Prudential requirements for IT – BAIT

The prudential requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT), which are mainly intended for the management boards of credit institutions, aim to provide a more transparent outline of supervisors’ expectations regarding IT security.

This Circular provides a flexible and practical framework for institutions’ technical and organisational resources on the basis of Section 25a(1) of the German Banking Act (Kreditwesengesetz) – in particular for IT resource management and IT risk management. Moreover, it specifies the requirements laid down in Section 25b of the Banking Act (outsourcing of activities and processes).

The Circular was amended on 14 September 2018 to include an optionally applicable module (“Kritische Infrastrukturen”), which describes solely for operators of critical infrastructures the additional conditions that must be met to enable the external auditor to substantiate compliance with requirements pursuant to Section 8a(3) of the BSI Act (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik).