DORA Enforcement Act (DORA-VG)

All English translation of the authentic German text is unofficial and serves merely information purposes. The official wording in German can be found in the Austrian Federal Law Gazette (Bundesgesetzblatt; BGBl.). All translations have been prepared with great care, but linguistic compromises had to be made. The reader should also bear in mind that some provisions of these laws will remain unclear without certain background knowledge of the Austrian legal and political system. Please note that these laws may be amended in the future and check occasionally for updates. Federal Act implementing Regulation (EU) 2022/2554 on Digital Operational Resilience in the Financial Sector (DORA-VG; DORA-Vollzugsgesetz) DORA Enforcement Act (DORA-VG) Original Version: published in Federal Law Gazette I 112/2024 Note about this translation: this reflects the original version of the Federal Act published in Federal Law Gazette I 112/2024. Date: 17.01.2025

DORA Enforcement Act (DORA-VG) 2 / 11 TABLE OF CONTENTS Article 1. Purpose of this Act Article 2. Competent Authority Article 3. Supplementary regulations on the scope of application Article 4. Supervisory measures and powers Article 5. Cooperation between the FMA and the Oesterreichische Nationalbank Article 6. Advanced tests Article 7. Penal provisions Article 8. Penal provisions with regard to legal persons Article 9. Exercising of supervisory powers to impose administrative sanctions and measures Article 10. Publication of sanctions under administrative law Article 11. Form of communication with the FMA - electronic transmission Article 12. Special procedural provisions Article 13. Costs Article 14. Gender-neutral use of language Article 15. References Article 16. Entry into Force Article 17. Enforcement

DORA Enforcement Act (DORA-VG) 3 / 11 TEXT Purpose of this Act Article 1. This Federal Act implements Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No. 909/2014 and (EU) 2016/1011, OJ L 333, 27.12.2022, p. 1. Competent Authority Article 2. In accordance with Article 46 of Regulation (EU) 2022/2554 the FMA shall be the competent authority for monitoring the compliance with this Federal Act and Regulation (EU) 2022/2554 by the following legal entities:

1. credit institutions pursuant to Article 1 para. 1 of the Austrian Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette no. 532/1993, provided that the European Central Bank is not competent for such monitoring pursuant to Article 46 point a of Regulation (EU) 2022/2554;
2. payment institutions pursuant to Article 4 no. 4 lit. a of the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018) published in Federal Law Gazette I no. 17/2018 and account information service providers pursuant to Article 4 no. 19 ZaDiG 2018 respectively established in Austria;
3. e-money institutions pursuant to Article 3 para. 2 of the E-Money Act 2010 (E-Geldgesetz 2010), published in Federal Law Gazette I no. 107/2010;
4. investment firms pursuant to Article 1 no. 1 of the Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018) published in Federal Law Gazette I no. 107/2017, established in Austria, which hold a licence pursuant to Article 3 WAG 2018;
5. crypto-asset service providers pursuant to Article 3(1) point 15 of Regulation (EU) 2023/1114 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937, OJ L 150, 9.6.2023 p. 40, most recently corrected in OJ L 2024/90275, 2.5.2024, and issuers of asset-referenced tokens pursuant to Article 3(1) point 6 of Regulation (EU) 2023/1114;
6. central securities depositories pursuant to Article 2(1)(1) of Regulation (EU) No 909/2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012, OJ L 257, 28.08.2014, p. 1, most recently amended by Regulation (EU) 2023/2845, OJ L 2023/2845, 27.12.2023, that are established in Austria pursuant to Article 10 of Regulation (EU) No. 909/2014;
7. central counterparties pursuant to Article 2 no. 1 of Regulation (EU) No 648/2012 on OTC derivatives, central counterparties and trade repositories, OJ L 201, 27.07.2012, p. 1, most recently amended by Commission Delegated Regulation (EU) 2022/2554, OJ L 333,

DORA Enforcement Act (DORA-VG) 4 / 11 27.12.2022, p. 1 that are established in Austria pursuant to Article 14 of Regulation (EU) No. 648/2012; 8. trading venues pursuant to Article 1 no. 26 of the Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018) published in Federal Law Gazette I no. 107/2017 operated by an investment firm based on a licence pursuant to Article 3 para. 2 nos. 4 and 5 WAG 2018 or by a market operator based on a licence pursuant to Article 3 of the Stock Exchange Act 2018 (BörseG 2018; Börsegesetz 2018), published in Federal Law Gazette I no. 107/2017; 9. data reporting service providers pursuant to Article 2(1) point 36a of Regulation (EU) No 600/2014 on markets in financial instruments and amending Regulation (EU) No 648/2012, OJ L 173, 12.06.2014, p. 84, most recently amended by Regulation (EU) 2024/791, OJ L 2024/791, 08.03.2024, for which the FMA is the competent authority pursuant to Article 27a in conjunction with Article 2(3) of Regulation (EU) No 600/2014; 10. AIFMs pursuant to Article 2 para. 1 no. 2 of the Alternative Investment Fund Managers Act (AIFMG; Alternative Investmentfonds Manager-Gesetz) published in Federal Law Gazette I no. 135/2013, established in Austria that hold a licence pursuant to Article 4 para. 1 AIFMG; 11. management companies pursuant to Article 3 para. 2 no. 1 of the Investment Fund Act 2011 (InvFG 2011; Investmentfondsgesetz 2011), published in Federal Law Gazette I no. 77/2011 that hold a licence pursuant to Article 5 para. 1 InvFG 2011; 12. undertakings pursuant to Article 1 para. 1 no. 1 of the Insurance Supervision Act 2016 (VAG 2016; Versicherungsaufsichtsgesetz 2016), published in Federal Law Gazette I No. 34/2015; 13. pension companies (Pensionskassen) pursuant to Article 1 para. 1 of the Pensionskassen Act (PKG; Pensionskassengesetz), published in Federal Law Gazette No. 281/1990, that hold a licence pursuant to Article 8 para. 1 PKG; 14. administrators of critical benchmarks pursuant to point 6 of Article 3(1) and point b of Article 20(1) of Regulation (EU) 2016/1011 on indices used as benchmarks in financial instruments and financial contracts or to measure the performance of investment funds and amending Directives 2008/48/EC and 2014/17/EU and Regulation (EU) No 596/2014, OJ L171, 29.06.2016, p. 1, most recently amended by Regulation (EU) 2023/2869, OJ L 2023/2869, 20.12.2023, for which the FMA is the competent authority pursuant to Article 40(2) of Regulation (EU) 2016/1011; 15. crowdfunding service providers pursuant to point e of Article 2 (1) Regulation (EU) 2020/1503 on European crowdfunding service providers for business and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937, OJ L 347, 20.10.2020, p. 1. Supplementary regulations on the scope of application Article 3. (1) The rules contained in this Federal Act, Regulation (EU) 2022/2554, as well as delegated and implementing acts issued based on that Regulation shall apply to credit institutions pursuant

DORA Enforcement Act (DORA-VG) 5 / 11 to Article 1 para. 1 BWG that are not any of the legal entities listed in points a to t of Article 2(1) of Regulation (EU) 2022/2554, as if they were credit institutions pursuant to Article 2(1) point a of Regulation (EU) 2022/2554. (2) Regulation (EU) 2022/2554 and this Federal Act shall not apply to enterprises recognised as non￾profit housing associations where they conduct transactions listed in Article 1 para. 1 BWG that are part of their core transactions. Supervisory measures and powers Article 4. (1) Irrespective of Article 46 and Article 50 (2) of Regulation (EU) 2022/2554, the FMA shall be afforded the supervisory powers and means pursuant to Article 46 of Regulation (EU) 2022/2554 in the same way and scope as set out in the relevant supervisory laws, that it may also make use of in the enforcement of other obligations in accordance with these supervisory laws. The FMA may also allow inspections or investigations to be undertaken by suitable experts. (2) In the event of breaches against Regulation (EU) 2022/2554 or this Federal Act, the FMA shall be authorised within its scope of competence pursuant to Article 46 of Regulation (EU) 2022/2554:

