BaFin's "Guidance on ICT Risks in the Use of Artificial Intelligence at Financial Entities," published December 18, 2025, provides non-mandatory advice to help financial entities manage ICT risks from AI under DORA across the AI lifecycle. It matters because it integrates AI explicitly into existing ICT risk frameworks, emphasizing security, resilience, and third-party risks for supervised institutions, aligning with RTS on ICT risk management (EU 2024/1774) and subcontracting (EU 2025/532). This clarifies supervisory expectations amid growing AI adoption in finance, reducing ambiguity in DORA compliance.
What Changed
The guidance does not introduce new binding rules but clarifies AI as ICT systems requiring DORA-compliant treatment, including:
AI strategy: Management-approved, aligned with overall strategy, defining responsibilities, competencies, and interdisciplinary collaboration for critical functions.
ICT risk management integration: Cover identification, protection, detection, response, recovery, training; apply to AI lifecycle (data acquisition, development, operation, retirement).
Development and testing: Robust standards, documentation, testing proportionate to criticality; special focus on...
What You Need To Do
- Develop and approve AI strategy integrated with ICT roadmap and governance
- Embed AI in existing ICT risk framework, ensuring lifecycle coverage with safeguards (e
- Conduct third-party due diligence and contractual reviews for AI/cloud providers, including exit/portability testing
- Implement AI-specific testing, documentation, and incident processes proportionate to criticality
- Ensure management accountability for oversight, training, and interdisciplinary controls
Key Dates
18 December 2025 - Guidance issuance date.
01 February 2024 - Related BaFin/Bundesbank supervisory notice on cloud outsourcing (contextual reference).
2026 " possibly indicating update/display date, but issuance confirmed Dec 2025).
Compliance Impact
Urgency: High โ DORA is live (effective Jan 17, 2025), and AI use is widespread; this guidance operationalizes ICT requirements for AI, exposing non-compliant firms to supervisory scrutiny, fines, or remediation orders under CRR/Solvency II. It heightens focus on third-party/cloud risks amid EU AI Act rollout, demanding immediate gap assessments to avoid operational resilience failures.