DORA, BaFin, BAIT, ZAIT — demonstrable ICT risk management.

TL;DR. Banks, insurers, ICT service providers. We know this regulatory landscape: DORA has been fully in force since January 2025 and BaFin supervisory audits have hardened. AI-native operations with a demonstrable ICT risk trail.
DORA-compliant · BaFin supervision · Multi-model LLM gateway

What this sector typically struggles with

DORA (Digital Operational Resilience Act) has been fully in force since January 2025. The deadline for significant institutions has already passed — Art. 5 (ICT risk management framework), Art. 8 (threat-led penetration testing), Art. 17 (ICT incident reporting to the supervisor within hours). BaFin audits rigorously and checks not just policy on paper but operationalization: show us your ICT risk register, your incident response logs, your third-party risk assessments.

In parallel, BaFin MaRisk AT 7.2 demands a standards-based IT risk management system; BAIT and ZAIT specify this for banks and insurers. Third-party risk is a nightmare: DORA Art. 28 demands subprocessor lists, risk scoring and continuous monitoring, and most institutions have gaps there. And now the EU AI Act arrives: high-risk applications (Art. 6) are regulated — in finance that means, for example, credit scoring models or fraud detection. Transparency requirements are tightening.

The cyber threat landscape for finance is as harsh as for KRITIS operators: institutions face ransomware attacks daily. But unlike for manufacturers, the reputational impact is immediate — media, customers and regulators ask questions the same day. BaFin incident reporting must happen within hours, not days.

How we typically help

We build ICT risk management with an audited trail. Concretely: the LLM gateway logs not just requests but also model choice and output reasoning — DORA-ready. Business agents automate ICT incident reporting: a detected incident immediately triggers a structured report form, routes it to compliance, and can reach BaFin within 2 hours.

The knowledge base stores DORA requirements, BaFin MaRisk AT 7.2 specifications and third-party risk scoring models. Threat-led penetration testing (TLPT) is a service we orchestrate with certified red-team partners — we deliver the blue component (defender team, detection, incident response). A subprocessor register with live risk scoring enables DORA Art. 28 compliance without manual overhead.

EU cloud or on-prem — both are common. The regulatory requirements are identical either way: complete audit trail, GDPR compliance, subprocessor transparency.

Where it usually pays to start

Banks and insurers should start with ICT risk and third-party risk — those are audit priorities.

  • DORA ICT risk framework build: Create risk register, define risk appetite, establish key metrics (KRIs).
  • BaFin MaRisk AT 7.2 evidence pack: Demonstrate IT risk governance, document policies, processes, governance structure.
  • ICT incident reporting automation: Detection → prioritization → escalation → BaFin reporting in standard form, all time-controlled.
  • TLPT preparation: Build threat model for critical systems, define red-team scenarios, check blue-team readiness.
  • Subprocessor register with risk scoring: List all third parties (cloud, SaaS, outsourcing), risk scores per DORA Art. 28, monitoring plan.
  • AI governance framework (AI Act preparation): identify high-risk models, capture transparency requirements, build an audit trail.

Concrete offerings

What you can hand off

  • DORA ICT risk framework build

    Establish risk register, risk appetite, KRIs (key risk indicators), build reporting dashboard.

  • BaFin MaRisk AT 7.2 evidence pack

    Document policies, processes, governance structure, audit logs and prepare for supervisory examination.

  • ICT incident reporting automation

    Detection → prioritization → BaFin reporting in 2–4 hours, with full documentation and compliance audit trail.

  • TLPT preparation and execution

    Build threat models, orchestrate red teams, deliver blue component (evaluation, remediation), improve audit readiness.

  • Subprocessor register with risk scoring

    Build third-party list, perform DORA Art. 28 scoring, automate continuous monitoring.

  • AI governance framework (AI Act preparation)

    Identify high-risk systems, capture transparency requirements, build audit trails for supervision.

Regulatory framework

Obligations we address

Financial services and insurance carry the densest regulatory layer in DACH in 2026: DORA, fully in force since January 2025; BaFin MaRisk with sector-specific provisions; GDPR as the foundation; anti-money laundering and anti-fraud obligations; plus the EU AI Act for high-risk AI.

  • DORA Art. 5
    EU 2022/2554 DORA · Art. 5 ICT risk management framework

    Requires documented ICT risk management with risk tolerance, a risk register and a mitigation plan; BaFin checks this under ICT supervision. We build the ICT risk framework, operate the live risk register in Nova9 and deliver quarterly reports in a supervisory-compliant format.

  • DORA Art. 7
    DORA · Art. 7 ICT systems and security standards

    Prescribes security standards for each critical ICT system — access controls, encryption, logging, vulnerability management. We build the technical compliance layer on Nova9 and document each critical system with asset inventory and risk scoring.

