The prudential requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT), which are mainly intended for the management boards of credit institutions, aim to provide a more transparent outline of supervisors’ expectations regarding IT security.

This Circular provides a flexible and practical framework for institutions’ technical and organisational resources on the basis of Section 25a(1) of the German Banking Act (Kreditwesengesetz) – in particular for IT resource management and IT risk management. Moreover, it specifies the requirements laid down in Section 25b of the Banking Act (outsourcing of activities and processes).

The revised circular dated 16 August 2021 implements the “EBA Guidelines on ICT and Security Risk Management” (EBA/GL/2019/04) and takes into account experiences from supervisory practice.

In the course of the amendment, two new chapters on “Operational information security” and on “IT service continuity management” were added. The former contains requirements for monitoring information security, for controlling the effectiveness of information security measures. The latter substantiates minimum requirements for business continuity management (AT 7.3 MaRisk) in relation to time-critical IT processes and activities. Furthermore, responsibilities and controls for information risk management and requirements for physical information security were specified.