How does Germany's data protection differ from GDPR?

Germany supplements GDPR with the BDSG (Federal Data Protection Act) and has 16 state-level DPAs with independent enforcement powers. Cleo tracks decisions from all German authorities.

What is the German Supply Chain Due Diligence Act?

The LkSG requires companies with 1,000+ employees to monitor human rights and environmental risks across their supply chains. Cleo automates third-party screening to meet LkSG requirements.

🇩🇪Germany

DORA compliance in Germany

In Germany, BaFin enforces DORA for banking, insurance, and investment firms. German financial entities must reconcile DORA with existing BaFin requirements (MaRisk, BAIT, VAIT, KAIT).

Start free scan

Enforcement authority

BaFin (Federal Financial Supervisory Authority) + BSI for cybersecurity aspects

Maximum sanctions

BaFin can impose fines, require remediation measures, restrict business activities, or revoke licenses. Criminal liability possible under KWG (Banking Act).

Key obligations

What DORA requires from organizations operating in Germany.

Align BaFin BAIT/VAIT/KAIT requirements with DORA ICT risk management framework

Report ICT incidents to BaFin in accordance with DORA reporting timelines

Implement TLPT testing program coordinated with BSI (Federal Office for Information Security)

Maintain comprehensive ICT third-party provider register as required by BaFin

Local context in Germany

Germany's MaRisk and BAIT frameworks already impose strict IT risk requirements. BaFin has indicated it will align these with DORA rather than create parallel obligations. The BSI provides TLPT testing standards for the German market.

DORA by industry in Germany

Retail & Consumer Goods HealthTech Insurance Energy & Utilities Cosmetics & Personal Care Electronics & Connected Devices

Frequently asked questions

How does DORA apply in Germany?

In Germany, BaFin enforces DORA for banking, insurance, and investment firms. German financial entities must reconcile DORA with existing BaFin requirements (MaRisk, BAIT, VAIT, KAIT).

Who enforces DORA in Germany?

BaFin (Federal Financial Supervisory Authority) + BSI for cybersecurity aspects

What are the penalties for DORA non-compliance?

BaFin can impose fines, require remediation measures, restrict business activities, or revoke licenses. Criminal liability possible under KWG (Banking Act).

Read our complete DORA compliance guide

DORA in other jurisdictions

🇪🇺European Union 🇫🇷France 🇬🇧United Kingdom 🇺🇸United States 🇧🇷Brazil 🇦🇺Australia 🇮🇳India

Check your DORA compliance now

Start free scan to see your risk score and applicable obligations.

Start free scan

Key obligations

What DORA requires from organizations operating in Germany.

Align BaFin BAIT/VAIT/KAIT requirements with DORA ICT risk management framework

Report ICT incidents to BaFin in accordance with DORA reporting timelines

Implement TLPT testing program coordinated with BSI (Federal Office for Information Security)

Maintain comprehensive ICT third-party provider register as required by BaFin

Frequently asked questions

How does DORA apply in Germany?

In Germany, BaFin enforces DORA for banking, insurance, and investment firms. German financial entities must reconcile DORA with existing BaFin requirements (MaRisk, BAIT, VAIT, KAIT).

Who enforces DORA in Germany?

BaFin (Federal Financial Supervisory Authority) + BSI for cybersecurity aspects

What are the penalties for DORA non-compliance?

BaFin can impose fines, require remediation measures, restrict business activities, or revoke licenses. Criminal liability possible under KWG (Banking Act).