IT-Security Regulatory Update | June 2022

Focus: Cloud outsourcing

Highlight from June 2022

Revision of the orientation guide
to cloud outsourcing likely

During the December 2, 2021 meeting of the IT Expert Panel, representatives of the supervisory authority spoke about an update of BaFin’s guidance on outsourcing to the cloud. While these are non-binding, they provide valuable guidance for institutions.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Guidance on cloud outsourcing expected to be broadened and enhanced

On December 2, 2021, the BaFin Expert Panel IT met. In the related minutes published on June 14, ITEM 4 is likely to attract attention: “Guidance on outsourcing to cloud providers”. In fact, the question of an update is raised here and seems likely.

The guidance issued by the German Federal Financial Supervisory Authority (BaFin) was published back in 2018. Due to the rapidly changing, increasingly digitalized industry, the regular adjustment already announced at that time appears to make sense. A representative of the supervisor confirms this according to the minutes. The basis for the revision is the experience gained and the results of the Special Expert Panel Cloud. The participants of the panel suggested that the guidance be expanded and enhance the guidance. In particular, they asked for the differentiation between community and public cloud to be included.

In addition, however, it was also advocated that the existing structure between BAIT and guidance be maintained. In contrast to the binding requirements of the BAIT, the Orinetierunghilfe does not contain any binding requirements, but is intended as supportive document. It is used as such by banks and other participants in the financial market and can be adapted and updated more easily.

The BaFin guidance from 2018 can be found
on the BaFin website.

Light blue background with dark blue gears. In front of it a laptop, a cell phone, a desktop screen, a camera and a tablet. All of them are connected with arrows to each other as well as the white cloud depicted above with various symbols, for example, notes for music.

In addition to the topic of cloud outsourcing, the expert panel discussed the Digital Operational Resilience Act (DORA), which is scheduled for publication at the end of the year. High implementation efforts are to be expected in the 24 months between its publication and its entry into force, and should be anticipated now. BaFin is making efforts to avoid duplicate regulation at the national level, but must first await the publication of DORA to do so.

The proposal for DORA of the European Commission can be found here on the website of the EUR-Lex. The minutes of the IT expert committee can be found here on the BaFin website.

In March 2022, the special expert committee Cloud of BaFin’s expert committee IT, mentioned in the December minutes, met regarding the topic of Configuration Management Database (CMDB). The panel addressed the proportionality principle in relation to the inventory for components of the IT systems and their relationship to each other. In addition, the panel discussed the operational responsibility in the context of 8.2 BAIT on the part of cloud service providers (CSP) and institutions, as well as for interfaces and their documentation.

According to the panel, the abstraction boundary is formed by the jointly operated layers. Above the limit, the institute is responsible, so full mapping and documentation is required. Below the abstraction limit, the CSP is responsible, therefore mapping is usually not required. At the abstraction boundary, the parameterization of the services and the service description of the CSP must be included.

The minutes of the Special Expert Panel Cloud of the Expert Panel IT can be found
on the BaFin website.

Source: © German Federal Financial Supervisory Authority /

BaFin announces more targeted IT audits with focus on IT security

At the Non Performing Loans Forum 2022, the Executive Director of Banking Supervision at the German Federal Financial Supervisory Authority (BaFin), Raimund Röseler, spoke about risks and corresponding measures taken by BaFin. Among other things, he notes that international conflicts increase the risk of cyber attacks. He cites Russia’s war of aggression against Ukraine as an example of this. Although no specific, successful attacks have yet resulted from this situation, the risk remains high, he said. It is not only institutions themselves that are exposed to the risk; cyber incidents and attacks at service providers and infrastructure providers in particular pose a high risk to the financial market and its participants.

“Which bank and which credit analyst is really in a position to assess the IT security of bank customers? I, for one, know of only a few institutions that deal with this more intensively,” Raimund Röseler raises. It is precisely against this background that BaFin is planning more targeted IT audits at institutions and service providers and also plans to check compliance with supervisory IT requirements as part of operational supervision. In this regard, Röseler notes, “No bank manager should be able to talk his way out of this and point the finger at IT service providers.”

You can find the speech of Raimund Röseler’s speech can be found here on BaFin’s website.

Source: © German Federal Financial Supervisory Authority /

Sustainability and digital transformation go hand in hand

The European Commission is addressing the compatibility of sustainability and digital transformation as part of its Strategic Foresight Report 2022. The report is based on a report by the Joint Research Center (JRC) that demonstrates the need to link the two issues. The ten focus topics of the JRC report are also addressed in the European Commission’s report:

1. strengthening resilience and strategic autonomy in critical sectors.
2. strengthening green and digital diplomacy.
3. strategic management of the supply of critical materials and goods to avoid dependencies.
4. strengthening economic and social cohesion
5. adapting education and training systems to keep pace with the rapidly changing reality.
6. mobilization of future-proof investments in new technologies and infrastructures
7. development of monitoring frameworks
8. ensuring a future-proof regulatory framework for the single market to promote sustainable business models and consumer behavior patterns.
9. strengthening the global approach based on a“Reduce, Repair, Reuse, Recycle” principle.
10. promote robust cybersecurity and secure data-sharing frameworks to make critical infrastructures more resilient on the one hand and to strengthen trust in digitization and sustainability on the other.

The commission concludes that by addressing the interrelationships and tensions between the areas along the ten focus themes, it is possible to successfully connect the two sets of issues by 2050. In doing so, it promotes a regenerative and carbon-neutral economy that reduces pollution, restores biodiversity and natural capital, and makes the EU more resilient and autonomous. At the same time, fair change is made possible for the benefit of people, the community and the region.

The Strategic Foresight Report 2022 can be found
 on the website of the Commission.
The report of the JRC can be found here
on their website.

Source: European Commission –

Even though the guidance on cloud outsourcing is non-binding, it is often used as a basis for outsourcing to the cloud. Enhancing and adaptation of the guidance is desirable and helpful, but also entails expenses. A good opportunity to also assess your general compliance in the context of outsourcing!

We at ADWEKO are happy to assist you in assessing your outsourcing management as well as in implementing new requirements.

talk to

Pia Streicher!