On December 18, 2025, the German financial regulator, the Federal Financial Supervisory Authority (BaFin), issued guidance on managing information and communication technology (ICT) risks arising from the use of artificial intelligence (AI) by entities operating in the financial sector.

The Guidance is intended to help financial entities implement the regulatory requirements under the Digital Operational Resilience Act (DORA) and manage their ICT risks effectively when using AI. It is particularly aimed at institutions subject to the Capital Requirements Regulation and insurers supervised under Solvency II.

Particular attention is paid to ICT and third-party ICT risk management when using AI, with the aim of ensuring the security of an AI system at every stage. The guidance takes into account the RTS on ICT risk management (Delegated Regulation (EU) 2024/1774) and the RTS on subcontracting ICT services supporting critical or important functions (Delegated Regulation (EU) 2025/532). 

The guidance is non-binding. It draws, among other things, on discussions with financial entities operating in Germany and does not represent a binding interpretation of DORA by BaFin.