BaFin has a supervisory problem that is not about law or framework coverage. It is about speed.
Traditional IT audits at financial institutions are thorough. They are also slow. A full-scope review takes months to plan, resource, and complete. By the time findings are processed and controls tested, the threat landscape that prompted the review has moved on.
BaFin President Mark Branson put the problem plainly at the regulator’s annual press conference on 12 May 2026: “The new AI models can identify and even exploit many vulnerabilities in IT systems with remarkable speed.”
The implication is a timing mismatch. Regulators designed to audit annual control cycles are facing attackers who iterate on weekly or even daily cycles. The old inspection rhythm was built for a different threat model.
BaFin’s answer is a format change, not just a resource increase.
What “IT spotlight” means in practice
Branson described a new inspection category designed for exactly this problem. “IT spotlight” inspections, in his framing, “take far less time than fully-fledged reviews.” The practical consequence: “We can therefore complete more of them and thus respond more effectively to current developments and incidents.”
This is not a minor calibration. It is a structural redesign of the supervisory cycle.
A traditional BaFin IT inspection runs across multiple control domains — infrastructure, access management, incident response, third-party dependencies — over an extended engagement. IT spotlight inspections by contrast are targeted. They focus on a defined perimeter, complete within a compressed timeframe, and are repeatable: BaFin can run multiple rounds on the same institution, or sweep across a sector cohort, within a window where a full audit would still be in fieldwork.
The format serves a different analytical purpose. Full audits answer “is this institution’s IT control environment sound overall?” Spotlight inspections answer “is this specific risk or control type performing as declared, right now?”
For AI and cyber risk specifically, the second question is increasingly the one that matters.
Why the format change is the policy move
BaFin’s cyber supervision until recently operated largely on the same cadence as broader prudential work: periodic reviews, thematic inspections across a sample of institutions, and regulatory correspondence when incidents are disclosed.
That model works when threats compound slowly. It does not work when AI-assisted attack tools are shortening the distance between vulnerability identification and exploitation to hours or days.
Branson’s framing at the press conference positioned this as an investment necessity: cyber resilience is “an urgent and essential investment.” The implication for supervised institutions is that BaFin is moving from assessing controls at a moment in time to verifying their operational continuity across repeated shorter checks.
The doctrinal frame for this is already in place. BaFin’s DORA implementation guidance treats ICT-risk management as a lifecycle discipline — continuous rather than cyclical. The IT spotlight format operationalises that posture at the supervisory level. BaFin is not inventing new expectations; it is building an inspection machinery capable of verifying adherence to expectations that already exist in writing.
What the DORA ICT perimeter adds
The connection to DORA matters because it narrows the question BaFin has to answer.
Under DORA’s ICT-risk management framework, German financial institutions are already required to maintain live incident registers, test continuity arrangements, and manage third-party concentration risk as ongoing obligations — not as once-per-year exercises. BaFin’s own guidance material on ICT-risk management frames these as continuous, with board-level ownership of evidence quality.
An IT spotlight inspection can arrive at any point in that cycle and ask: is the register accurate today? Was the last test completed on schedule? Does the control map match what third-party dependencies actually look like?
That is a harder question to answer from an annual-audit posture. Institutions that have treated DORA compliance as a filing exercise — completing submissions on deadline but without continuous operational ownership — will find repeated short inspections more demanding than a single comprehensive audit.
The firms that will handle it most easily are those that have already unified their evidence model: one incident dictionary, one third-party register, one continuity log, all maintained as live documents rather than pre-audit reconstructions.
What this means for German banks and insurers
BaFin has not published a schedule for the expanded IT spotlight programme or specified which institution cohort it will target first. What is clear from the May 12 press conference is that allocation of additional resources for inspections at financial firms has begun, and that the design intent is speed and repeatability, not breadth.
For institutions under BaFin supervision, three adjustments are worth making now.
First, treat every ICT-risk control as potentially subject to a spot check, not only to annual verification. If internal test cycles are structured around audit prep windows, they will not match the cadence BaFin is signalling.
Second, review whether evidence documentation is maintained continuously or reconstructed. A spotlight inspection that arrives without advance notice has no preparation window. Institutions that rely on pre-audit evidence assembly will face a different kind of pressure than those with live record-keeping.
Third, confirm that board-level and senior-management accountability for ICT risk is operationally real, not only stated in policy. BaFin has been explicit — in DORA guidance and in Branson’s public statements — that executive ownership of cyber resilience is a supervisory expectation, not a best practice.
The inspection format is changing because the threat model changed first.
Institutions that adjust their internal cycle to match the new supervisory rhythm will spend less time managing examination logistics. Those that do not will find shorter inspections arriving more often, each one testing a narrower question more directly.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.