1. to issue an instruction requiring the natural or legal person to temporarily or permanently desist from the conduct that causes the breach and to desist from a repetition of such conduct;
2. to request information about data relating to communications pursuant to Article 134 no. 2 of the Code on Criminal Procedure 1975 (StPO; Strafprozessordnung 1975) published in Federal Law Gazette no. 631/1975 and to inspect filed results of such investigative activities and to receive copies of them, where a justified suspicion exists of a breach against the provisions in Regulation (EU) 2022/2554 and this Federal Act and where such records could be relevant for an investigation in connection with these breaches; the procedural provisions pursuant to Article 153 paras. 4 to 6, and 8 of the Stock Exchange Act 2018 (BörseG 2018; Börsegesetz 2018) shall apply to the information about data relating to communications and the monitoring of communications, although the Federal Administrative Court (Bundesverwaltungsgericht) shall apply instead of Vienna Regional Criminal Court (Landesgericht für Strafsachen Wien), and a reference to Article 7 or Article 8 of this Federal Act instead of the references to Article 154, Article 155 para. 1 no. 2, and Articles 163 and 164 BörseG 2018;
3. to issue public announcements, including ones that state the identity of the natural or legal person and the type of breach. Article 9 of the Federal Act and Article 54 of Regulation (EU) 2022/2554 shall apply accordingly. (3) The FMA may cooperate with the competent authorities of other Member States, with the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA) and the European Central Bank (ECB), where this is necessary for the performance of the duties defined in the Federal Act and in Regulation (EU) 2022/2554 and provided that the information submitted to these authorities is subject to a comparable degree of professional secrecy as set out in Article 14 of the Financial Market

DORA Enforcement Act (DORA-VG) 6 / 11 Authority Act (FMABG; Finanzmarktaufsichtsbehördengesetz), published in Federal Law Gazette I no. 97/2001. The FMA may, for the purpose of cooperation, use its powers even if the conduct which forms the subject matter of the investigation does not constitute a violation of a legal provisions applicable in Austria. (4) The FMA may cooperate with third country authorities that are performing a duty that corresponds to those of a competent authority pursuant to Article 46 of Regulation (EU) 2022/2554. Such cooperation including the exchanging of all information shall be permissible, provided it relates to the obligations and duties of a competent authority under this Federal Act or Regulation (EU) 2022/2554 or the corresponding duties of a third country authority. Transmission shall only be permissible provided that the transmitted data are subject to comparable degree of professional secrecy at those authorities as set out in Article 14 FMABG. The FMA may exclusively make use of its powers for the purposes of the cooperation in accordance with this paragraph; that shall also apply, in the case that the cooperation occurs based on an investigative procedure in a third country in relation to behaviour that does not constitute a breach of a regulation applicable in Austria. Cooperation between the FMA and the Oesterreichische Nationalbank Article 5. (1) In the case of legal entities pursuant to Article 2 nos. 1, 2, 3, 6 and 7, the FMA and the Oesterreichische Nationalbank shall cooperate closely to effectively fulfil their respective duties in accordance with the Federal Act and the respective sectoral Federal Acts. The provisions contained in the respective sectoral Federal Acts on the duties of the Oesterreichische Nationalbank and its cooperation with the FMA shall apply subject to the proviso that the duties of the Oesterreichische Nationalbank defined therein apply for the supervision purposes of this Federal Act and Regulation (EU) 2022/2554 for the area of prudential supervision in this Federal Act as well as Regulation (EU) 2022/2554. (2) The FMA is the competent authority regarding the Oversight Framework for critical ICT third-party service providers, whose high-level representative pursuant to Article 32 (5) of Regulation (EU) 2022/2554 is a member of the Oversight Forum. (3) A claim for damages as stipulated in provisions of federal law arising from actions taken by the FMA, its employees or its bodies, as well as actions by the Oesterreichische Nationalbank, its employees or its bodies, who are active within the scope of this Federal Act or Regulation (EU) 2022/2554, shall be excluded in the following instances:

1. in the case of actions taken within the scope of the joint examination team pursuant to Article 40 (1) of Regulation (EU) 2022/2554 and
2. in cooperation, the exchange of information or other assistance towards the lead supervisory authority pursuant to Article 3 point 61 of Regulation (EU) 2022/2554.

