On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: following the consultation phase, the German Federal Financial Supervisory Authority (BaFin) published the 9th amendment to its Minimum Requirements for Risk Management (MaRisk). With this update, BaFin sends a clear message: the requirements for institutions are to be aligned more closely with their individual risk profiles. At the same time, the regulator is raising its expectations regarding governance, transparency, and accountability.
From a regulatory perspective, this may appear to strike a balance between easing certain requirements and tightening others. In practice, however, it creates a key challenge: institutions must not only adapt their existing frameworks but also ensure that these frameworks continue to evolve in a consistent and coherent manner. Firms have until 1 January 2027 to implement the new requirements. We have highlighted the most important changes for you:
Proportionality Becomes the Guiding Principle
BaFin places significantly greater emphasis on the principle of proportionality in the 9th amendment to MaRisk. The revised framework consistently distinguishes between very small institutions (with total assets of up to €1 billion), small and non-complex institutions (SNCIs), and less significant institutions (LSIs). Significant institutions are no longer within the scope of MaRisk.
This differentiation has a direct impact on how regulatory requirements must be implemented. In many areas, obligations are reduced or may, depending on an institution’s size and risk profile, be waived entirely. This applies, among other things, to the design of stress testing frameworks and certain organizational requirements within risk management.
At the same time, it is clear that these changes are not merely isolated regulatory relief measures. Rather, the concept of proportionality runs throughout large parts of the revised MaRisk framework. As a result, institutions are expected to take greater responsibility for assessing their own classification and for applying and justifying regulatory requirements accordingly. Supervisory reviews are therefore likely to become less standardized and more closely tailored to the specific circumstances and risk profile of each institution.
Clear Alignment with DORA
At the same time, MaRisk is being brought into closer structural alignment with the requirements of the Digital Operational Resilience Act (DORA). Terminology and regulatory logic are being harmonized, helping to reduce overlapping requirements and duplicate governance structures over time.
One visible outcome of this alignment is the increased flexibility to consolidate strategic documentation. For example, institutions may now combine their business strategy, risk strategy, ICT strategy, and DORA strategy into a single integrated document. While this creates opportunities for a more streamlined governance framework, it also requires institutions to manage interdependencies between these areas in a clear and consistent manner.
The boundaries between the two frameworks are also shifting from a substantive perspective. Certain outsourcing arrangements that fall within the scope of DORA will no longer be covered by the MaRisk outsourcing requirements. This reduces regulatory duplication and compliance effort. At the same time, however, institutions will need to ensure that both regulatory frameworks are carefully coordinated and applied consistently.
Changes to Outsourcing Requirements
BaFin is cautiously opening up the regulatory framework for outsourcing arrangements without diminishing the accountability of the institutions themselves. In particular, the role of Internal Audit is being made more flexible. Under certain conditions, institutions may engage qualified third parties to perform audits of outsourced functions. In addition, some requirements relating to sub-outsourcing arrangements are formulated less prescriptively than under the previous version of MaRisk.
Nevertheless, the overall framework remains demanding. Responsibility for the effective oversight and proper management of outsourced activities continues to rest unequivocally with the institution. Institutions must therefore ensure that governance structures, monitoring mechanisms, and control processes remain sufficiently robust, regardless of whether activities are performed internally or by external service providers.
Governance and Reporting Move into Focus
While simplifications are being introduced in other areas, BaFin is significantly tightening its expectations regarding governance structures with the 9th amendment to MaRisk. In particular, the roles of management and the supervisory body are being defined more clearly. Going forward, regular reports to the supervisory body, at least quarterly, are required. These reports are to focus clearly on the current risk situation as well as on planned and ongoing measures. At the same time, escalation procedures are defined more precisely, making decision-making and accountability structures more transparent.
The requirements for control functions are also changing. For example, the scope of reporting by the compliance function will be reduced in the future to identified deficiencies and corresponding corrective measures. At the same time, the internal audit function will be strengthened, for example, through clearer guidelines on audit planning, the completeness of audits within a defined time frame, and regular reporting to management.
Overall, this results in a more structured and verifiable governance model that is less focused on formal completeness and more on the effectiveness of governance.
Broader Focus on Risk and Resilience
In addition to the organizational and structural changes, BaFin is also sharpening its substantive perspective on risk, bringing MaRisk into closer alignment with the EBA Guidelines. One notable development is the explicit recognition of ESG risks as drivers of traditional risk categories within the risk inventory process. Rather than being assessed in isolation, these factors are now systematically integrated into existing risk assessments. For the time being, the focus remains pragmatic and is primarily directed toward environmental risks.
BaFin is also further enhancing established risk management tools. In particular, the requirements for stress testing are being refined. Reverse stress tests are defined more clearly and are more explicitly geared toward scenarios that could threaten an institution's viability.
Another new element is the introduction of a long-term perspective on resilience. Institutions will be expected to assess how different plausible future scenarios could affect their stability over an extended time horizon. This shifts the focus beyond the management of short-term risks and toward the ability to anticipate and address longer-term developments at an early stage.
The 9th amendment to MaRisk can be found here:
Rundschreiben 06/2026 (BA) - BaFin
Is your organization regulated by BaFin, and do you need assistance with a harmonization project or with the implementation of individual information security requirements? Contact us; we are happy to help.