to about 20 types of entities and ICT third party providers. For those companies for which the rule contents such as ICT risk management, reporting of ICT incidents and auditing of digital operational stability were previously not an issue, everything is new out of DORA. For the companies already supervised by BaFin, DORA contains many parts known from XAIT.

With the help of certified information security management systems (ISMS), institutions can fulfil a large part of the xAIT requirements (BAIT, ZAIT, KAIT, VAIT). If institutions are certified in accordance with ISO 27001, for example, they must also take into account the sector-specific details of the circulars. Nevertheless, the establishment of an ISMS is recommended after the EU regulation Digital Operational Resilience Act (DORA) will soon require an ISMS in addition to the EBA guidelines at the European level.

The Digital Operational Resilience Act (DORA) creates an EU legal framework "on the operational resilience of digital systems of the financial sector". DORA combines existing regulations on security measures, reporting and verification of outsourcing, but expands and deepens them in selected places. Through DORA, third-party ICT providers become the object of supervision, just like banks and insurance companies. As a comprehensive set of rules for information security, DORA will have an impact in the three dimensions of organisation, regulation and IT in financial companies comparable to that of the GDPR in the protection of personal data.

In May, the EU Competition Commission found that access to Apple's NFC interface could have been unlawfully restricted. A compulsion to open the NFC interface could trigger far-reaching market movements in mobile finance. Unimpressed by this, Apple is launching its next finance product with an integrated BNPL solution and is entering the credit business - with its own licence and operational processing. Banks should not assume that the regulator alone will solve this challenge for them, but use the opportunity to reflect on their own positioning between cooperation and competition with xPays.

This blogpost analyses the BaFin circular "Insurance Supervisory Requirements for IT (VAIT)" and puts it in the context of BAIT and ZAIT.

Publishing houses, especially those with a clear focus on daily newspapers, have come under massive pressure in recent years: In relation to the print business, sales on the reader market are steadily declining, and for a few years now, sales in the advertising business have also been stagnating. At the same time, the technology basis is becoming a problem: legacy ERP systems for the administration and billing of subscription customers can only be operated with a high expenditure of resources, while they hardly allow for digital business models. At the same time, the old editorial systems designed for the print business are not capable of publishing journalistic content quickly and flexibly on digital channels. Covid-19 massively exacerbates the situation and quickly threatens their existence.

On the one hand, new technologies can significantly shrink the cost base quickly and permanently. At the same time, thanks to higher modularity, they offer the necessary flexibility for modern publishing on online and offline channels. Furthermore, new business models can be tested and new ways of monetising content can be explored. To exploit the potential, action must be taken quickly, consistently and with the necessary IT and transformation know-how.

At the same time as the Banking Authority IT Requirements (BAIT), the German Federal Financial Supervisory Authority has also updated the Payment Services Authority IT Requirements for Payment and E-Money Institutions (ZAIT). The following blog post deals with the changes to the various requirements and analyses the differences between BAIT and ZAIT. It can be said at the outset that, in comparison, six chapters have remained the same in terms of content, five chapters have changed in part and the changes in the area of "outsourcing" have changed significantly. Furthermore, ZAIT introduces more fine-grained specifications, a framework with target formulations and the freedom of implementation with appropriate measures increasingly becomes a catalogue of measures.

Instant Payments (IP) are about to become a reality in Switzerland, and as such, will be quickly accepted and expected by customers as the new normal. Simultaneously, IP readiness will require comprehensive adaptations and adjustments in existing processes as well as IT landscapes of banks, thereby limiting the implementation effort from “a lot” to “a whole lot”. The need for Swiss banks to take action and decide on an implementation strategy for Instant Payments is imminent. Our payments experts Tatsiana Bychkouskaya, Tobias Krück, Fabian Meyer and Kenneth Chu Sam explain in their latest blogpost „Swiss Instant Payments – burden or opportunity for banks?“, how Swiss banks can leverage these complex adaptations as an opportunity to gain strategic edge.