BAIT Explained

What is BAIT?

BAIT stands for Bankaufsichtliche Anforderungen an die IT, the Banking Supervisory Requirements for IT. It is a BaFin circular issued in coordination with the Deutsche Bundesbank.

Where MaRisk sets the principle (in AT 7.2: the bank must manage IT risk), BAIT is the operational manual that tells you exactly what that looks like. If BaFin writes to a bank with IT findings, the letter will cite BAIT chapter and verse, not MaRisk AT 7.2.

BAIT was first published in 2017 and substantially updated in 2021 (cloud, information security, contingency) and 2024 (alignment with DORA). The 2024 version narrowed some passages where DORA now leads, but BAIT continues to govern the German-specific operational expectations BaFin examines.

Who has to follow BAIT

Every credit institution and financial services institution in Germany that is in scope of MaRisk. Same population: Sparkassen, Volksbanken, Landesbanken, commercial banks, investment firms. BAIT has three sister circulars for adjacent sectors:

• VAIT: insurance undertakings
• KAIT: capital management companies under the KAGB
• ZAIT: payment institutions and e-money institutions

All four share the same DNA with sector-specific nuances. Master BAIT and you can read the others in an afternoon.

The chapter structure

BAIT chapters follow the IT lifecycle. Each chapter has detailed operational expectations.

Chapter 1: IT strategy

• Documented IT strategy derived from the business and risk strategies
• Board-approved and reviewed at least annually
• Covers IT objectives, architecture, modernisation, sourcing, resources

Chapter 2: IT governance

• Clear allocation of IT responsibilities
• Sufficient resources, qualifications, training
• Defined IT organisation, segregation of duties
• Reporting lines into the board

Chapter 3: Information risk management

• Documented information risk management framework
• Identification and classification of information assets; protection requirement assessment (Schutzbedarfsanalyse)
• Risk analyses, documented controls, periodic review

Chapter 4: Information security management

• ISMS aligned with ISO 27001 or BSI IT-Grundschutz
• Information security officer with independence and board access
• Security policy approved by the board
• Regular ISMS review and exercises

Chapter 5: Operational information security

• Security monitoring; SOC or equivalent
• Vulnerability management, patch management, hardening
• Penetration testing
• Incident detection, response, recovery

Chapter 6: Identity and access management

• Need-to-know, least privilege
• Periodic recertification
• Privileged access management with enhanced controls
• Logging and monitoring; joiners, movers, leavers processes

Chapter 7: IT projects and application development

• Project methodology with defined gates and approvals
• Quality assurance, testing (unit, integration, regression, acceptance)
• Documented design and decisions
• Change management proportional to risk

Chapter 8: IT operations

• Capacity, performance, backup, restore, archiving, decommissioning
• Asset inventory with lifecycle tracking
• Configuration management and baselines

Chapter 9: Outsourcing of IT services and other third-party relationships

• Risk-based provider assessment
• Mandatory contractual provisions (aligned with DORA Pillar 4)
• Ongoing monitoring and exit strategy
• Sub-outsourcing controls

Chapter 10: IT contingency management

• Business impact analysis
• IT contingency plans for critical IT systems
• Recovery time and recovery point objectives (RTO and RPO) defined per critical system
• Regular testing

BAIT and cloud computing

The 2021 update added explicit treatment of cloud computing; the 2024 update preserved it. Cloud arrangements are a regular BAIT examination topic.

• Risk-based selection of the cloud provider with due diligence beyond marketing material
• Contractual clauses on data location, sub-outsourcing, audit, security, exit
• Documented shared responsibility model: who is responsible for what
• Monitoring of the cloud provider
• Contingency arrangements that account for region outages and hyperscaler-wide incidents

How BAIT treats AI

BAIT has no dedicated AI chapter. AI is examined through every chapter:

• The application layer of an AI system under Chapter 7 (projects and development)
• The hosting and operations under Chapter 8
• The vendor relationship under Chapter 9
• Cybersecurity of the AI environment under Chapters 4 and 5
• Access control around the AI under Chapter 6
• Contingency for the AI service under Chapter 10

A BAIT examination of an AI system can touch every chapter. The bank's BAIT file on the AI has to answer all ten supervisory angles in a consistent narrative.

How BAIT interacts with the other frameworks

• MaRisk: BAIT operationalises AT 7.2 (and parts of AT 4.3 and AT 9). The two work as a pair
• DORA: substantial overlap. The 2024 BAIT update narrowed BAIT where DORA now leads. Both apply. Banks typically run one unified IT control framework
• NIS2: reaches financial entities only via DORA as lex specialis. NIS2 Article 21 measures map onto BAIT cleanly. BAIT-compliant banks are close to NIS2 baseline
• EU AI Act: BAIT covers the IT environment around the AI; the AI Act covers the AI system as a product. Both apply
• ISO 42001: no direct overlap but complementary as an AI management system inside a BAIT-governed IT environment
• BSI IT-Grundschutz: Chapter 4 references IT-Grundschutz explicitly. Banks using IT-Grundschutz are well-positioned on Chapter 4 substance

What to do next

• If you are a German bank: read BAIT in full at least once. Map your existing controls to each chapter. The gaps you find are the gaps your auditor or BaFin will find first
• If you sell IT or AI to a German bank: expect questions across all ten chapters. Prepare evidence of your security controls, change management, outsourcing chain, contingency arrangements
• Consolidate the BAIT outsourcing register with the MaRisk AT 9 register and the DORA register where possible
• For any cloud-hosted AI: document the shared responsibility model precisely. BaFin will ask
• Test the contingency plan annually at minimum. An untested plan is a plan that does not exist
• Use the classifier tool to map your system against BAIT and the related German rules