The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) published the 9th amendment to the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, “MaRisk”) for consultation on 1 April 2026. The draft MaRisk amendment pursues the objective of designing the regulatory MaRisk framework in a more principle-based manner, implementing proportionality more consistently, and integrating current EU legal requirements, in particular regarding environmental, social and governance risks (“ESG risks”) and the Digital Operational Resilience Act (“DORA”), into MaRisk.
This contribution provides an overview of the key changes envisaged by the 9th MaRisk amendment (under the first section) as well as an initial assessment of whether and to what extent the MaRisk amendment would lead to a more principle-based regulatory approach (under the outlook section).
The 9th amendment – an overview of the changes
The key changes by the 9th MaRisk amendment include an adjusted scope of application (under I.), the introduction of categories (Größenklassen) for less significant institutions and specific regulatory ease in this respect (under II.), as well as the specification of ESG requirements pursuant to section 26c of the German Banking Act (Kreditwesengesetz, “KWG”) (under III.). In addition, BaFin intends to introduce amendments relating to emergency management (under IV.) and outsourcing management (under V.).
I. Adjusted scope of application
BaFin intends to adjust the scope of application of MaRisk, in particular for reasons of proportionality and in order to implement legislative changes in relation to third-country branches (“TCB”) under the Capital Requirements Directive (“CRD”).
- MaRisk no longer applicable to significant credit institutions: BaFin intends to incorporate proportionality considerations into MaRisk in particular by excluding significant credit institutions subject to direct supervision by the European Central Bank (“ECB”) from the scope of MaRisk. This is consistent and plausible, as MaRisk constitute interpretative administrative guidelines (normeninterpretierende Verwaltungsvorschriften) which are self-binding commitments by BaFin vis-à-vis supervised institutions regarding the interpretation of section 25a KWG. MaRisk do not have any binding effect on the ECB. It remains to be seen, however, whether and to what extent a “voluntary” application of at least individual MaRisk requirements – such as the requirements relating to trading processes (cf. BTO 2.2) – by significant credit institutions (and their external auditors) will continue.
- Inclusion of TCBs: BaFin extends the scope of MaRisk by making it applicable also to TCBs within the meaning of section 53c(1) KWG, i.e. branches of undertakings with their registered office in a third country that accept deposits, grant loans or conduct the guarantee business within Germany. This is consistent in light of the new regulatory requirements for TCBs introduced into the KWG by the Banking Directive Implementation and Bureaucracy Reduction Act (Bankenrichtlinienumsetzungs- und Bürokratieentlastungsgesetz, “BRUBEG”).
II. Introduction of categories for small and very small institutions and regulatory ease
BaFin intends to further incorporate proportionality considerations into MaRisk by classifying small institutions into two categories. For concerned institutions, this is supposed to be accompanied by a reduction of regulatory requirements in specific areas.
- Categories: The MaRisk amendment classifies institutions that are not significant credit institutions into two categories: (i) very small institutions and TCBs that do not exceed a four-year average total balance sheet of EUR 1 billion, and (ii) small institutions (small and non-complex institutions, “SNCIs”) pursuant to Article 4(1) point 145 of Regulation (EU) No. 575/2013 (Capital Requirements Regulation, “CRR”) and so-called class 2 TCBs, i.e. institutions or TCBs in particular with assets of EUR 5 billion or less during the past four-year period or for the preceding annual reporting period (cf. AT 1, para. 3).
- Regulatory ease: The classification into the above categories results in regulatory ease that is expressly provided in the relevant sections of MaRisk, in particular as follows:
  - Stress tests: In the case of stress tests, very small institutions may opt out from risk type-specific stress tests if all material risks are adversely affected in the stress test for the overall risk profile (cf. AT 4.3.3, para. 2). In addition, small institutions are not required to conduct reverse stress tests (cf. AT 4.3.3, para. 4). As regards stress tests to be conducted for liquidity risks, small institutions need to analyse only the scenario that regularly has the greatest impact (cf. BTR 3, para. 6).
