
FinmadiG & DORA: Impact on Leasing and Factoring Companies


Financial Market Digitization Act (FinmadiG) and Digital Operational Resilience Act (DORA): what do these new regulations mean for leasing and factoring companies? In this blog article, we explain in practical terms why DORA also becomes binding for leasing and factoring companies as a result of the FinmadiG, which requirements apply from January 2025 and from January 2027, and how you can prepare now. Decision-makers in leasing and factoring companies will learn which new obligations await them, what changes compared to the previous IT supervisory requirements (BAIT) and which specific recommendations for action apply.

Overview and background

DORA (Digital Operational Resilience Act) is an EU regulation (Regulation (EU) 2022/2554) intended to strengthen digital operational resilience in the financial sector. It requires financial entities to establish robust mechanisms for ICT risk management, the reporting of ICT-related incidents and the management of risks arising from third-party ICT providers. It has applied since 17 January 2025 to the financial entities within its scope (banks, insurers, payment service providers and others) and harmonizes their cyber security requirements across the EU. In Germany, it now also reaches further sectors.

The FinmadiG (Financial Market Digitization Act) is a German legislative package passed at the end of 2024 that implements several EU regulations in national law, among them MiCA for crypto-assets and DORA. Leasing and factoring companies are not among the financial entities listed in the scope of DORA itself, but the German legislator has extended the scope to them via Section 1a (2a) KWG in order to raise their digital resilience as well. At the same time, the FinmadiG preserves proportionality, especially for smaller players, by applying only the simplified framework described below.


Scope of application: Why leasing and factoring companies are now affected

Which companies are affected? In practice, finance leasing and factoring companies, among others, which are financial services institutions under the German Banking Act (Kreditwesengesetz, KWG). Many leasing companies offering finance leasing (in which the lessor finances the acquisition cost of the asset) require a BaFin license and were previously subject to the national BAIT requirements; factoring providers are likewise regulated as financial services institutions. The FinmadiG now makes DORA mandatory for both. Unregulated lessors that only offer operating leasing without a financing function are not covered, unless they act as ICT service providers for financial entities, in which case they can be affected indirectly as third-party ICT providers within the meaning of DORA, for example through the contractual requirements their financial-entity customers must impose on them.

What is the legislator's intention? Leasing and factoring companies often manage large asset portfolios and sensitive data. Their digital operational stability matters because outages, cyber attacks or IT failures could trigger financial chain reactions. DORA establishes a minimum level of cyber security, from risk management and incident detection and reporting to the control of outsourced IT services. The German legislator uses the FinmadiG to close the remaining gap: even though these companies are smaller than banks, they are now subject to comparable basic requirements, albeit in a simplified form (keyword: proportionality).

Simplified requirements according to Art. 16 DORA

Leasing and factoring companies are subject to the simplified DORA obligations of Article 16 DORA ("simplified ICT risk management framework"). They must implement ICT risk management, but in a simplified form. Specifically, this means:

  • Basic ICT risk management: basic mechanisms are sufficient to identify, assess, manage and monitor ICT risks. The scope and depth of the processes should be appropriate to the size and complexity of the company.
  • Proportionate approach: The measures may be risk-based and proportionate. Smaller, less complex leasing/factoring providers do not have to establish bank-like processes, but must find practical solutions.
  • Documentation and review: even in a simplified framework, documented ICT governance is necessary (e.g. IT policies, responsibilities, business continuity concept). It should be reviewed and updated regularly, but with a sense of proportion and without bureaucratic overkill.

Important: the general DORA requirements of Articles 5 to 15 (the comprehensive ICT risk management framework) do not apply to these companies. In particular, the more complex processes designed with large banks in mind are not mandatory here.

There are further specific exemptions. Threat-led penetration testing (TLPT) under Art. 26/27 DORA does not have to be carried out by leasing and factoring companies; the obligation to run these complex, intelligence-led attack simulations is reserved for the large institutions identified by the supervisor. There are also simplifications in ICT third-party risk management: if a leasing/factoring company qualifies as a microenterprise within the meaning of DORA (fewer than 10 employees and an annual turnover and/or balance sheet total of no more than EUR 2 million), certain outsourcing monitoring requirements do not apply.

From BAIT to DORA: what is changing?

Until now, many of the affected companies have been governed by BAIT ("Bankaufsichtliche Anforderungen an die IT"), a national circular issued by BaFin. DORA and the FinmadiG now create a new regulatory framework that gradually replaces BAIT. BaFin has announced that it will not let the existing IT supervisory circulars (BAIT, and likewise ZAIT/VAIT/KAIT for payment institutions, insurers and asset management companies) run in parallel, but will instead apply DORA as the single standard. In concrete terms, this means:

