Table of Contents

1. BAIT for banks simply explained – plus the impact of DORA
2. What is BAIT? Meaning, basics and classification
3. Current BAIT version and DORA: Two pillars of information security for banks
4.  Why DORA does not replace BAIT, but develops it further
5. The 7 central subject areas of BAIT – with a view to DORA
6.  What do these IT requirements mean for those in charge?
7.  Support in complying with BAIT and DORA
8. Conclusion: BAIT and DORA are not hurdles, but opportunities

BAIT for the IT of banks simply explained – plus the impact of DORA 

The IT infrastructure of modern banks contributes significantly to the digital transformation in finance and accounting. At the same time, it is under strict supervision: because the Supervisory Requirements for IT in Financial Institutions (BAIT) provide clear specifications in terms of IT security, transparency and traceability.

And with the Digital Operational Resilience Act (DORA), another regulatory framework is moving into focus. The EU regulation is intended to strengthen the digital resilience of financial companies – with impacts on existing IT and compliance structures.

But what exactly do BAIT and DORA require, and how do they interlink? This article provides you with a well-founded overview of the BAIT requirements, shows the connection to DORA and explains why information risk management and digital operational resilience are among the most important compliance goals today.

What is BAIT? Meaning, basics and classification 

The BAIT were published in 2017 by the Federal Financial Supervisory Authority (BaFin). They supplement the Minimum Requirements for Risk Management (MaRisk) and have already been adapted several times.

At its core, it is about this: the BAIT define the expectations the supervisory authority has for IT governance, information security management and outsourcing management at banks and financial service providers. In doing so, they create a binding framework for secure, controlled and traceable IT management.

The BAIT are binding for all institutions – regardless of size or business model. They thus represent a central set of rules for German banking supervision. The BAIT serve as a binding guideline for audits by BaFin. As such, they are an essential element for compliance, information risk management and secure IT governance.

Current BAIT version and DORA: Two pillars of information security for banks 

With the introduction of DORA on 17 January 2025, uniform rules for the digital resilience of financial companies apply in the EU for the first time. The regulation is intended to effectively protect institutions from cyberattacks, IT disruptions and other digital risks – and thus strengthen the stability of the European financial system.

DORA and BAIT overlap in terms of content in many places. Overlaps exist primarily in topics such as IT security, governance structures and the management of third-party providers. Therefore, the BAIT were published in a new version on 16 December 2024. This current BAIT version explicitly refers to DORA in its changes. Institutions that already fall under the DORA requirements (according to Articles 5 to 15 or 16) have since been excluded from the scope of the BAIT.

From 1 January 2027 at the latest, DORA will become mandatory for all affected institutions in Germany. Until then, the requirements of the current BAIT version will apply on an interim basis. This further increases their importance. For IT and compliance teams, this means: existing measures according to BAIT must be reviewed and, if necessary, adapted to the new, sometimes more broadly defined requirements from DORA.

Why DORA does not only replace BAIT, but also develops it further

Although DORA will take over many BAIT aspects in the long term, this does not mean the end of the BAIT. Rather, they are an important transition and supplementary tool on the way to full DORA compliance. They continue to provide specific requirements for institutions that do not yet fall under the EU regulation and help with the operational implementation of regulatory specifications.

In addition, BAIT requirements function like a compliance construction kit: they support institutions in systematically implementing IT governance, information security and outsourcing management. At the same time, they provide optimal preparation for DORA. For many banks, this is a perfect opportunity to improve existing structures and prepare for the new requirements in good time.

The 7 central subject areas of BAIT – with a view to DORA 

 The BAIT are divided into seven essential subject areas. These define how banks and financial service providers must design their IT processes to be secure, controllable and compliant with regulations. With DORA coming into force, complexity is increasing: national specifications such as the BAIT must harmonise with European requirements in the future. This can present institutions with additional challenges – particularly in the transition phase until 2027. IT and compliance managers must familiarise themselves with both sets of rules. 

