BaFin Compliance:
BAIT, MaRisk and DORA

BAIT stands for "Bankaufsichtliche Anforderungen an die IT" (Supervisory Requirements for IT in Financial Institutions) and is the BaFin IT security circular for credit institutions under the German Banking Act (KWG). BAIT remains valid - but with a considerably reduced scope since the Digital Operational Resilience Act (DORA, EU 2022/2554) entered into force on 17 January 2025. DORA has fully repealed the VAIT (insurance companies), KAIT (capital management companies) and ZAIT (payment service providers) circulars. BAIT still applies to institutions primarily subject to the KWG that are not fully covered by DORA. Companies should assess whether they fall under DORA - in that case DORA is the governing framework, supplemented by BAIT where still applicable.

MaRisk (Minimum Requirements for Risk Management) is the comprehensive BaFin circular on risk management for credit institutions. It addresses all material risk types - including operational risks, of which IT risks and cyber risks form a part. MaRisk requires an integrated risk management system that systematically identifies, assesses, controls and monitors IT risks as part of operational risks. AT 7.2 MaRisk contains specific requirements on technical and organisational equipment - including: appropriate IT systems, data backups, contingency plans and access rights management. With DORA, IT-specific requirements are increasingly anchored there, while MaRisk continues as the general risk management framework.

The relevant BaFin circulars for IT security are: BAIT (RS 10/2017): Supervisory Requirements for IT in Banks - for credit institutions under the KWG; contains requirements on IT strategy, IT governance, information risk management, information security management, operations and contingency management. MaRisk (RS 05/2017): Minimum Requirements for Risk Management; AT 7.2 addresses technical and organisational equipment. EBA SREP Guidelines: European requirements beyond MaRisk. DORA (from 17 Jan 2025): For institutions in scope, DORA is the primary framework and has replaced VAIT, KAIT and ZAIT. The requirements of BAIT and DORA overlap substantially; for DORA-obligated institutions, DORA takes precedence.

When the Digital Operational Resilience Act (DORA, EU 2022/2554) entered into force on 17 January 2025, BaFin fully repealed VAIT (supervisory requirements for IT in insurance companies), KAIT (requirements for capital management companies) and ZAIT (IT supervisory requirements for payment service providers). BAIT remains in force but loses relevance for many institutions because DORA, as an EU regulation (directly applicable, without national implementing act), takes precedence. DORA applies to: credit institutions, investment firms, payment institutions, e-money institutions, insurance companies, asset managers, rating agencies, trading venues, trade repositories and ICT third-party service providers. Core obligations under DORA: ICT risk management, reporting of major ICT incidents (within 4h/24h/72h), DORA penetration tests (TLPT), management of ICT third-party risks and information sharing.

In a special audit under §44 of the German Banking Act (KWG), BaFin can examine all aspects of a credit institution's business organisation and risk management - including IT security and operational stability. Typical IT audit focus areas are: IT governance and responsibilities (who is responsible for IT security?), information risk management (BAIT Chapter 2: recording and assessment of IT risks), information security management (ISMS, security policies, penetration tests), outsourcing management (§25b KWG, BAIT Chapter 9: oversight of outsourced IT service providers), contingency and business continuity management, access rights management (role-based access control, privileged access management), and incident management (detection and escalation processes). Frequent BaFin findings: inadequate documentation, missing or outdated penetration test reports, poor outsourcing controls without regular supplier audits, no BCP tests, incomplete access rights reviews and missing escalation paths for security incidents.

Structured preparation for BaFin IT audits covers several areas: Documentation check: all IT security policies, the information risk register, penetration test reports and outsourcing contracts must be complete and current. BAIT gap analysis: comparison of all BAIT requirements against the current implementation status - ideally by an external reviewer with BaFin experience. Penetration tests and vulnerability scans: regular tests document the "regular review of IT systems" (BAIT AT 7.3). DORA readiness: assessing whether the institution falls under DORA and which DORA requirements (TLPT, ICT third-party management, reporting obligations) need to be implemented. Mock audit: internal mock audits simulate the audit process and uncover remaining gaps. AWARE7 supports with structured BAIT/DORA gap analyses and penetration tests.

The distinction between BAIT and DORA depends on the institution's regulated status. DORA applies to a very broad range of financial institutions - credit institutions, investment firms, payment institutions, insurance companies and many more. For all institutions falling under DORA, DORA as an EU regulation takes precedence. BAIT continues as a BaFin circular but loses practical relevance for DORA-obligated credit institutions, as DORA governs the relevant IT requirements more directly and comprehensively. For smaller institutions that may use DORA proportionality provisions, BAIT remains relevant as a reference framework. Recommendation: have an expert assess whether and to what extent DORA applies to your institution - and which additional BAIT requirements exist.

AWARE7 supports financial institutions with specialised cybersecurity services for BaFin compliance: BAIT gap analysis: structured comparison of all BAIT requirements against the current implementation status, including action plan. DORA readiness assessment: analysis of DORA scope, gap analysis on ICT risk management, incident reporting and ICT third-party management. Penetration tests (web, network, cloud) to fulfil BAIT AT 7.3 requirements and DORA TLPT preparation. ISO 27001 ISMS implementation as a structured foundation that systematically addresses BAIT and DORA requirements. Vulnerability management and continuous monitoring. Preparation for BaFin audits through internal mock audits and documentation reviews.