Zum Inhalt springen

Knowledge

Glossary and Terminology.

The most important terms from DORA, MaRisk, ISO 27001, and regulatory practice - concise, practical, and action-oriented.

Note: These definitions are independently formulated implementation aids. They do not replace binding regulatory interpretation. For binding definitions, consult the respective original sources (DORA Regulation, MaRisk, ISO 27001).

Management-Zusammenfassung

  • DORA, MaRisk und ISO 27001 verwenden zahlreiche spezifische Fachbegriffe und Abkürzungen.
  • Dieses Glossar erklärt Begriffe kurz, praxisnah und umsetzungsorientiert — keine Normwiedergabe.
  • Jeder Begriff enthält einen Querverweis zu relevanten Plattform-Seiten für vertiefende Informationen.
  • Das Glossar wird fortlaufend um neue Begriffe aus der regulatorischen Praxis ergänzt.

DORA Kernbegriffe

DORA

Digital Operational Resilience Act (Regulation (EU) 2022/2554). EU-wide regulation on digital operational resilience in the financial sector. Governs ICT risk management, incidents, testing, third-party risk, and information register.

kwF

Critical or important function. Business functions whose disruption or failure would have significant negative impacts on the financial institution, customers, or financial stability.

ICT Third-Party Provider

ICT third-party service provider. Providers of ICT services to a financial institution. Subject to strict contractual, due diligence, and registration obligations under DORA Art. 28.

Information Register

Annual reporting of all ICT third-party relationships to the supervisory authority (DORA Art. 28). Contains contract information, protection needs classifications, and subcontractors.

CTPP

Critical ICT Third-Party Provider. Designated by the ESAs (EBA, EIOPA, ESMA). Subject to oversight by Joint Examination Teams (JET).

ICT Incident

ICT incident. Any event compromising the availability, authenticity, integrity, or confidentiality of networks and information systems. Reporting obligations by severity level.

Testing & Resilienz

TLPT

Threat-Led Penetration Testing. Threat-based penetration testing for significant institutions and CTPPs under DORA Art. 26. Simulates APTs using threat intelligence. First deadline: 17 January 2028.

Resilience Testing

Systematic testing of digital operational resilience under DORA Chapter IV. Encompasses 12 test types with protection-level-based frequencies.

3-Year Rule

DORA Art. 24(2): All relevant test types must be conducted at least once within a rolling 3-year period (36 months). No exceptions.

page.dora_glossar.term_red_team_blue_team_purple_team_title

page.dora_glossar.term_red_team_blue_team_purple_team_desc

TIBER-EU

Threat Intelligence-Based Ethical Red Teaming. EU-wide framework by the ECB for TLPT tests. Methodology reference for DORA-compliant tests.

MaRisk

MaRisk

Minimum Requirements for Risk Management. Central supervisory framework for German financial institutions. 9th amendment final (Circular 06/2026, 30 June 2026).

WpI MaRisk

MaRisk for securities institutions. Proportional requirements for small and medium-sized securities institutions.

page.dora_glossar.term_10_marisk_title

page.dora_glossar.term_10_marisk_desc

page.dora_glossar.term_at_bt_title

page.dora_glossar.term_at_bt_desc

ISO 27001

ISMS

Information Security Management System under ISO/IEC 27001:2022. Core for systematic risk management, controls, evidence, and continuous improvement.

Annex A Controls

93 controls in 4 categories (Organisational, People, Physical, Technological) as a reference framework. Mapped with DORA articles and MaRisk.

kontinuierliche Verbesserung

PDCA-Zyklus (Plan-Do-Check-Act) als Grundprinzip des ISMS. Management-Reviews, interne Audits und Korrekturmaßnahmen führen zu ständiger Anpassung und Optimierung der Informationssicherheit.

Regulatorik & Aufsicht

BaFin

German Federal Financial Supervisory Authority. Responsible for DORA implementation, information register acceptance, and ICT incident reporting hub.

EBA

European Banking Authority. Develops technical regulatory standards (RTS) and guidelines for DORA, particularly on testing, ICT risk management, and CTPP oversight.

ESAs

European Supervisory Authorities (EBA, EIOPA, ESMA). Jointly responsible for CTPP designation, oversight, and guidelines under DORA.

JET

Joint Examination Team. Joint inspection team of the ESAs for the oversight of critical ICT third-party providers.

NIS2

Network and Information Security Directive 2. EU-wide directive for cybersecurity. Financial institutions fall under DORA, not NIS2.

CRA

Cyber Resilience Act. EU regulation on cybersecurity of products with digital elements. Affects software manufacturers and supply chains.

Technische Begriffe

page.dora_glossar.term_sast_dast_iast_title

page.dora_glossar.term_sast_dast_iast_desc

CVE

Common Vulnerabilities and Exposures. Standardised identifier for publicly known security vulnerabilities.

RoE

Rules of Engagement. Formal document defining the scope, methods, and boundaries of a penetration test or TLPT exercise.

page.dora_glossar.term_aptt_apt_title

page.dora_glossar.term_aptt_apt_desc

Hinweis zur Verwendung

  • Dieses Glossar ist eine Arbeitshilfe — keine verbindliche Auslegung.
  • Für regulatorisch bindende Definitionen konsultieren Sie DORA, MaRisk, EBA-Leitlinien und BaFin-Veröffentlichungen.
  • Änderungen in der regulatorischen Landschaft (z. B. 10. MaRisk) können Begriffe und Anforderungen anpassen.
  • Vorschläge für neue Begriffe gerne an das Plattform-Team.