Germany is moving toward a leaner version of MaRisk, the national minimum requirements for bank risk management. That does not mean German banks are moving into a lighter supervisory cycle.
The Bundesbank’s event notice for the 19 June 2026 digital supervisory briefing, “Die 10. MaRisk”, says BaFin and the Bundesbank have fundamentally revised MaRisk, making it more principle-oriented and less complex. The draft of the ninth amendment was put out for consultation on 1 April 2026. After the consultation, BaFin and the Bundesbank are reviewing submissions before the official new version is expected around mid-2026.
That is the immediate calendar point for German bank boards, compliance teams and international investors watching the German supervisory perimeter. A rulebook simplification is coming. But the surrounding risk file has become more demanding, not less. The same supervisors are operating in a market where operational resilience, DORA implementation, ICT outsourcing, cloud concentration and cyber risk have moved from specialist IT topics into core prudential supervision.
The tension is important. A more principle-based MaRisk can reduce unnecessary detail and make the framework easier to apply across different bank sizes and business models. It can also push more judgement back onto institutions. When a rule is less prescriptive, the question for the bank becomes harder in another way: can management explain why its chosen control design is appropriate for its risk profile, its outsourced service chain and its critical functions?
That is not deregulation. It is a shift from checklist compliance toward evidence-led supervision.
BaFin’s strategic objectives for 2026 to 2029 point in that direction. The authority says it wants supervised companies and their material service providers to strengthen operational resilience. It says ICT and outsourcing risks are firmly in view, and that interconnections and concentration risks in outsourcing are watched across business lines, sectors and borders. That language matters for MaRisk because risk management is no longer only about capital, liquidity, credit files and internal governance documents. It is also about whether a bank can keep critical operations running when technology dependencies fail.
DORA supplies the European legal floor for much of that expectation. BaFin’s DORA materials describe a regime covering ICT risk management, serious ICT incident reporting, digital operational resilience testing and ICT third-party risk. Since January 2025, DORA has applied across the EU financial sector. For German institutions, the practical effect is that MaRisk governance now sits next to a more explicit operational-resilience rulebook. The two are not substitutes. They are adjacent evidence files.
The outsourcing angle is where the supposedly simpler MaRisk story becomes most concrete. In its article on DORA and ICT third-party providers, “Nicht jede Konzentration ist ein Risiko”, BaFin says European financial supervision will oversee ICT third-party providers on which the industry depends. It also says BaFin’s IT supervision has dealt for years with concentration risks in IT outsourcing, especially cloud outsourcing. Under national powers, the supervisor can request documents and information directly from systemically relevant service providers, conduct on-site inspections at those providers and order measures to prevent or remedy deficiencies.
That is the control bill behind the MaRisk rewrite. If a bank uses fewer, broader principles to organise risk management, it still has to map who performs critical services, where the technology sits, which contracts and exit options support continuity, how incidents are reported, and how management receives evidence that controls are working. A leaner MaRisk text does not make those dependencies disappear. It may make them more visible because institutions can no longer hide weak judgement behind a dense procedural checklist.
For smaller and medium-sized German banks, this is a particular management problem. Proportionality is supposed to matter in principle-based supervision. A cooperative bank, savings bank or specialist lender should not be expected to run the same control architecture as a global bank. But proportionality is not an exemption from understanding outsourced ICT risk. A smaller institution may be more dependent on shared service providers, core-banking vendors or cloud platforms precisely because it cannot build everything itself.
For large banks, the problem is different. They have more internal control capacity, but also more complex group structures, cross-border service chains and critical processes. Their MaRisk answer has to join board oversight, business-line risk ownership, outsourcing registers, cyber testing, operational resilience and recovery planning. The official text may become less complex; the evidence trail across the institution will not.
The June briefing is therefore more than a technical update for regulatory specialists. It is a signal about Germany’s preferred supervisory style after DORA has gone live. BaFin and the Bundesbank appear to be simplifying the national risk-management framework while keeping pressure on the parts of the system where recent failures would hurt most: technology resilience, supplier concentration and management accountability.
There is a useful way to read the coming MaRisk version. The relevant question is not whether the document contains fewer detailed instructions. The relevant question is whether a bank can explain, with evidence, how its own risk-management system meets the principle under current conditions. Current conditions include faster cyber threats, cloud concentration, DORA incident reporting and a supervisory agenda that treats operational resilience as part of financial-market safety.
That is why the phrase “less complex” should not be mistaken for “less demanding.” A clearer rulebook can be easier to read and harder to satisfy. It gives supervisors fewer narrow boxes to tick and more room to ask whether the institution’s risk choices make sense.
For German banks, the work before mid-2026 is consequently practical. They should use the MaRisk transition to reconcile old risk-management documentation with DORA artefacts, outsourcing registers, resilience tests and board reporting. The expensive failure would be to treat MaRisk simplification as a paper exercise while operational-resilience evidence remains scattered across IT, compliance, procurement and business units.
Germany’s bank supervisors are not loosening the risk-management frame. They are trying to make it more usable. In a DORA world, usability comes with a sharper question: if the principle is clear, can the bank prove it is living by it?
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.