MaRisk Requirements in 2026: Minimum Requirements for Risk Management
Introduction
BaFin's MaRisk -- Mindestanforderungen an das Risikomanagement -- is the single most influential supervisory document shaping how German banks manage risk. First published in 2005 and updated through seven major revisions (most recently the 7th MaRisk amendment in 2023), this circular defines the minimum requirements for risk management at credit institutions and financial services institutions under KWG Section 25a. Every bank operating in Germany, regardless of size or complexity, must demonstrate compliance with MaRisk. It is the standard against which BaFin auditors, Bundesbank examiners, and Section 26 KWG external auditors assess the adequacy of a bank's risk management framework.
In 2026, MaRisk occupies a unique position in the German regulatory landscape. DORA has introduced EU-wide requirements for ICT risk management that partially overlap with and in some areas supersede the technology-related modules of MaRisk and its companion circulars (BAIT, ZAIT, VAIT). BaFin has confirmed that BAIT will be withdrawn and that DORA's implementing technical standards will take precedence for ICT-specific requirements. However, MaRisk itself remains fully in force for all non-ICT risk management requirements, and its general organizational framework continues to provide the structural foundation within which DORA's ICT requirements operate. Understanding what MaRisk requires in 2026 -- and what it no longer covers because DORA has taken over -- is essential for every compliance team at a German bank.
What Is MaRisk?
MaRisk is a BaFin circular (Rundschreiben) that specifies the requirements of KWG Section 25a regarding the proper business organization of credit institutions. While technically an administrative interpretation rather than a law, MaRisk is treated as binding in supervisory practice. BaFin auditors assess compliance against MaRisk during routine and special examinations, and external auditors evaluate MaRisk compliance as part of the annual audit under KWG Section 26.
MaRisk is structured in two main parts:
AT (Allgemeiner Teil -- General Part): Establishes the overarching framework for risk management, including governance, strategy, risk appetite, organizational structure, and general requirements for processes, IT systems, and documentation.
BT (Besonderer Teil -- Specific Part): Contains detailed requirements for specific risk types and business functions, organized into BTO (Besonderer Teil Organisation -- organizational requirements) and BTR (Besonderer Teil Risikosteuerung und -controlling -- risk management and controlling requirements).
The 7th MaRisk amendment (November 2023) incorporated several significant changes: enhanced requirements for ESG (Environmental, Social, and Governance) risk management, updated expectations for data aggregation and risk reporting (aligned with BCBS 239), strengthened outsourcing requirements, and adjustments to reflect the emerging DORA framework. These changes reflect the evolving expectations of both BaFin and the ECB's Single Supervisory Mechanism.
MaRisk applies to all credit institutions and financial services institutions in Germany under the proportionality principle (Proportionalitätsprinzip). This means that the specific implementation of each requirement may vary based on the institution's size, complexity, risk profile, and business model. A large universal bank will implement MaRisk differently from a small specialized credit institution, but both must address the substance of every requirement.
Key Requirements
AT -- General Requirements
AT 1 -- Preliminary Remark and Scope (Vorbemerkung): Establishes the scope of MaRisk and the proportionality principle. All requirements must be implemented in a manner appropriate to the institution's nature, scale, complexity, and risk profile.
AT 2 -- Overall Responsibility of Management (Gesamtverantwortung der Geschäftsleitung): The management board (Geschäftsleitung) bears overall responsibility for risk management. It must define a coherent business strategy and a consistent risk strategy derived from it. The management board must understand the institution's risk profile and ensure that the risk management framework is adequate.
AT 3 -- Risk Management (Risikomanagement): Requires a comprehensive risk management framework that covers all material risks. The framework must include risk identification, measurement, aggregation, monitoring, and reporting processes. The internal capital adequacy assessment process (ICAAP) must demonstrate that the institution holds adequate capital for its risk profile. AT 3 also addresses risk culture and the expectation that risk awareness is embedded throughout the organization.
AT 4 -- Organizational and Operational Structure (Aufbau- und Ablauforganisation):
AT 4.1 -- Organizational Guidelines: Requires clear organizational structures with defined responsibilities and competencies. The "three lines of defense" model is expected: business lines as the first line, risk management and compliance as the second line, and internal audit as the third line.
AT 4.2 -- Risk Management and Controlling Function: An independent risk controlling function is mandatory. It must have direct access to the management board and must not be subordinate to business line management.
AT 4.3 -- Internal Audit (Interne Revision): The internal audit function must be independent, adequately resourced, and cover all activities and processes. It must conduct risk-based audit planning and report directly to the full management board.
AT 4.4 -- Special Functions: Includes requirements for the compliance function (AT 4.4.2), which must be independent and have adequate resources, and the data protection function.
AT 5 -- Risk Appetite Framework (Risikoappetit): Introduced more prominently in the 7th amendment, this requires institutions to define their risk appetite in quantitative and qualitative terms, approved by the management board and monitored on an ongoing basis.
AT 7 -- Resources (Ressourcen):
- AT 7.1 -- Personnel: Adequate staffing in both quantity and quality for all risk management functions.
- AT 7.2 -- Technical and Organizational Resources: This is the module most directly affected by DORA. It historically covered IT security, data integrity, contingency planning, and IT risk management. With DORA now in force, BaFin has indicated that the IT-specific requirements of AT 7.2 will be interpreted through the lens of DORA's Articles 5-16, and BAIT (which further specified AT 7.2) will be withdrawn.
- AT 7.3 -- Contingency Planning: Requires business continuity management including business impact analysis, continuity plans, and regular testing. This module interacts with DORA's resilience testing requirements under Articles 24-27.
AT 9 -- Outsourcing (Auslagerungen): Comprehensive requirements for outsourcing risk management, including risk assessment before outsourcing, contractual requirements, ongoing monitoring, and exit strategies. The 7th amendment strengthened these requirements and aligned them with EBA's outsourcing guidelines. DORA Article 28 adds further requirements for ICT third-party providers that supplement AT 9.
BTO -- Organizational Requirements
BTO 1 -- Credit Business (Kreditgeschäft): Detailed requirements for the organization of credit business, including separation of front office and back office (Markt und Marktfolge), credit approval processes, credit monitoring, and problem loan management. This is one of the most granular modules in MaRisk.
BTO 2 -- Trading Business (Handelsgeschäft): Requirements for trading activities, including the separation of front office, back office, and risk controlling, mark-to-market valuation, and trading limits.
BTR -- Risk Management and Controlling
BTR 1 -- Counterparty and Credit Risk (Adressenausfallrisiken): Requirements for credit risk identification, measurement, and monitoring, including portfolio management, concentration risk, and country risk.
BTR 2 -- Market Price Risk (Marktpreisrisiken): Requirements for market risk management, including VaR models, stress testing, and limit systems.
BTR 3 -- Liquidity Risk (Liquiditätsrisiken): Requirements for liquidity risk management, including funding plans, liquidity buffers, and stress testing across different time horizons.
BTR 4 -- Operational Risk (Operationelle Risiken): Requirements for identifying, assessing, and managing operational risks, including loss data collection, scenario analysis, and risk indicators.
Relationship to DORA and Other Frameworks
The interaction between MaRisk and DORA is the most significant regulatory development for German banks in 2026. The key principle is that DORA takes precedence for ICT-related requirements while MaRisk remains authoritative for all other risk management requirements.
Specifically:
- AT 7.2 (Technical and Organizational Resources) and BAIT are being superseded by DORA Articles 5-16 (ICT risk management framework), Articles 17-23 (ICT incident reporting), and Articles 24-27 (digital operational resilience testing).
- AT 7.3 (Contingency Planning) overlaps with DORA's resilience testing requirements but retains relevance for non-ICT business continuity scenarios.
- AT 9 (Outsourcing) is supplemented by DORA Article 28 (ICT third-party risk management) for technology outsourcing, but remains the primary framework for non-ICT outsourcing.
- BTR 4 (Operational Risk) continues to apply for all operational risks, with DORA providing additional specificity for ICT-related operational risks.
The companion circulars BAIT (Bankaufsichtliche Anforderungen an die IT), ZAIT (Zahlungsdiensteaufsichtliche Anforderungen an die IT), and VAIT (Versicherungsaufsichtliche Anforderungen an die IT) -- collectively referred to as xAIT -- are being withdrawn as DORA's implementing and regulatory technical standards take full effect. This simplifies the regulatory landscape in some ways but requires banks to re-map their compliance controls from the familiar xAIT structure to DORA's framework.
ISO 27001 remains a recognized approach for demonstrating the "state of the art" IT security that both MaRisk and DORA reference. An ISO 27001-certified ISMS provides a structured foundation for meeting the technical requirements of both frameworks.
CRR/CRD requirements for capital adequacy and risk management operate alongside MaRisk. MaRisk specifies how the risk management framework should be organized and operated, while CRR/CRD prescribe the quantitative capital and liquidity requirements. Together, they form the complete prudential framework for German banks.
Compliance Automation with Matproof
MaRisk compliance is fundamentally about demonstrating that risk management processes are not just designed but actually operating effectively. The annual audit under KWG Section 26, regular BaFin examinations, and Bundesbank inspections all require evidence that MaRisk requirements are met on an ongoing basis -- not just at a point in time.
Matproof automates the evidence collection that makes this ongoing demonstration possible. The platform maps MaRisk modules to specific controls and evidence items across the AT and BT sections. For AT 4.1 organizational requirements, it collects evidence of role definitions, access controls, and segregation of duties. For AT 7.2/DORA, it monitors IT security controls, backup procedures, and system availability. For AT 9 outsourcing, it tracks outsourcing documentation, SLA compliance, and vendor risk assessments.
The platform's cross-framework capability is particularly valuable given the MaRisk-DORA transition. Matproof maintains mappings between MaRisk AT 7.2, the former BAIT requirements, and the corresponding DORA articles. As banks transition from the xAIT framework to DORA, the platform ensures that evidence collected under the old structure is correctly mapped to the new requirements, avoiding compliance gaps during the transition period.
For the Section 26 annual audit, Matproof generates structured evidence packages organized by MaRisk module. Auditors receive a clear, traceable evidence trail for each requirement rather than a collection of disparate documents. This reduces audit preparation time from weeks to days and significantly reduces the risk of audit findings caused by documentation gaps rather than actual control deficiencies.
All compliance data is stored in German data centers with full EU data residency, meeting BaFin's expectations for data sovereignty and the data protection requirements that apply to the sensitive risk management information that MaRisk evidence contains.
Implementation Roadmap
Phase 1 (Weeks 1-4): MaRisk Mapping and Gap Analysis. Create a comprehensive mapping of all MaRisk requirements applicable to your institution, taking into account the proportionality principle. For each AT and BT module, identify the current state of compliance and document any gaps. Pay particular attention to the boundary between MaRisk and DORA -- determine which requirements are now addressed by DORA and which remain purely MaRisk obligations.
Phase 2 (Weeks 5-8): Control Framework Alignment. Align your internal control framework with the MaRisk mapping. Ensure that each MaRisk requirement has at least one control, that each control has defined evidence, and that evidence collection is either automated or has a clear manual process with assigned ownership. Address the BAIT-to-DORA transition by re-mapping IT controls from the former BAIT structure to DORA's article structure.
Phase 3 (Weeks 9-12): Automation Deployment. Deploy automated evidence collection for controls that can be monitored electronically. Connect the compliance platform to IT infrastructure, HR systems, risk management systems, and governance documentation repositories. Configure dashboards that provide management with real-time visibility into MaRisk compliance status.
Phase 4 (Ongoing): Continuous Monitoring and Audit Readiness. Maintain automated evidence collection year-round. Conduct quarterly internal reviews of MaRisk compliance. Prepare for the Section 26 annual audit by generating pre-structured evidence packages from the compliance platform. Update the MaRisk mapping whenever BaFin publishes circular amendments or new supervisory guidance.
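The Phase 1 and Phase 2 checks above (every applicable module has a control, every control names evidence, manual evidence has an owner, legacy BAIT controls are re-mapped to DORA articles) can be expressed as a gap check over a control register. The script below is an added illustration, not Matproof's code or a BaFin template; the register it runs on is constructed sample data using module names from this page, and the control ids and evidence descriptions are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    control_id: str
    modules: list            # MaRisk modules this control satisfies, e.g. "AT 9"
    evidence: str = ""       # evidence item the control produces
    automated: bool = False  # True if evidence is collected automatically
    owner: str = ""          # required when evidence is collected manually
    bait_ref: str = ""       # legacy BAIT reference, if the control came from BAIT
    dora_articles: list = field(default_factory=list)  # e.g. [9, 12]

def gap_analysis(required_modules, controls):
    """Return finding category -> sorted list of offending module/control ids.

    Invariants follow the roadmap: (1) each required module is covered by at
    least one control; (2) each control defines evidence; (3) manual evidence
    has an assigned owner; (4) a control still tagged with a BAIT reference
    must also carry a DORA article mapping, or it is lost when BAIT is withdrawn.
    """
    covered = {m for c in controls for m in c.modules}
    findings = {"uncovered_module": sorted(set(required_modules) - covered),
                "no_evidence": [], "no_owner": [], "bait_without_dora": []}
    for c in controls:
        if not c.evidence:
            findings["no_evidence"].append(c.control_id)
        elif not c.automated and not c.owner:
            findings["no_owner"].append(c.control_id)
        if c.bait_ref and not c.dora_articles:
            findings["bait_without_dora"].append(c.control_id)
    return findings

# Constructed sample register (hypothetical ids and evidence descriptions).
REQUIRED = ["AT 4.1", "AT 7.2", "AT 7.3", "AT 9", "BTR 4"]
CONTROLS = [
    Control("C-01", ["AT 4.1"], "role matrix export", automated=True),
    Control("C-02", ["AT 7.2"], "backup job logs", automated=True,
            bait_ref="BAIT (legacy)", dora_articles=[9, 12]),
    Control("C-03", ["AT 7.2"], "patch status report", automated=True,
            bait_ref="BAIT (legacy)"),          # not yet re-mapped to DORA
    Control("C-04", ["AT 9"], "vendor risk assessment"),  # manual, no owner
    Control("C-05", ["BTR 4"], ""),                       # evidence undefined
]

if __name__ == "__main__":
    for category, ids in gap_analysis(REQUIRED, CONTROLS).items():
        print(f"{category}: {ids}")
```

Running it on the sample register reports AT 7.3 as uncovered, C-05 without evidence, C-04 without an owner, and C-03 as a BAIT control not yet mapped to DORA; an empty list in every category is the Phase 2 exit criterion.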
FAQ
Will MaRisk be replaced by DORA?
No. DORA replaces the ICT-specific components of MaRisk (primarily AT 7.2 and its detailed specification through BAIT), but MaRisk as a whole remains fully in force. The general organizational requirements (AT 1-6, AT 8-9), all BTO modules for credit and trading business organization, and all BTR modules for specific risk types continue to apply without change. MaRisk is the overarching risk management framework; DORA addresses the ICT-specific subset within that framework.
How often is MaRisk audited?
MaRisk compliance is assessed annually as part of the KWG Section 26 external audit. Additionally, BaFin and the Bundesbank conduct routine and special supervisory examinations that include MaRisk compliance assessment. The frequency of special examinations depends on the institution's risk profile and BaFin's supervisory priorities. Significant institutions under ECB direct supervision are subject to on-site inspections coordinated through the SSM framework, which also assess MaRisk compliance.
What are the consequences of MaRisk non-compliance?
MaRisk non-compliance results in supervisory findings (Feststellungen) that the institution must remediate within a timeframe specified by BaFin. Persistent non-compliance can escalate to formal supervisory measures under KWG Section 25a(2), including restrictions on business activities, capital surcharges, or requirements to strengthen the management board. In severe cases, BaFin can impose administrative fines under KWG Section 49 of up to EUR 5 million per violation. Section 26 external auditors are required to report MaRisk deficiencies in their audit report, which BaFin reviews and may act upon.
How does the proportionality principle work in practice?
The proportionality principle (Proportionalitätsprinzip) in MaRisk AT 1 means that the specific implementation of each requirement should be commensurate with the institution's nature, scale, complexity, and risk profile. A small savings bank (Sparkasse) with straightforward retail banking operations implements MaRisk differently from a large universal bank with complex trading activities. However, proportionality does not mean exemption -- every institution must address the substance of every MaRisk requirement. BaFin evaluates proportionality on a case-by-case basis during supervisory examinations and expects institutions to document their reasoning for how they have applied the principle.