  - Risk control function: In small institutions with no more than three management board members, it is generally sufficient that the front office (Markt) for “non-risk-relevant” credit business and the risk control function are segregated up to directly below the management board level, provided that there are no material conflicts of interest and there is no concentration of responsibilities in the management board member concerned (cf. AT 4.4.1, para. 1). In addition, small institutions may, by way of derogation from the principle of segregating the risk control function and the back office (Marktfolge) up to directly below the management board level, allocate both functions under joint management, provided that no material conflicts of interest exist (cf. AT 4.4.1, para. 4).
  - Compliance function: In the case of very small institutions, the function of the compliance officer may also be assigned to a management board member, provided that measures to avoid conflicts of interest have been implemented (cf. AT 4.4.2, para. 4).
  - Internal audit function: In the case of very small institutions, the internal audit function may be performed by a management board member if establishing a dedicated unit for internal audit would be disproportionate and measures to avoid conflicts of interest have been implemented (cf. AT 4.4.3, para. 1).
  - Risk reporting: With regard to risk reporting (BT 2.2, para. 1), small institutions are not required to provide interim reports in case of stable risks, and they may refer to previous reports where the risk situation remains unchanged; the frequency of reporting, however, needs to be adjusted during stress phases.
  - Credit business: For very small institutions, a clear organisational segregation of the front office (Markt) and back office (Marktfolge) up to and including management board level is not necessary for the credit business, to the extent that a vote by both functions is not required where the management board is directly involved in the granting of risk-relevant loans and proper handling of the credit business is ensured; in such cases, the management board itself is required to process and approve risk-relevant loans (cf. BTO 1.1, para. 1).
III. ESG integration: scenario and resilience analyses as well as stress tests
The MaRisk amendment specifies the requirements of section 26c KWG on ESG risk management, which entered into force on 1 April 2026, and implements the EBA Guidelines on the management of ESG risks (EBA/GL/2025/01) and on environmental scenario analysis (EBA/GL/2025/04) into MaRisk. In this respect, the MaRisk amendment contains a definition of ESG risks (cf. AT 2.2, para. 3) which are understood as events or conditions related to environment, social or governance factors that act as risk drivers or risk factors and may impact the material risk types, i.e. counterparty and credit risk, market risk, liquidity risk and operational risk, as well as other material risk types. This essentially corresponds to the definition pursuant to Article 4(1) point 52d CRR.
When integrating ESG risks, institutions are required in particular to observe the following requirements:
- Risk inventory: In order to specify the materiality of ESG risks relevant to the risk inventory, the MaRisk amendment envisages a materiality threshold of 5 % of the risk coverage potential (Risikodeckungspotenzials); risks related to information and communication technology (“ICT”) are included in operational risks (cf. AT 2.2, para. 1).
- Assessment of the impact of ESG risks: When assessing the impact of ESG risks, institutions are required to use a combination of different methods (in particular risk position-, sector-, portfolio- and scenario-based methods). Institutions are required to consider various plausible scenarios that are consistent with scientific findings; reliance solely on historical data is not sufficient (cf. AT 2.2, para. 3).
- ESG-related stress tests: MaRisk emphasise that material environmental risks are required to be appropriately taken into account in the design of stress tests. In addition, resilience analyses need to be conducted over a time horizon of at least ten years. Institutions may also use sensitivity analyses to take environmental risks into account in their stress test programme, whereby small institutions may use qualitative approaches in this respect (cf. AT 4.3.3, para. 7).
- Resilience analyses: In resilience analyses, various scenarios must be compared. In this respect, the scenario which reflects the most likely scenario of environmental conditions (i.e. the reference scenario) must be compared with at least one adverse alternative scenario from the spectrum of plausible future scenarios. For the analysis of long-term resilience, institutions may rely on qualitative approaches (cf. AT 4.3.3, para. 7).
In general, the complexity and frequency of scenario analyses are required to be consistent with the materiality of ESG risks, the current state of development and maturity of the available methods and procedures, and the institution’s internal capacities (cf. AT 4.3.3, para. 7).
