Gap Analysis
BAIT/xAIT → DORA Mapping
The gap analysis is the starting point for DORA implementation. For organisations previously aligned with BAIT/VAIT/ZAIT/KAIT, the leap to DORA is manageable – the key changes lie in formalisation, governance, and third-party management.
Gap Matrix
| Topic | BAIT/xAIT | DORA | Gap | Effort |
|---|---|---|---|---|
| Governance | Implicit (MaRisk) | Explicit: Management body personally responsible (Art. 5) | 🟡 Medium | Governance document, board training |
| ICT asset inventory | AT 4: Information risk management | Art. 8: Complete asset inventory + criticality classification | 🟡 Medium | Extend existing inventory |
| Security policies | AT 4 / AT 7.2: Information security | Art. 9 + RTS 2024/1774: More detailed | 🟢 Low | Extend existing policies |
| Detection | AT 4.3.4: Security monitoring | Art. 10: Multi-layered detection, automated | 🟡 Medium | SIEM expansion |
| BCP/DRP | MaRisk AT 7.3: IT emergency management | Art. 11–12: RPO/RTO explicit, regular testing | 🟢 Low | Formalise existing plans |
| Awareness | Implicit | Art. 13: Mandatory, including management | 🟢 Low | Set up programme |
| Communication | No explicit requirement | Art. 14: Communication plans, media spokesperson | 🟡 Medium | Create from scratch |
| Incident classification | Major payment security incidents | Art. 18: 7 criteria (RTS 2024/1772), standardised | 🟡 Medium | New classification system |
| Incident reporting | Reporting obligation exists | Art. 19: 4h/72h/1M, XML format, BaFin Hub | 🟠 High | New deadlines, new format |
| Baseline tests | AT 4.3.4 / BT 3.6: Application testing | Art. 25: More comprehensive test programme | 🟡 Medium | Expand test programme |
| TLPT | Not required | Art. 26–27: Systemically important only | 🟢 Low | N/A for most |
| Third-party management | AT 9: Outsourcing | Art. 28–30: Significantly more comprehensive | 🟠 High | Information register, contracts |
| Subcontracting | Basic rules | RTS 2025/532: Due diligence, chain disclosure | 🟠 High | New process |
| Exit strategies | Fundamentally in place | Art. 30: Explicit with transition period | 🟡 Medium | Formalise |
| Information sharing | No requirement | Art. 45: Voluntary | 🟢 Low | Optional |
Results Summary
Low Gaps (existing compliance sufficient)
- ICT security policies (extension)
- BCP/DRP (formalisation)
- Baseline tests (extension)
Medium Gaps (adjustment required)
- Governance formalisation
- Asset inventory with criticality classification
- Detection (SIEM expansion)
- Communication plans
- Incident classification
High Gaps (new development required)
- Incident reporting (new format, new deadlines)
- Third-party information register
- Contract adjustment for all financial sector clients
- Subcontracting governance