BaFin Issues New Guidance on ICT Risks in the Use of AI Under DORA

Key Takeaways
  • AI as an ICT Risk Issue: BaFin frames AI primarily through the lens of ICT risk, emphasizing operational resilience rather than innovation alone.
  • Lifecycle Governance Matters: ICT risks must be managed across the full AI lifecycle, from data sourcing to system retirement.
  • Integration Into Existing Frameworks: AI systems should be embedded within existing ICT risk management structures, not governed in isolation.
  • Third-Party Dependencies in Focus: ICT third-party risk management remains a priority, particularly where AI relies on external providers or platforms.
  • DORA Alignment, Not New Rules: The guidance is non-binding but designed to help firms meet DORA requirements more effectively.
Deep Dive

Germany’s financial regulator, the Federal Financial Supervisory Authority (BaFin), has published new supervisory guidance aimed at helping financial entities manage information and communication technology (ICT) risks arising from the use of artificial intelligence. Released on January 30, 2026, the document focuses squarely on how AI-related risks should be addressed within the framework of the EU’s Digital Operational Resilience Act (DORA).

AI is already embedded across much of the financial services value chain, from data analysis and underwriting to fraud detection and customer interaction. BaFin’s guidance reflects a growing regulatory concern that, while AI can drive efficiency and innovation, its deployment also introduces material ICT risks that must be actively governed, controlled, and monitored.

Importantly, the guidance is non-mandatory. BaFin positions it as practical supervisory advice rather than a binding rulebook, designed to support firms as they implement DORA’s operational resilience requirements in AI-enabled environments. The document is aimed in particular at institutions subject to the Capital Requirements Regulation, as well as insurers supervised under the Solvency II framework.

A central theme of the guidance is lifecycle-based risk management. BaFin examines ICT risks across the full AI lifecycle, including data acquisition, model development, system provision, ongoing operation, and eventual retirement. According to the regulator, security and resilience expectations do not diminish once a model is deployed; instead, AI systems must remain subject to continuous oversight and control throughout their operational life.

The guidance places particular emphasis on two areas that are already under heightened scrutiny across Europe: ICT risk management and ICT third-party risk management. BaFin stresses that AI systems should not sit outside existing governance structures. Rather, they must be fully integrated into firms’ established ICT risk management frameworks, with appropriate safeguards for underlying ICT assets and dependencies, including external service providers and technology vendors.

BaFin also notes that the guidance reflects accumulated industry experience with AI deployment in financial services. By drawing on observed practices and challenges, the regulator appears to be signaling an expectation that firms move beyond experimental or siloed AI governance and toward more mature, enterprise-wide operational resilience models aligned with DORA.

As supervisory attention on AI continues to intensify across the EU, BaFin’s guidance offers a clear indication of how national regulators expect financial institutions and insurers to operationalize resilience, security, and third-party controls when AI becomes part of critical business processes.