IV. Stricter requirements for emergency management
BaFin intends to tighten the requirements for emergency management:
- Enhanced emergency plan: As in the current version of MaRisk, arrangements are required to be made through an emergency plan for activities and processes that support critical or important functions. The emergency plan needs to include business continuity and recovery plans and, in addition, be based on plausible scenarios and reasonable assumptions (cf. AT 7.3, para. 2). What is new under the 9th MaRisk amendment is the express requirement that the emergency plan needs to determine responsibilities, objectives and measures for continuing or restoring operations, as well as define classification criteria and criteria for triggering the plans (cf. AT 7.3, para. 1).
- Introduction of business impact analyses: Also new is the express requirement to conduct business impact analyses, which examine the consequences for business operations of impairments of activities and processes over different time periods. The nature and scale of the material or immaterial losses as well as the point in time of the failure need to be taken into account (cf. AT 7.3, para. 1).
V. Outsourcing – New organisational structure and adaptations to DORA
Furthermore, the 9th MaRisk amendment envisages several changes in AT 9 regarding outsourcing requirements.
1. Definition of the MaRisk and DORA scope of application
A key amendment is the explicit delineation of the MaRisk requirements from ICT third-party risk management pursuant to DORA. Outsourced or externally procured (fremdbezogene) ICT services within the meaning of Article 3 point 21 DORA that are subject to ICT third-party risk management pursuant to Articles 28 to 30 DORA will no longer fall within the scope of AT 9 (cf. AT 9, para. 1). This creates a clear regulatory separation between the general outsourcing requirements of MaRisk and the specific DORA requirements for ICT third-party risk management.
2. Introduction of a central outsourcing management function
The current version of MaRisk requires a central outsourcing officer within the organisation of the institution itself. The MaRisk amendment no longer envisages the appointment of a central outsourcing officer and instead requires the establishment of a central outsourcing management function, the dimension of which depends on the nature, scale and complexity of the outsourcing activities (cf. AT 9, para. 12). The tasks of the central outsourcing management function pursuant to AT 9, para. 12 include in particular:
- implementing and further developing an appropriate outsourcing management and corresponding control and monitoring processes,
- creating and maintaining full documentation of outsourcing arrangements (including subcontracted activities and processes),
- supporting the business units with regard to internal and statutory requirements for outsourcing, and
- coordinating and reviewing the risk analysis conducted by the responsible units.
Further, BaFin intends to lift the requirement to maintain a register of outsourcing arrangements in accordance with the minimum content requirements of the EBA Guidelines on outsourcing (EBA/GL/2019/02). A register of outsourcing arrangements, however, remains required pursuant to section 25b(1) sentence 4 KWG. Furthermore, the consultation paper on the EBA Draft Guidelines on the sound management of third-party risk maintains the requirement to keep a register of outsourcing arrangements. While a possible merger with the register of information on ICT third-party service arrangements under DORA is being considered, the 9th MaRisk amendment does not contain any specific guidance on the technical implementation in this respect. Against this background, it remains to be seen whether a separate register of outsourcing arrangements within the meaning of the EBA Guidelines will continue to be required in the future.
Conclusion and outlook
BaFin announced a paradigm shift for the 9th MaRisk amendment at its Digital Supervisory Briefing on 5 February 2026. The amended MaRisk are intended to be significantly leaner and, with the objective of a more principle-based approach, to contain less regulatory detail. In the 9th MaRisk amendment, the enhanced principle-based approach is most visible in the proportionality considerations, in particular through the classification of institutions into certain categories with corresponding regulatory ease. In addition, many requirements are intended to be consolidated and also simplified, in particular for very small institutions. However, the level of detail would be increased in certain areas through the implementation of new EBA Guidelines and the specification of new KWG requirements.
BaFin’s consultation process for the 9th MaRisk amendment runs until 8 May 2026. It is unclear when an updated version of MaRisk can be expected. Since BaFin also implements the EBA Guidelines on internal governance, which are currently available only in draft form, it can be assumed that MaRisk will not be finalised until after the final EBA Guidelines have been published.