  • DORA Art. 8
    DORA · Art. 8 TLPT (threat-led penetration testing)

    Significant institutions must conduct TLPT every three years — with an approved red-team partner under the TIBER-EU methodology. We bring the blue component (defender team, detection, incident response), prepare the test and deliver supervisory reports in TIBER format.

  • DORA Art. 17
    DORA · Art. 17 ICT incident reporting

    Significant ICT incidents must be reported to BaFin within 4 hours (initial notification), 24 hours (detailed report) and 1 month (final report) — a stricter timeline than NIS2. We deliver an automated workflow from detection trigger to BaFin submission with executive sign-off.

  • DORA Art. 28
    DORA · Art. 28 ICT third-party risk

    A subprocessor register with risk scoring, substitutability analysis and ICT concentration risk assessment is mandatory. We deliver the DORA subprocessor register, maintain it continuously and integrate contract templates for DORA-compliant subprocessor agreements.

  • BaFin MaRisk
    BaFin MaRisk · AT 7.2 IT risk governance

    Specifies ICT risk management for German banks — governance structures, reporting lines, maturity assessment. We map our DORA implementation to MaRisk AT 7.2 and deliver a parallel compliance stack for national BaFin supervision.

  • BAIT
    BAIT · banking supervisory IT requirements

    Operational specification of MaRisk AT 7.2 for banks — IT strategy, IT governance, information security management, identity/access management, disaster management. We deliver a BAIT-compliant implementation stack and audit evidence pack.

  • ZAIT
    ZAIT · insurance supervisory IT requirements

    BaFin counterpart to BAIT for insurers — operational specification of MaRisk and VAIT predecessors. We deliver a ZAIT-compliant implementation stack with insurance-specific risk profiles (solvency, underwriting IT, portfolio data systems).

  • GwG
    Money Laundering Act · §6, §10 due diligence and monitoring

    Credit institutions and insurers must systematically monitor money laundering and terrorist financing risks — detection logic, sanctions screening, suspicious activity workflow. We build the technical detection layer and integrate it with existing AML tooling (Actimize, Fircosoft, in-house).

  • AI Act
    EU AI Act · Art. 6 high-risk AI in finance

    Credit scoring, fraud detection and insurance pricing fall under high-risk AI — governance, transparency, bias testing, human oversight. We build the AI governance stack on the LLM gateway with output validation, bias metrics and a complete audit trail.

Sector facts

As of 2026-05-27 · Source: dynexo Operations + BaFin/DORA documentation

Typical engagement size: 200–10,000 employees (depending on institution size; significant institutions ≥2,000 employees)
Most common triggers: DORA deadline exceeded, BaFin supervisory examination, ICT incident reporting obligation, TLPT requirement from regulator
Typical deployment model: EU cloud at dynexo or on-prem (depending on data sensitivity and internal governance) · Reason: GDPR requirement and audit controllability
Core regulation: DORA, BaFin MaRisk AT 7.2, BAIT/ZAIT, GDPR, EU AI Act (Art. 6–12)
Nova9 modules in use: Knowledge base (DORA/MaRisk mapping), business agents (incident reporting automation), LLM gateway (output tracking), observability (KRI tracking), endpoint agents
Typical onboarding: 60–90 days (risk framework, third-party audit, TLPT preparation, evidence pack build)
Audit mirror: Fully in EU · Retention: 10 years (DORA/MaRisk requirement)
Clone handover: Available — DORA-relevant for compliance handover

Asked often

Asked before the briefing

  • Are you DORA subprocessor-capable (Art. 28)?
    Yes. Our subprocessor list is public and a DORA Art. 28-compliant contract is in place. We update the list quarterly and inform you immediately of changes. We don't sub-subcontract without your explicit approval.
  • Can you conduct TLPT (threat-led penetration testing)?
    Yes, with a certified red-team partner. We deliver the blue component: threat modeling, scenario definition, red-team orchestration, evaluation, remediation planning. Test execution is DORA Art. 8-compliant.
  • What does BaFin audit accompaniment look like concretely?
    Standard practice. We deliver evidence in the format BaFin expects: ICT risk register, policies, incident response logs, third-party risk assessments, TLPT results. Usually that is sufficient to pass the supervisory examination.
  • How do you see the EU AI Act — do we need to panic?
    No, but you do need to prepare. The LLM gateway is audit-ready — Art. 12 requirements (documentation, monitoring, human-in-the-loop) are supported. We help identify high-risk systems and build governance.

Next step

How do we make your ICT risk governance DORA-compliant?

The industry briefing assesses your current DORA status (Art. 5–17), shows gaps in risk management, TLPT readiness and third-party governance and sketches a 12-month plan — often critical for significant institutions.