Germany’s Federal Financial Supervisory Authority (BaFin) has published new guidance outlining how financial institutions should manage ICT risks when deploying artificial intelligence, providing practical direction on compliance with the EU’s Digital Operational Resilience Act (DORA).
The 35-page document, “Guidance on ICT Risks in the Use of AI at Financial Entities,” is intended as non-mandatory advice for institutions subject to DORA’s ICT risk management requirements, including Capital Requirements Regulation (CRR) institutions and Solvency II insurers. BaFin said the guidance aims to help supervised entities integrate AI systems into existing ICT risk frameworks while addressing risks unique to AI technologies.
Financial entities are increasingly using AI across their value chains, from customer service chatbots and fraud detection to credit risk assessment and automated claims processing. BaFin notes that while AI can improve efficiency and risk modeling, it also introduces heightened ICT risks, particularly where systems rely on cloud infrastructure or third-party providers.
The guidance emphasizes that AI systems should be treated as part of the broader network and information systems covered under DORA. Institutions must embed AI within their ICT risk management framework, including identification, protection, detection, response, recovery, and continuous improvement measures.
BaFin highlights several areas of concern, including data integrity, cybersecurity threats such as adversarial attacks and model manipulation, third-party ICT risk, and potential vendor lock-in in cloud-based AI deployments. It also underscores the importance of governance, board-level oversight, employee training, and clearly defined roles when AI systems are used in critical or important functions.
The guidance further addresses secure development and testing of AI systems, logging and monitoring during operation, resilience testing, encryption and data classification requirements, and incident reporting obligations for major ICT-related events.
BaFin said the document is intended as a “living” framework that can evolve alongside technological advances and regulatory developments.