Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”),  is an EU regulation that entered into force on 17 January 2023 and is ultimately effective as of 17 January 2025. It aims to strengthen the resilience, reliability, and continuity of financial services across the European Union. DORA is designed to ensure that organizations can withstand, respond to, and recover from cyber incidents and therefore aims to strengthen the resilience, reliability, and continuity of financial services throughout the European Union. 

In accordance with Art. 30 DORA, the minimum requirements set forth in agreements between a Financial Entity and an ICT Third-Party Service Provider with respect to the provision of ICT Services shall apply.   

Purpose of this webpage is to provide an overview of the roll-out approach and to answer frequently asked questions with respect to the relationship between customers (in their role as Financial Entity) and Deutsche Börse AG (in its role as ICT Third Party Service Providers, where applicable).

This is an embedded image

1. What is an ICT Service under DORA and which services provided by Deutsche Börse AG are of relevance?

DORA defines an ICT Service as any “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis […]”, Art. 3(21) DORA. Consequently, an ICT Service provided by an ICT Third Party Service Provider on an ongoing basis towards a Financial Entity is subject to the requirements outlined in Art. 30 DORA.

An indication what could constitute an ICT Service could be drawn from Annex 3 to the Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554. Please note that this list might not be exhaustive as it primarily refers to the question which information needs to be put in the register pursuant to Art. 28(3) DORA.

Deutsche Börse AG (“DBAG”) is authorized to operate the exchange Frankfurter Wertpapierbörse (FWB) under its exchange license. However, trading is not provided as an IT platform or software solution service. Trading is subject to a regulatory authorization requirement and such activity is conducted by DBAG, but they DBAG does not offer trading PaaS, Saas, IaaS solutions enabling third-parties to conduct a market on their own.

As DBAG in it´s capacity as operator of the FWB doesn’t offer services conformant to the ICT services mentioned in Annex III of the Draft ITS with respect to the operation of a trading system, these core functions are not to be considered as ICT Services. Furthermore and in the context of the DORA Dry Run, the European Supervisory Authorities (“ESAs") published FAQs which also address the term ICT Services. These FAQs are currently under review and will be replaced in the near future. In these FAQs it was clarified that a service shall not be considered as an ICT Service if a Financial Entity has obtained a license to deliver it. Consequently, any activities which are directly resulting from these authorizations would not constitute ICT Services. However, other services which are not subject to an authorization requirement might conform to the definition of ICT Services (such as certain connectivity services might be considered as ICT Services).

Connectivity services are laid down in Deutsche Börse AG Agreements or Provider Connection Agreements. Deutsche Börse AG is currently assessing whether and which connectivity services might be subject to DORA. In the event such services are affected, the DORA-specific adjustments will be implemented through an additional addendum to the existing contracts. Affected customers will be proactively approached and will receive a DORA-compliant addendum.

2. Have you completed an impact analysis of DORA?

Yes, an impact assessment for Deutsche Börse AG in its role as ICT Third-Party Service Provider has been completed. Additional information will be available here on this Initiative page in the coming weeks.

3. Will Deutsche Börse AG entities agree dedicated DORA agreements with individual clients / users of ICT Services provided by Deutsche Börse AG

Deutsche Börse AG is obliged by law to treat all their Trading Participants equally. For this reason, it is intended to provide a standard contract as a DORA-compliant solution.

 

Contacts

Customer Technical Service (CTS)

Service times Monday 1:00– Friday 22:00 CET/CEST

+49 69 211-VIP/ +49 69 21110888 (all)

CTS@deutsche-boerse.com
 

Customer Functional Support

Service times 9–18 CET/CEST

+49 69 21110333

client.services@deutsche-boerse.com
 

Market Status

XETR

-

-

Parts of the trading system are currently experiencing technical issues

The trading system is currently experiencing technical issues

Xetra newsboard

The market status window is an indication regarding the current technical availability of the trading system. It indicates whether news board messages regarding current technical issues of the trading system have been published or will be published shortly.

Please find further information about incident handling in the Emergency Playbook published on the Xetra webpage under Technology --> T7 trading architecture --> Emergency procedures. Detailed information about incident communication, market re-opening procedures and best practices for order and trade reconciliation can be found in the chapters 4.2, 4.3 and 4.5, respectively. Concrete information for the respective incident will be published during the incident via newsboard message

We strongly recommend not to take any decisions based on the indications in the market status window but to always check the production news board for comprehensive information on an incident.


Emergency procedures


An instant update of the Market Status requires an enabled up-to date Java™ version within the browser.