- Regulatory requirements increasingly affect non-regulated third-party providers
- De facto NIS2 compliance required even before coming into force
- Being prepared becomes a competitive factor
Between 14 and 28 April 2025, financial institutions in the EU must have registered their IT service providers with the Federal Financial Supervisory Authority (BaFin). With the entry into force of the Digital Operational Resilience Act (DORA), many IT service providers without direct regulation will come under the scrutiny of supervisory authorities. At the same time, the upcoming implementation of the European NIS2 Directive is creating increased pressure to act in other sectors.
“A number of service providers are currently faced with the task of documenting security certificates, risk analyses and contract compliance at short notice – often without having been confronted with comparable requirements in the past,” explains Ulrich Plate, Leader of the Critical Infrastructure Competence Group at eco – Association of the Internet Industry.
Outside the financial sector, too, there is already increasing momentum: companies that will fall under NIS2 in the future are already demanding concrete proof of cybersecurity from their suppliers. Among other things, the directive requires companies to commit their ICT supply chain to a minimum level of security. “What we are seeing is a kind of regulatory knock-on effect,” says Plate. “Many clients are already contractually demanding de facto NIS2-compliant security, even though the requirements have not yet been transposed into national law.”
Increase in the number of contracts
According to current estimates, around 30,000 companies in Germany will in future fall directly under the NIS2 regulation. But even service providers who are not directly affected are feeling the effects: in practice, contracts are being adapted, security questionnaires are being sent out, and providers are only being contracted if they are sufficiently compliant. “Suppliers often have to fulfil their obligations earlier than their clients,” warns Plate. “Those who don’t prepare will no longer be considered in future tenders.”
DORA brings new visibility to third-party providers
DORA is putting a clear deadline on this development in the financial sector. The registration requirement not only includes a report to the BaFin, but also comprehensive audit requirements – from risk analysis to auditability. In the future, the supervisory authority will also be able to control IT service providers that are not directly regulated. “DORA brings IT service providers into the direct visibility of the supervisory authority,” explains Plate. “The market boundary for cybersecurity is shifting – if you want to stay in business, you have to adapt to the regulation.”
Using compliance to gain a competitive advantage
SMEs in particular are faced with the task of aligning their internal processes with new requirements – for example, with certifications, emergency plans or structured verification procedures. In this context, early positioning can be an advantage. IT service providers should therefore check now how well they are prepared for regulatory requirements – and quickly close any gaps, according to Plate. “IT compliance is a differentiating factor,” says Plate. “Those who invest in security standards today strengthen their own resilience and gain the trust of (new) contractors.”
