IT-Security Regulatory Update | January 2022

Highlight from January 2022

7th MaRisk amendment announced in Q4 2022

Minutes of the MaRisk expert committee indicate that the 7th amendment to the MaRisk, based on the EBA Guidelines on loan origination and monitoring, is to be expected in the fourth quarter of 2022.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Seventh amendment of MaRisk imminent

In minutes of the MaRisk (Minimum Requirements for Risk Management) expert committee published in January, one of the items on the agenda was the seventh amendment to the minimum requirements for risk management. According to the minutes, it is expected as early as the fourth quarter of 2022.

In terms of content, the following is to be expected:

  • EBA Guidelines on loan origination and monitoring
  • Direct investment in real estate
  • Special funds
  • Business model analysis
  • Home Office Trading

Furthermore, addressees should be prepared for MaRisk to become leaner in the future, although unfortunately not in terms of content. Because European requirements that need to be transposed are arriving more and more frequently, MaRisk is to incorporate more references and fewer direct citations. For the addressees, this is likely to mean more research and thus greater effort, as the expert panel itself also pointed out.

The committee also discussed issues such as clarifications on the sixth MaRisk amendment, background information on the upcoming obligation to report outsourcing arrangements, and a realignment of supervision with regard to special funds.

The minutes of the MaRisk expert committee can be found on the website of the Federal Financial Supervisory Authority (BaFin).

Source: Federal Financial Supervisory Authority (BaFin)

Notes on handling certificates and attestations from cloud service providers

A special expert panel of the IT expert committee of the Federal Financial Supervisory Authority (BaFin) has addressed the topic of certificates and attestations in the context of cloud service providers (CSPs).

The panel concluded that, in this context, standard certificates and attestations may be sufficient. However, for those components of the internal control system (ICS) that such certificates and attestations do not cover, alternative ways of obtaining the information must be identified. If the information cannot be obtained or is missing, this must be reflected in the risk assessment and the resulting risks must be managed accordingly.

The minutes of the special expert panel can be found on the BaFin website.

Source: Federal Financial Supervisory Authority (BaFin)

European regulators brace for systemic cyber incidents

The EU’s Digital Operational Resilience Act (DORA) is intended to give competent authorities a pan-European framework for coordinating the response to systemic cyber incidents. In a public statement, the European Supervisory Authorities (ESAs) welcome the European Systemic Risk Board’s (ESRB) recommendation to implement such a framework.

The ESAs are tasked with preparing for the gradual development of a framework that will enable an effective, coordinated, EU-wide response to major cross-border cyber incidents with potential systemic impact.

The statement of the ESAs can be found on the website of the Joint Committee.

Source: Joint Committee of the European Supervisory Authorities (JC of the ESAs)

Take this announcement as an opportunity to conduct an initial impact analysis and, if necessary, to schedule the MaRisk amendment as a project for the end of 2022 / beginning of 2023 in your project portfolio.

We at ADWEKO are happy to assist you in this process.

Talk to Pia Streicher!