
Artificial intelligence: BaFin publishes guidance on ICT risks

AI Analysis

Executive Summary

BaFin's "Guidance on ICT Risks in the Use of Artificial Intelligence at Financial Entities," published December 18, 2025, provides non-mandatory advice to help financial entities manage ICT risks from AI under DORA across the AI lifecycle. It matters because it integrates AI explicitly into existing ICT risk frameworks, emphasizing security, resilience, and third-party risks for supervised institutions, and aligns with the RTS on ICT risk management (EU 2024/1774) and on subcontracting (EU 2025/532). This clarifies supervisory expectations amid growing AI adoption in finance, reducing ambiguity in DORA compliance.

What Changed

The guidance does not introduce new binding rules but clarifies that AI systems are ICT systems requiring DORA-compliant treatment, including:

  • AI strategy: Management-approved, aligned with overall strategy, defining responsibilities, competencies, and interdisciplinary collaboration for critical functions.
  • ICT risk management integration: Cover identification, protection, detection, response, recovery, and training; apply to the AI lifecycle (data acquisition, development, operation, retirement).
  • Development and testing: Robust standards, documentation, and testing proportionate to criticality; special focus on generative AI/LLMs, open-source, and code generation risks.
  • Operational processes: Asset classification, monitoring, access controls, logging, anomaly detection, business continuity, secure decommis

What You Need To Do

  • Develop and approve AI strategy integrated with ICT roadmap and governance
  • Embed AI in existing ICT risk framework, ensuring lifecycle coverage with safeguards (e
  • Conduct third-party due diligence and contractual reviews for AI/cloud providers, including exit/portability testing
  • Implement AI-specific testing, documentation, and incident processes proportionate to criticality
  • Ensure management accountability for oversight, training, and interdisciplinary controls

Key Dates

18 December 2025 - Guidance issuance date.
01 February 2024 - Related BaFin/Bundesbank supervisory notice on cloud outsourcing (contextual reference).
2026 - (possibly indicating update/display date, but issuance confirmed Dec 2025).

Compliance Impact

Urgency: High. DORA is live (effective Jan 17, 2025), and AI use is widespread; this guidance operationalizes DORA's ICT requirements for AI, exposing non-compliant firms to supervisory scrutiny, fines, or remediation orders under CRR/Solvency II. It heightens focus on third-party/cloud risks amid the EU AI Act rollout, demanding immediate gap assessments to avoid operational resilience failures.

Who is Affected

In-scope financial entities using AI, including banks, investment firms, and insurers relying on AI across their value chains or through third-party providers.

Summary

The Federal Financial Supervisory Authority (BaFin) has issued its "Guidance on ICT Risks in the Use of Artificial Intelligence at Financial Entities". The guidance will help entities manage ICT risks in accordance with the requirements under DORA.

Relevant Firm Types

Bank, Insurance, All Firms