IT Security Regulatory Update | February 2023

Focus: outsourcing notices, U.S. data protection agreement & CVDs According to NIS2 directive.

Highlight from February 2023

Reporting outsourcings via the MVP portal

As outsourcings are to be reported to BaFin since 2022, the latter is addressing initial queries and providing a template for the MVP portal.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Notification of outsourcing to BaFin

In 2022, outsourcing reporting requirements have come into effect for various financial institutions, as we discussed in our November update.

For some financial firms, the disclosure requirement was already a known quantity; for others, the requirement was a new one. In the course of the notification regulations, various information concerning the outsourced activity as well as the service provider itself must be shared with the financial supervisory authority.

After the publication of the notification regulations, BaFin expanded and updated the web pages for the affected companies. Now, in addition to providing guidance on how to submit reports through the MVP portal, it has also made available a report template for reporting serious incidents under existing material outsourcing arrangements.

You can find this here on the BaFin website.

messy pile of white paper

In mid-February, BaFin invited financial institutions to an information event around the requirements for notification. At the three-part event, they addressed questions from KWG- and ZAG-regulated institutions, investment companies, as well as insurance companies and institutions for occupational retirement provision.

As a follow-up to its information session, BaFin published a presentation with feedback on the outsourcing notification. In it, they address queries and feedback in the context of general issues and revisits the reporting process.
The common questions it addresses deal with the following topics:

  • Intention and execution of outsourcing,
  • Significant changes in outsourcing,
  • Reporting of serious incidents in the context of existing outsourcing,
  • Subsequent reporting on outsourcings.

In addition, BaFin is addressing its planned portfolio query with the aim of identifying concentration risks and increasing data quality. The query, which will be conducted among financial firms selected on a risk-oriented basis, is scheduled to begin in March 2023.

You can find the presentation of BaFin here on their website.

Source: © German Federal Financial Supervisory Authority /

Statement of the supervisory authorities on the EU-U.S. Data Privacy Shield

With the ECJ’s Schrems II ruling and the associated discontinuation of the US Privacy Shield, the transfer of personal data out of the EU to the United States of America became a challenge. Some two years later, an EU-U.S. Data Privacy Framework is now under discussion to ensure an adequate level of data protection.

Both the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the European Data Protection Board (EDPB) welcome the U.S. initiative in principle. Both agencies see progress in various areas in relation to the Privacy Shield, which they derive from the ECJ ruling. The BfDI takes a positive view of the project and sees it as an important step forward in the context of international data protection.

At the same time, the BfDI and the EDPB have concerns as to whether the framework can be used to achieve an appropriate level that complies with the GDPR. Specifically, the EDPB sees vulnerabilities in the context of privacy subject rights, data sharing, exemptions, and aggregate records, among others.

You can find the statement of the BfDI here on its website, the statement of the EDPB here on their website.

Sources: © BfDI –; European Data Protection Board –

ENISA considers Coordinated Vulnerability Disclosures in the context of NIS2

Using a Coordinated Vulnerability Disclosure (CVD), identified vulnerabilities are communicated by the finder to the relevant stakeholders so they can be resolved before being exploited by an attacker. This involves a coordinated approach based on collaboration between the discoverer of the vulnerability, the manufacturer or provider of the product or service, regulatory authorities, and customers, if applicable.

This established approach is taken up by the NIS2 directive. In this context, ENISA is looking at what harmonized national vulnerability programs and initiatives could look like in the EU. In doing so, it addresses the expectations of the EU member states on the one hand and the business community on the other. Thereby anticipates corresponding guidelines.

In its report, ENISA reaches the following conclusions:

1. national specifications on CVD can serve as an example to the industry;
2. specifications on CVD and handling of CVD are still fragmented;
3. education and awareness in the context of CVD should be a priority;
4. there are challenges at the level of law, technology and cooperation;
5. approaches with “security and data protection by design” are to be preferred.

You can find the ENISA report here on their website.

Source: European Union Agency for Cybersecurity (ENISA) –

The notification of outsourcing to BaFin helps to identify risks at a higher level in good time. However, it also involves various expenses and has not yet been fully implemented in many financial companies.

When it comes to implementing the reporting process in the outsourcing process and identifying content to be reported, we at ADWEKO will be happy to assist you with our expertise.

talk to
Pia Streicher!