Comprehensive information on the risk assessment of ICT third-party service providers, a new deadline for the submission of information registers, the lifting of German supervisory requirements for IT – the German Federal Financial Supervisory Authority BaFin is keeping the financial sector on its toes at the start of the year. We have summarized the most important information for you and asked our experts what affected institutions can expect from the latest BaFin updates.
Submit information register by 11 April 2025
To assess how dependent financial entities are on their ICT third-party service providers, the supervisory authorities need an overview of the contractual arrangements with those providers. The information register required by DORA is intended to provide this overview. Financial entities must have created this register by 17 January 2025 and make it available to their competent authority upon request. In a press release on 7 January, BaFin announced that all financial entities in Germany must submit their information register to BaFin by 11 April 2025 at the latest. By 30 April 2025, the national competent authorities are then to forward the collected registers to the European supervisory authorities, which plan to publish a list of critical ICT third-party service providers in the second half of 2025.
“I cannot recommend waiting until 11 April. The regulatory obligation to have a complete information register by the deadline of 17 January 2025 remains unaffected. Furthermore, BaFin speaks of ‘at the latest’. As BaFin must consolidate the registers and transmit them to the European supervisory authorities by 30 April 2025, it is quite possible that registers will already be collected before 11 April.”
Simon Weickart, Managing Security Consultant & Certified PECB DORA Lead Manager
The end for KAIT, VAIT, ZAIT, BAIT – German regulatory requirements for IT are lifted
The application of DORA from 17 January would result in double regulation for many institutions in Germany that are currently subject to BaFin's supervisory requirements for IT. To avoid this, BaFin announced on 10 January that the circulars KAIT (Supervisory Requirements for IT in Asset Management Companies), VAIT (Supervisory Requirements for IT in Insurance Undertakings) and ZAIT (Supervisory Requirements for IT in Payment and E-Money Institutions) will be repealed at the end of 16 January 2025. In the case of the Supervisory Requirements for IT in Financial Institutions, BAIT, the repeal takes place gradually for different groups of institutions, with the last ones leaving BAIT by 31 December 2026. Institutions that are required to operate ICT risk management in accordance with DORA from 17 January 2025 are exempt from BAIT from that date.
Chapter 11 (Management of relationships with payment service users) of BAIT has already been repealed in the currently valid version dated 16 December 2024.
“As announced, BaFin will repeal the xAIT for all institutions that are not regulated under FinMaDig (Act on the Digitalization of the Financial Market) with the application of DORA at the end of 16 January 2025. However, I assume that requirements from the xAIT, which are not directly reflected in DORA but have already been implemented in most companies, will also play a role as important best practices for future regulatory audits.”
Dr. Christian Schwartz, Head of InfoSec in Finance & Certified PECB DORA Senior Lead Manager
Do you have questions about DORA or need support with implementing it? Get in touch. We are happy to assist you.