The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) recently commented on the ever-increasing relevance of IT security and IT compliance for financial service providers. In its comments, BaFin referenced new legal requirements as well as new guidance. In the last few days, BaFin has also launched a public consultation on its draft guidance on supervisory requirements for IT infrastructure.

Legal framework

Due to the increased risk and occurrence of cyber-attacks, new statutory IT compliance requirements for operators of “critical infrastructures” have been introduced into German law (the German IT Security Act and the corresponding “Regulation for the determination of critical infrastructures according to the BSI Act”). Both the act and the regulation are supervised by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). If certain conditions are met, operators of such critical infrastructures have to comply with reporting obligations as well as obligations to implement security standards. According to a new draft bill, the scope of these rules will in future also cover financial organizations.

Current view of the BaFin

These new IT compliance requirements for financial service providers were also the main topic of a conference held by BaFin on 16 March 2017. BaFin’s executive director highlighted in particular the relevance of an effective IT security concept and of IT compliance, and considers that “the danger of a cyberattack on German banks is higher than ever before”. Risks do not arise solely from outside attacks and sub-standard IT security infrastructure; they arise even more from the “growing outsourcing of financial services”, as data is nowadays regularly processed by external service providers, in particular cloud service providers.

Hence, the draft guidance on “Supervisory Requirements on IT Infrastructure” (“Bankaufsichtliche Anforderungen an die IT”) is of particular significance. BaFin also emphasized the “Minimum Requirements for Risk Management” (Mindestanforderungen an das Risikomanagement) with regard to IT security. According to the executive director, compliance with these minimum requirements is an ongoing responsibility of the management of financial service providers, and the respective members of management also assume personal liability in this regard.

We will monitor developments on this topic closely and post an update as soon as new information on the IT compliance requirements is published. In the meantime, financial service providers should review and, where necessary, amend their IT infrastructure to ensure compliance.