DORA Enforcement Act (DORA-VG) 7 / 11 Advanced tests Article 6. (1) Prior to issuing a certificate pursuant to Article 26 (7) of Regulation (EU) 2022/2554 the FMA shall obtain an expert opinion from the Oesterreichische Nationalbank. In so doing, the Oesterreichische Nationalbank shall assess whether an advanced test was conducted in line with the requirements set out in Articles 26 and 27 of Regulation (EU) 2022/2554. The request for an expert opinion shall be restricted to individual aspects of Articles 26 and 27 of Regulation (EU) 2022/2554 provided this is appropriate in light of the Oesterreichische Nationalbank's scope of involvement in the prudential supervision of the financial undertaking being tested. (2) The Oesterreichische Nationalbank shall submit such expert opinions pursuant to para. 1 on its own responsibility and on its own behalf. To the greatest possible extent, the FMA shall use the opinions of the Oesterreichische Nationalbank as a basis, and may rely on their accuracy and completeness, unless the FMA has reason to doubt their accuracy or completeness. The Oesterreichische Nationalbank shall transmit the opinions of the affected legal entity pursuant to Article 2 (1) points a to t of Regulation (EU) 2022/2554 to the FMA without delay. (3) In the case of expert opinions pursuant to para. 1 in relation to legal entities pursuant to Article 2 nos. 4, 5, and 8 to 15 of this Federal Act that are required to conduct advanced tests pursuant to Article 26 (1) of Regulation (EU) 2022/2554, the Oesterreichische Nationalbank shall:

1. draw up a statement of costs arising in the respective financial year from duties and activities in connection with expert opinions pursuant to para. 1 along with a breakdown by the individual categories of legal entities pursuant to Article 2 nos. 4, 5, and 8 to 15 to be audited by the auditor pursuant to Article 37 of the National Bank Act 1984 (NBG; Nationalbankgesetz 1984), published in Federal Law Gazette no. 50/1984;
2. submit the audited statement to the Federal Minister of Finance and the FMA by 30 April of the respective following financial year;
3. publish the audited statement following submission pursuant to no. 2 on its website;
4. submit the estimated costs from duties and activities in connection with expert opinions pursuant to para. 1 along with a breakdown by the individual categories of legal entities pursuant to Article 2 nos. 4, 5, and 8 to 15, as well as the estimated annual average number of employees occupied with expert opinions pursuant to para. 1 for the following year to the Federal Minister of Finance and the FMA by 30 September each year, based on the test plan for the following year that is submitted by the FMA in a timely manner; and
5. inform the Federal Minister of Finance and the FMA once a year about the annual average number of employees occupied with expert opinions pursuant to para. 1; such information may also be provided by means of a publication.

DORA Enforcement Act (DORA-VG) 8 / 11 Penal provisions Article 7. Any person who, as the person responsible (Article 9 of the Administrative Penal Act (VStG; Verwaltungsstrafgesetz 1991) published in Federal Law Gazette No. 52/1991) of legal entity pursuant to points a to t of Article 2 (1) of Regulation (EU) 2022/2554

