Is DORA destroying the principle of subsidiarity?

Recently I came across an article published by the German „Genossenschaftsverband Bayern“ regarding the planned „Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations“, in short „DORA“ (Digital Operational Resilience Act).

DORA is a planned regulation of the European Parliament that is intended to strengthen cyber resilience in the financial sector. The Genossenschaftsverband Bayern criticizes that DORA does not fully take into account the association structures of the German „Genossenschaften“. In particular, it will become more difficult for small and medium-sized banks to benefit from synergies in IT development and to strengthen their information security[1].

Furthermore, the Genossenschaftsverband Bayern criticizes that this regulation goes beyond the planned harmonization of all corresponding rules and laws and does not apply the principle of proportionality. Banks already have to fulfill strict supervisory requirements, for example the EBA guidelines or the BaFin standards[2].

This article will give an overview of the points of criticism with respect to outsourcing.

What is DORA?

The European Commission describes the goals of DORA in its press release „Digitalisierung des Finanzsektors: Modern und kostengünstig bezahlen”:

The Digital Operational Resilience Act, which is published as a proposal today, should guarantee that all participants in the financial sector meet all necessary security requirements in order to reduce the risks of cyber-attacks as well as other risks. With this regulation, all companies are obligated to ensure their ability to withstand all kinds of disruptions and threats related to information and communication technology (ICT)[3].

DORA and outsourcing

Using outsourcing as an example, I would like to investigate whether DORA is proportionate, in particular for small and medium-sized, cooperatively organized banks. The same may apply to the German Sparkassen-Finanzgruppe. On the one hand, there are differences between the two banking groups; on the other hand, they are quite similar in comparison to major banks or direct banks.

“Chapter V“ of the regulation deals with “Managing of ICT Third-Party Risk“, and section 1 describes the “Key principles for a sound management of ICT Third-Party Risk“[4].

Article 25 includes provisions on how financial institutions should manage the risks of outsourced IT services. In article 5 paragraph 9 (g), the regulation refers to the “Multi-Vendor-Strategy“: „(…) defining a holistic ICT multi-vendor strategy at entity level showing key dependencies on ICT third-party service providers and explaining the rationale behind the procurement mix of third-party service providers“[5]. This will be discussed further below.

Paragraph 4 describes the obligation to maintain a „Register of Information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers“.

The following paragraphs set out rules for the assessment of risks, for contractual agreements with ICT third-party service providers and for the development of exit strategies in case an ICT third-party service provider is no longer able to deliver its services.

Article 26 (p. 54) sets out the aspects financial institutions have to consider when concluding contracts with ICT vendors. The financial companies have to take into account “(…) whether the conclusion of a contractual arrangement in relation to the ICT service would lead to any of the following: (a) contracting with an ICT third-party service provider which is not easily substitutable; or (b) having in place multiple contractual arrangements in relation to the provision of ICT services with the same ICT third-party service provider or with closely connected ICT third-party service providers.“

Financial entities should evaluate the costs and benefits of each alternative solution[6].

It is clear from this that financial institutions face comprehensive obligations with regard to outsourcing, along with broad documentation duties and disclosure requirements.

Moreover, a strategy based on the substitutability of ICT third-party service providers and aiming at a multi-vendor strategy is supposed to ensure service levels, improve information security and strengthen business continuity. The Genossenschaftsverband Bayern states in its position paper that DORA demands a multi-vendor strategy from banks, which requires financial institutions to disclose dependencies arising from the outsourcing of ICT services and to list all service providers[7].

The idea of Genossenschaften

A definition of “Genossenschaft“ can be found in the Gabler Wirtschaftslexikon. A „Genossenschaft“ is an association of persons whose purpose is to promote the business activities of its members through joint business operations[8].

Friedrich Wilhelm Raiffeisen (1818-1888) was one of the most important representatives of this idea. He established a charitable benefit society to help the rural population in need[9].

At the same time Hermann Schulze-Delitzsch helped needy craftsmen[10].

In 1893, the founders of the Genossenschaftsverband Bayern built on Raiffeisen's idea and model. According to the chronicle of the Genossenschaftsverband Bayern, the founders established a regional, self-administered union that was to take on superordinate tasks[11]. Furthermore, the farmers, merchants and clergy acted along the principle of subsidiarity. This means: whatever the association could not fulfill within its decentralized structure was undertaken by the next-higher organizational level.

Summary and outlook

If we consider the requirements of DORA, in particular the multi-vendor strategy, alongside the principle of the Genossenschaften, it becomes clear that DORA does not fit the idea and goals of the cooperative banking group. The cooperative financial group has long had a successful division of labour with Fiducia & GAD IT AG. DORA calls this into question, which is not expedient for this association. The Genossenschaftsverband Bayern thus rightly criticizes DORA in its position paper[12].

In my opinion, the situation for the German Sparkassenorganisation is the same. The Sparkassen group has the same structure and also relies on one main ICT service provider, Finanz Informatik GmbH & Co. KG.

In my view, the Genossenschaftsverband Bayern justifiably points out that the IT outsourcing of banks should remain within the group and that the regulation of the European Parliament should focus on cloud vendors that are active EU-wide. A blanket tightening of requirements for all financial institutions is not expedient[13].

However, in order to be as well prepared as possible for the regulation, it is advisable to introduce standards such as ISO 27001 within the institutions, in addition to the applicable MaRisk requirements, which already cover essential aspects of information security.