  • BAIT continues to apply on a transitional basis until the end of 2026 for institutions that are not yet directly subject to DORA. From January 1, 2027 at the latest, all relevant institutions must meet the DORA requirements exclusively and BAIT will be repealed completely. For institutions that only fall under DORA from 2027 as a result of the FinmadiG (see the dates below), BAIT serves as the bridge until then.
  • Differences in content: DORA is more detailed and uniformly worded across the EU, whereas BAIT was a more principle-oriented set of guidelines. New under DORA are, for example, mandatory reports of major ICT-related incidents to the supervisory authority within tight deadlines; BAIT required internal incident management, but no formal external reporting obligation in this form.
  • Simplifications compared with BAIT: according to the explanatory memorandum, the simplified DORA requirements are even less demanding for these companies than the previous BAIT rules. Anyone who has been working in compliance with BAIT should therefore be able to meet the obligations of the simplified framework without much difficulty; several detailed BAIT requirements have deliberately been left out so as not to overburden small companies.
  • More binding: as an EU regulation, DORA is directly applicable law in every Member State, and violations can be sanctioned. Whereas BAIT was "only" an administrative circular applied in audits, DORA creates obligations that can be enforced directly. Companies should therefore prepare for compliance with the DORA requirements that stands up to an audit.

Important dates and obligations

January 17, 2025: DORA applies from this date. Leasing and factoring companies must report major ICT-related incidents to the supervisory authority within the deadlines of Art. 19 DORA, using the standardized classification criteria of Art. 18 DORA. Existing IT supervisory circulars (BAIT, ZAIT etc.) are gradually replaced by DORA from this date.
January 1, 2027: End of the transition period. By this date every leasing/factoring company must have fully implemented simplified ICT risk management in accordance with Art. 16 DORA. All other relevant DORA requirements also apply without restriction from 2027. At the same time, BAIT finally ends on December 31, 2026.

No mandatory threat-led penetration tests: threat-led penetration testing (DORA Art. 26/27) is not required for leasing and factoring providers; these complex attack simulations are not mandatory. This exemption concerns TLPT specifically: ordinary vulnerability scans and penetration tests of your own systems remain a sensible part of identifying and managing ICT risk under the simplified framework.

Exception for microenterprises: companies with fewer than 10 employees and an annual turnover and/or balance sheet total of no more than EUR 2 million count as microenterprises. Certain requirements, e.g. parts of the formal third-party risk management, are not prescribed for them.

Practical recommendations for action: How to prepare yourself

Even if some obligations will not take full effect until 2027, leasing and factoring companies should take action now. The following steps are recommended in order to implement the upcoming requirements efficiently and in good time:

  • Establish ICT risk management: develop a basic ICT risk management system that fits the size of your company. Identify the key ICT risks (e.g. cyberattack, system failure, loss of a key service provider), assess their potential impact and define countermeasures. Document the procedure in an IT policy or concept. Clearly assign responsibilities, e.g. an ICT risk manager or a small team that monitors risks and coordinates measures.
  • Introduce incident management and a register: set up a process to identify, report internally and handle ICT-related incidents (e.g. cyberattacks, major system disruptions). Keep an incident register in which every significant incident is recorded with date, root cause, impact and the measures taken. This register helps internally, supports the official reporting obligation and, if necessary, serves as evidence that incidents are handled systematically.
  • Create an overview of ICT service providers: compile a complete list of all third-party ICT providers and outsourced IT services (e.g. data center operators, cloud services, software service providers). This register of information should document the respective contracts and the criticality of the services. DORA requires effective ICT third-party risk management, which starts with knowing and monitoring your critical service providers. Check contracts for business continuity provisions, exit rights, audit and information rights and security assurances and, where necessary, negotiate improvements to meet the DORA standard (Art. 28 to 30).
  • Prepare the reporting process to the supervisory authority: from January 2025, major ICT-related incidents must be reported to BaFin. Define internally which thresholds make an incident reportable (DORA and its technical standards provide criteria such as the number of clients affected, duration and downtime, geographic spread, data losses and economic impact). Determine who is responsible for reporting in an emergency and how you will gather the necessary information within the staged deadlines: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification and a final report within one month. Train employees in this process so that you can react quickly when it counts.
  • Awareness and training: sensitize your team to the new requirements. ICT security is not only a matter for the IT department. All employees should know the basic principles (e.g. how to recognize phishing) and how to report incidents. Conduct regular training and workshops to promote a risk-aware corporate culture.
  • Monitor standards and guidance: keep an eye on the regulatory and implementing technical standards (RTS/ITS) that the European supervisory authorities have issued and continue to issue under DORA, and on BaFin's guidance. These concretizations (e.g. incident classification thresholds, reporting templates, the structure of the register of information) help you implement the requirements precisely. Plan buffers so that you can integrate new requirements into your processes promptly.

Summary

For leasing and factoring companies, the extension of DORA through the FinmadiG brings new obligations, but also opportunities. From 2025, ICT risks and their control move into the focus of supervision, a sensible development in view of growing cyber risks. It is crucial to use the transition period until 2027: those who set up suitable ICT risk management early, maintain an incident register and a register of information and raise awareness among their workforce will not only meet the DORA requirements but also strengthen their own digital resilience. The good news is that the simplified requirements are feasible and in some respects less strict than the previous BAIT rules. With clever preparation and pragmatic measures, leasing and factoring providers can treat the upcoming regulatory requirements as an opportunity to professionalize their cyber security, for the benefit of their own business and of customer confidence.

Your expert for Regulatory Compliance Consulting

Thomas Lang, Partner & Managing Director, valantic Division Digital Strategy & Analytics