1. fails to fulfil the ICT risk management requirements pursuant to Articles 5 to 14 with the exception of Article 11 (11) of Regulation (EU) 2022/2554;
2. fails to fulfil the simplified ICT risk management requirements pursuant to Article 16 (1) and (2) of Regulation (EU) 2022/2554;
3. fails to address or classify report ICT-related incidents and cyber threats pursuant to Article 17 and Article 18(1) and (2) of Regulation (EU) 2022/2554 or fails to report them pursuant to the first, fourth and fifth subparagraphs of Article 19(1) as well as Article 19(3) to (5) of Regulation (EU) 2022/2554;
4. does not conduct digital operational resilience testing pursuant to Articles 24 and 25 of Regulation (EU) 2022/2554;
5. fails to conduct advanced tests pursuant to Article 26 (1) to (6) and the first subparagraph of (8) as well as Article 27 of Regulation (EU) 2022/2554 for an undertaking identified pursuant to the third subparagraph of Article 26 (8);
6. fails to manage ICT third-party risk pursuant to Article 28 (1) to (8) and Article 29 of Regulation (EU) 2022/2554 or fails to take contractual arrangements on the use of ICT services pursuant to Article 30 (1) to (4) of Regulation (EU) 2022/2554;
7. makes use of the services of an ICT third-party service provider established in a third country, that does not meet the requirements set out in Article 31 (12) of Regulation (EU) 2022/2554;
8. fails to temporarily suspend the usage or deployment of a corresponding service in contravention of an order by the FMA pursuant to the first sentence of Article 42(6) of Regulation (EU) 2022/2554, or fails to terminate a corresponding contractual agreement in contravention of an order by the FMA pursuant to the second sentence of Article 42(6) of Regulation (EU) 2022/2554;
9. breaches the obligations pursuant to Article 45 of Regulation (EU) 2022/2554 when exchanging information pursuant to Article 45 (1) of Regulation (EU) 2022/2554, commits an administrative offence and shall be fined up to EUR 150 000 by the FMA. Penal provisions with regard to legal persons Article 8. (1) The FMA may impose fines against legal persons, if natural persons who acted individually or as part of a body of a legal person and who have a managerial role within the legal person based on:
10. a power of representation of the legal person,
11. an authority to take decisions on behalf of the legal person, or
12. an authority to exercise control within the legal person

DORA Enforcement Act (DORA-VG) 9 / 11 have breached the provisions listed in Article 7. (2) Legal persons may also be held responsible for breaches of the provisions listed in Article 7, if such breaches by a natural person acting for the legal person were made possible by a lack of supervision or control by one of the persons referred to in para. 1. (3) The fine pursuant to para. 1 or para. 2 shall be:

1. up to EUR 500 000, or
2. up to 1 % of total annual net turnover pursuant to para. 4 depending on which amount is higher. (4) The total annual net turnover pursuant to para. 3 no. 2 shall be determined based on the most recently adopted annual financial statement. If the obliged entity is a credit institution pursuant to Article 1 para. 1 BWG, an electronic money institution pursuant to Article 3 para. 2 of the E￾Geldgesetz 2010, a payment institution pursuant to Article 4 no. 4 lit. a ZaDiG 2018, an AIFM pursuant to Article 2 para. 1 no. 2 AIFMG, a management company pursuant to Article 3 para. 2 no. 1 InvFG 2011 or an institution pursuant to Article 1 para. 1 WAG 2018, the total annual turnover is the total of revenues listed in nos. 1 to 7 of Annex 2 to Article 43 BWG less the expenditures listed therein. If the obliged entity is a credit institution pursuant to Article 1 para. 1 no. 21 BWG, total annual turnover is the total of the revenue from management costs pursuant to Article 26 of the Act on Severance and Retirement Funds for Salaried Employees and Self-Employed Persons (BMSVG; Betriebliches Mitarbeiter- und Selbständigenvorsorgegesetz) published in Federal Law Gazette I no. 100/2002. If the obliged entity is a Pensionskasse pursuant to Article 1 para. 1 PKG, then the total annual turnover shall be the remuneration to cover operating expenses pursuant to item II.1 of Form B of Annex 1 to Article I Article 30 PKG taking into consideration the change of the provision for administrative expenses in accordance with the business plan pursuant to item II.3 of Form B of Annex 1 to Article I, Article 30 PKG. If the obliged entity is an insurance undertaking pursuant to Article 1 no. 1 VAG 2016, then the total annual turnover shall be the total of the income items listed in Article 146 para. 4 nos. 1 to 8 and 10 to 11 VAG 2016 less the expenditures listed therein. Where the legal person is a parent undertaking or subsidiary of a parent undertaking, which is required to draw up a consolidated financial statement in accordance with Directive 2013/34/EU on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and repealing Directives 78/660/EEC and 83/349/EEC, OJ L 182, 29.06.2013, p. 19, last amended by Directive (EU) 2024/1306, OJ L 2024/1306, 08.05.2024, then the authoritative total annual net turnover is the total annual net turnover of the relevant type of income according to the relevant accounting provisions, that was stated in the last available consolidated accounts adopted by the competent management body of the ultimate parent undertaking. Where the FMA is unable to determine or calculate the bases for the total annual net turnover, then it shall estimate them. In so doing, all relevant circumstances that are relevant for the estimate shall be taken into account.

