
BAIT & VAIT — BaFin IT Requirements for Banks and Insurers

Reviewed by: Cenedril Editorial
Tags: BAIT, VAIT, KAIT, DORA

A savings bank reports a cyber incident at an outsourcing partner. The BaFin special audit starts six weeks later and demands, for every outsourced IT service: a risk assessment, contractual clauses on information and audit rights, recovery tests from the last twelve months, and documented escalation paths. An institution that has to assemble this evidence during the audit itself has already lost the discussion about the adequacy of its governance before it begins. BAIT and VAIT demand an operating IT governance system whose effectiveness can be demonstrated at any time, not reconstructed after the fact.

BAIT (Supervisory Requirements for IT in Banks), VAIT (Supervisory Requirements for IT in Insurance Undertakings) and KAIT (Supervisory Requirements for IT in Asset Management Companies) are circulars issued by the Federal Financial Supervisory Authority (BaFin). They put the statutory requirements for a proper business organisation into concrete terms for the IT of regulated financial institutions. Current versions: BAIT as amended on 16 August 2021, VAIT as amended on 3 March 2022, KAIT of 1 October 2019.

What does the standard cover?

The three circulars share a common structure of eight to eleven chapters (eight in KAIT, eleven in the current BAIT and VAIT). They set requirements for IT strategy, IT governance, information risk management, information security management, user access management, IT projects and application development, IT operations and outsourcing.

The chapters at a glance (BAIT 2021)

  • Chapter 1 — IT strategy: a documented IT strategy adopted by executive management and linked to the business strategy.
  • Chapter 2 — IT governance: organisational and procedural structure of the IT function, roles, staffing, requirements for the IT function.
  • Chapter 3 — Information risk management: systematic identification, assessment and treatment of information risks based on a current inventory of information assets.
  • Chapter 4 — Information security management: information security policy, Information Security Officer, incident management, awareness.
  • Chapter 5 — Operational information security: vulnerability, patch and configuration management, logging and monitoring, penetration tests.
  • Chapter 6 — Identity and access management: documented access concepts, periodic recertification, segregation of critical functions.
  • Chapter 7 — IT projects and application development: project risk assessment, separation of development, test and production environments, requirements management.
  • Chapter 8 — IT operations: inventory of IT components, lifecycle and change management, handling of incidents and problems, backup of data.
  • Chapter 9 — Outsourcing and other external procurement of IT services: risk assessment, contractual requirements, outsourcing register, steering and monitoring.
  • Chapter 10 — IT contingency management: contingency plans with defined recovery time and recovery point objectives (RTO/RPO), recovery plans, tests at least annually for time-critical activities and processes.
  • Chapter 11 — Critical infrastructures: additional requirements for KRITIS institutions under the BSI Act.

What VAIT adds

VAIT follows the same chapter structure but adds requirements for insurance-specific processes: policy administration systems, claims handling and the actuarial function. KAIT is considerably shorter and focuses on topics relevant to asset management companies, such as investment management systems and interfaces to depositaries.

Audit practice

Annual statutory audit. Statutory auditors verify compliance with BAIT/VAIT every year as part of the audit of the annual financial statements. The audit report goes to BaFin, which evaluates the findings.

BaFin special audit under §44 KWG / §306 VAG. Either triggered by a specific event or scheduled as part of routine supervision, BaFin audits directly on site, usually with a focus on one topic (e.g. outsourcing, contingency management, access rights). Duration is typically 4-12 weeks. Serious findings can lead to supervisory measures up to and including the dismissal of managing directors.

Self-disclosures and IT supervisory reports. Institutions must report certain incidents (e.g. serious IT security incidents, prolonged outages of critical systems) to BaFin. Since DORA became applicable on 17 January 2025, EU-wide harmonised reporting obligations for major ICT-related incidents apply in addition.

Mapping to other standards

| Standard | Relation to BAIT/VAIT |
| --- | --- |
| MaRisk | Overarching framework for risk management; AT 9 (outsourcing) and AT 7.2 (technical and organisational resources) are the anchor points for BAIT/VAIT |
| DORA (Regulation (EU) 2022/2554) | Supersedes substantial parts since 17 January 2025, especially ICT risk management, incident reporting and ICT third-party risk |
| ISO/IEC 27001 | Covers roughly 70 percent of the information security requirements (the page's estimate); must be supplemented with BaFin-specific items |
| BSI IT-Grundschutz | More detailed catalogues of measures, used in some houses as implementation guidance for operational security |
| NIST CSF | Structured framework for cyber resilience, useful for self-assessing maturity |
| EBA Guidelines on ICT and security risk management | European guidelines for banks that preceded the 2021 BAIT amendment and were partially transposed into it |
| EIOPA Guidelines on ICT security and governance | European guidelines for insurers that preceded the 2022 VAIT amendment and were partially transposed into it |

Implementation effort

Small institutions (e.g. savings banks, small insurers, fewer than 200 staff): initial build 12-24 months, thereafter 1-3 FTE for ongoing operation of the ISMS, outsourcing governance and access management. Association-wide solutions (e.g. from the Sparkassen-Finanzgruppe or the cooperative FinanzVerbund) are frequently used.

Mid-sized institutions (200-2,000 staff): 18-30 months build, 5-15 FTE in IT risk, security and outsourcing. Dedicated IT contingency teams, dedicated Information Security Officer and Outsourcing Officer.

Large banks and insurers: multi-year programme, dozens of FTEs, typically a three-lines model with a dedicated IT risk function in the second line and IT audit in the third line.

Recurring costs: penetration tests (annually for critical applications), external contingency exercises, audit days through statutory auditors, tools for access management and IT service management.

Related standards

  • ISO/IEC 27001: International ISMS standard; the foundation for the information security chapters of BAIT/VAIT.
  • DORA: EU regulation on digital operational resilience; supersedes BAIT/VAIT in key areas.
  • BSI IT-Grundschutz: Detailed catalogues of measures, useful for implementing operational security.
  • NIST CSF: Framework for self-assessing the maturity of cyber governance.

Frequently asked questions

Are BAIT and VAIT laws or only administrative regulations?

Both are BaFin circulars -- administrative regulations, not laws in the strict sense. They put into concrete terms the statutory requirements for a proper business organisation in KWG §25a (banks) and VAG §23 (insurers). In supervisory practice they are binding: anyone who deviates must justify why. Deviations without a solid justification typically produce findings in the special audit.

How does DORA relate to BAIT and VAIT?

DORA has applied directly across the entire EU since 17 January 2025 and supersedes parts of the national circulars. BaFin has announced that BAIT and VAIT will be consolidated accordingly. Until then: DORA requirements take precedence, and BAIT/VAIT remain authoritative for aspects not covered by DORA (e.g. internal outsourcing below critical thresholds). Institutions must consider both frameworks in parallel.

Is an ISO 27001 certificate sufficient to meet BAIT?

No, a certificate alone is not sufficient -- it covers roughly 70 percent of the BAIT requirements. BaFin-specific topics such as the outsourcing register under MaRisk AT 9, IT contingency exercises with defined recovery times, or the separation of development, test and production environments must be demonstrated on top. Many institutions use ISO 27001 as the foundation and supplement it with the BaFin-specific items.