Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”),is an EU regulation ultimately effective as of 17 January 2025. It aims to strengthen the resilience, reliability, and continuity of financial services across the European Union. DORA is designed to ensure that organizations can withstand, respond to, and recover from cyber incidents and therefore aims to strengthen the resilience, reliability, and continuity of financial services throughout the European Union.

The purpose of this Initiative page is to answer frequently asked questions with respect to the relationship between customers (in their role as Financial Entity) and Deutsche Börse AG.

This is an embedded image

1. What is an ICT Service under DORA?

Definition: DORA defines an ICT Service as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (Art. 3(21) DORA).

Requirements: ICT Services provided by ICT third-party service providers to Financial Entities must comply with Art. 30 DORA.

Examples: Annex III of the Commission Implementing Technical Regulation 2024/2956 (the “ITS”) provides examples of ICT Services, focusing on the information needed for the register as per Art. 28(3) DORA.

Clarification: FAQs from the European Supervisory Authorities (ESAs) clarified that a service shall not be considered as an ICT Service if a Financial Entity is authorized to deliver such service. Consequently, any activities which are directly resulting from these authorizations would not constitute ICT Services. However, these FAQs have been partially withdrawn and the European Commission plans to clarify this through a Q&A with the support of the ESAs.

2. Which ICT services are provided by Deutsche Börse AG and how is it intended to proceed with such services?

Deutsche Börse AG (”DBAG“) is authorized to operate the Frankfurt Stock Exchange under its exchange license.

However, trading at the Frankfurt Stock Exchange or the Open Market (Freiverkehr) is not provided as an IT platform or software solution service. The aforementioned trading activities are subject to a regulatory authorization requirement, but neither DBAG nor the Frankfurt Stock Exchange do offer trading activities as PaaS, Saas, IaaS solutions enabling third-parties to conduct a market on their own. Neither DBAG nor the Frankfurt Stock Exchange offer services conformant to the ICT Services mentioned in Annex III of Commission Implementing Technical Regulation 2024/2956 with respect to the operation of a trading system. This core function is not to be considered as ICT Service. 

Accordingly, DBAG believes that customers will not be required to amend their existing contractual arrangements in this respect. We refer to the publications of Market Data & Services with respect to the implementation of DORA to the relevant market data products. 

Please note that, as of now, the legal framework comprising the regulatory technical standards for DORA is not fully complete and yet to be finalized. In addition, the EU Commission announced to issue an administrative practice on the interpretation of ICT Services with a potential relevance for other services than the services mentioned above (such as the technical access to trading). DBAG is closely monitoring the further development of the DORA legislation and the associated administrative practice – and is prepared to roll-out respective DORA appendices for contracts in scope, if needed. We, therefore, ask you to wait until the matter has been finally clarified and subsequently acknowledge that we will not be able to sign any individual contracts until then.

3. Who should I contact with questions regarding DORA?

For clients of Deutsche Börse AG, your first point of contact should always be client.services@deutsche-boerse.com. As reference, please mention the market, your Member ID, and the Service you are referring too.

4. Are the services offered under the Vendor Access Agreement to be considered ICT services under DORA?

The Vendor Access Agreement is addressed to vendors. The services under the Vendor Access Agreement are not made available to financial entities. Therefore, the DORA requirements for ICT third-party service providers do not apply.

5. Is DBAG responding to individual requests to fill in the “Provider Questionnaire”?

Due to high inquiry volumes, we cannot fill out individual questionnaires. Please refer to our website, customer portal, or industry sources like the commercial register or SWIFT Registry. To make this convenient to you, sources incl. download links are made available by email on request.

6. Will Deutsche Börse AG provide information about the subcontractors involved in the provision of ICT services if such services are identified?

The RTS on subcontracting is currently only available in a draft version and does not constitute applicable law. According to our information, the draft version is currently being discussed (in particular by various companies and associations) and an exchange is taking place with the EU Commission. For this reason, it has been decided to implement DORA requirements only if they also constitute applicable law.  Deutsche Börse AG will take the necessary measures for implementation as soon as the aforementioned RTS has been adopted and entered into force with binding effect. 

7. Is Deutsche Börse AG compliant with recognized information security standards?

It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments. In order to assist our customers with their due diligence, we have already made a comprehensive catalogue available on request and soon also in our Member Section (under Resources > Compliance > Information Security). In addition, we are planning to make a DORA aligned control report for the year of 2025 available in early 2026

8. Has Deutsche Börse AG established and maintained business continuity plans?

It is one of our main goals to apply the highest security standards to protect our systems and ensure stable market and clearing environments. In order to assist our customers with their due diligence, we have already made a comprehensive catalogue available on request and soon also in our Member Section (under Resources > Compliance > Information Security). In addition, we are planning to make a DORA aligned control report for the year of 2025 available in early 2026.

 

Contacts

Customer Functional Support

Service times 9–18 CET/CEST

+49 69 21110333

client.services@deutsche-boerse.com
 

Market Status

XETR

-

-

Parts of the trading system are currently experiencing technical issues

The trading system is currently experiencing technical issues

Xetra newsboard

The market status window is an indication regarding the current technical availability of the trading system. It indicates whether news board messages regarding current technical issues of the trading system have been published or will be published shortly.

Please find further information about incident handling in the Emergency Playbook published on the Xetra webpage under Technology --> T7 trading architecture --> Emergency procedures. Detailed information about incident communication, market re-opening procedures and best practices for order and trade reconciliation can be found in the chapters 4.2, 4.3 and 4.5, respectively. Concrete information for the respective incident will be published during the incident via newsboard message

We strongly recommend not to take any decisions based on the indications in the market status window but to always check the production news board for comprehensive information on an incident.


Emergency procedures


An instant update of the Market Status requires an enabled up-to date Java™ version within the browser.