DORA Enforcement Act (DORA-VG) 10 / 11 Exercising of supervisory powers to impose administrative sanctions and measures Article 9. When determining the type and amount of administrative penalties as well as other measures under administrative procedural law for breaches of Regulation (EU) 2022/2554 or this Federal Act, the FMA shall take into account accordingly to what extend the breach occurred deliberately or was the result of negligence, as well as all other relevant circumstances, including as appropriate:

1. the significance, severity and duration of the breach;
2. the degree of responsibility of the natural or legal person responsible for the breach;
3. the financial strength of the natural or legal person responsible for the breach;
4. the amount of gains achieved or losses avoided by the natural or legal person responsible, insofar as they can be determined;
5. the losses arising for third parties from the breach, insofar as they can be determined;
6. the willingness of the responsible natural or legal person to cooperate with the FMA, irrespective of the requirement, to collect the gains achieved or losses avoided from this natural or legal person;
7. previous breaches by the natural or legal person responsible. Publication of sanctions under administrative law Article 10. The party affected by the publication pursuant to Article 54 of Regulation (EU) 2022/2554 may file a request to the FMA to review the lawfulness of such a publication in a procedure concluded by means of an administrative decision. In this case, the FMA shall announce the initiation of such proceedings in the same manner. If, during this review, it is found that the publication was unlawful, the FMA shall correct the publication or, at the request of the person subject to this publication, either revoke it or remove it from its website. If suspensory effect is granted to an appeal against an administrative decision that was announced pursuant to Article 54 of Regulation (EU) 2022/2554, the FMA shall announce this in the same way. The publication shall be corrected, or, upon request of the concerned party, either revoked or removed from the website if the administrative decision is repealed. Form of communication with the FMA - electronic transmission Article 11. The FMA may prescribe by way of a Regulation that the notifications and submissions pursuant to Article 11 (9) and (10), Article 19 (4), Article 26(6), Article 28(3) and Article 45(3) of Regulation (EU) 2022/2554 shall be made exclusively in electronic form, and shall also be required to correspond to specific formats, technical minimum requirements and modes of submission. In so doing, and taking into consideration European practices in this area, the FMA shall observe the principles of economy and expediency, ensuring the data's electronic availability to the FMA at all times, and that supervisory interests are not compromised. The FMA shall take appropriate arrangements to allow individuals subject to reporting requirements or, where applicable,

DORA Enforcement Act (DORA-VG) 11 / 11 individuals they have charged with submitting the reports on their behalf, to verify over an appropriate period of time whether the reporting data submitted by them or by the person charged with submitting the reports is correct and complete. Special procedural provisions Article 12. Fines imposed by the FMA pursuant to this Federal Act shall flow to the Federal Government. Costs Article 13. The FMA’s costs from its activity as the competent authority pursuant to Article 46 of Regulation (EU) 2022/2554 are to be allocated

1. to the appropriate accounting group pursuant to Article 19 FMABG, or
2. where sub-accounting groups are to be established within the accounting group in accordance with the Federal Act, to the appropriate sub-accounting group to which the costs for the performance of supervisory activities according to the legal acts under European Union law and the corresponding national accompanying measures listed in Article 46 of Regulation (EU) 2022/2554 are to be allocated. Gender-neutral use of language Article 14. Where expressions in this Federal Act relating to persons are given only in the masculine form, they shall refer equally to all genders. The applicable gender-specific form is to be used when applied to specific persons. References Article 15. Where reference is made in this Federal Act to other Federal Acts, then such references shall apply to the version currently in force. Entry into Force Article 16. (1) With the exception of the provisions listed in para. 2, this Federal Act shall enter into force on 17 January 2025. (2) Article 6 para. 3 no. 4 shall enter into force on 30 September 2024. Article 6 para. 3 no. 5 shall enter into force on 1 January 2026. Enforcement Article 17. The Federal Minister of Finance shall be responsible for enforcing this Federal Act.