IT Strategy & IT Governance

BAIT Requirements:

• Central element: Design of a documented IT strategy
• IT strategy must be closely interlinked with the business strategy
• Support through a solid IT governance structure. This includes:
  • Defined roles
  • Clear responsibilities
  • Transparent decision-making paths

Expansion through DORA:

• Increased requirements for the strategic management of IT
• Particular priorities:
  • Digital resilience
  • ICT risk management
  • Cross-departmental coordination

Information Security Management (ISMS) 

BAIT Requirements:

• Regular risk analyses
• Binding security policies
• Targeted training
• Key role for the Information Security Officer (ISO)

Expansion through DORA:

• Broadening of focus:
  • Alongside classic security, operational resilience takes centre stage

• Integration of:
  • Information risk management
  • Cybersecurity
  • Recoverability

These aspects must be thought of and implemented integratively.

IT Risk Management and Information Risk Management 

BAIT Requirements:

• IT risk management as a supporting pillar
• Threats such as system failures, data breaches and risks from third parties must be continuously identified, assessed and managed

Expansion through DORA:

• Focus on information risk management
• Banks must be able to prove resilience against digital risks
• Proof of resilience under all operating conditions

Results for BAIT compliance:

• High requirements for BAIT compliance through DORA
• Proactive measures are required (instead of reactive processes)

IT Projects and Application Development  

BAIT Requirements:

• High degree of structure, quality assurance and documentation for IT projects
• Every software introduction/adaptation must be planned, tested and documented

Expansion through DORA:

• Consideration of project resilience and escalation management
• Project structures must remain capable of action, even during ICT disruptions
• Fulfilment of regulatory requirements necessary

IT Operations and Infrastructure 

BAIT Requirements:

• Monitoring
• Patch management
• Emergency planning
• Business Continuity Management (BCM)

Expansion through DORA:

• Focus on continuous operational resilience
• Dealing with cyberattacks
• Recovery management
• Proof of restart capability (Operational Continuity) These aspects are now explicitly part of regulatory audits – even beyond the BAIT specifications

Outsourcing and Third-Party Provider Management 

BAIT Requirements:

• Mandatory third-party management for banks
• Includes selection, contract design, monitoring and risk analysis

Expansion through DORA:

• Identification of "Critical ICT Third-Party Providers" (e.g. cloud service providers)
• Close monitoring of these third-party providers

Combination of BAIT and DORA:

• Establishment of BAIT-DORA compliance as an overriding goal

Critical Infrastructures (KRITIS) 

BAIT Requirements:

• Special requirements for institutions that count as critical infrastructures (KRITIS)
• Focus on availability, data protection and reliability as core goals

Expansion through DORA:

• Transfer of these requirements to the European level
• Emergence of an overarching protection architecture

Overarching protection architecture includes:

• IT governance
• Cyber resilience
• Reporting obligations

What do these IT requirements mean for those in charge? 

Many BAIT specifications are not new, but they increase the pressure on IT managers to ensure clean and audit-proof implementation.

Three central tasks are in focus:

1. Documentation of all IT processes: from risk analysis to service provider management, to ensure transparency for inspections and audits.
2. Assignment of responsibilities: Important roles such as the Information Security Officer and outsourcing coordinator must be named and equipped with the appropriate powers.
3. Traceability: To pass audits, all measures must be verifiable and documented in a traceable manner at all times.

In addition, with DORA coming into force, the situation is becoming more complex, as European specifications for digital operational stability in the financial sector must now also be taken into account.

Support in complying with BAIT and DORA 

With i-doit, you have a powerful software solution for IT documentation that provides optimal support for companies in the field of critical infrastructures (KRITIS), for example. Or to put it another way: with i-doit, you keep an eye on your entire IT infrastructure. The central recording and management of all IT assets ensures transparent documentation – the basis for effective risk management and compliance with specifications such as BAIT and DORA.

i-doit supports you, among other things, in:

• the identification and assessment of risks
• the implementation of measures for digital resilience
• the recording of security-relevant information
• the fulfilment of regulatory requirements

In short: you promote IT security and governance in your company and at the same time create more transparency and traceability.

Conclusion: BAIT and DORA are not hurdles, but opportunities 

When implemented correctly, BAIT help to set up the IT organisation in banks to be not only compliant with regulations but also future-proof. Those who ensure clear structures early on benefit twice: external audits become easier, and internal advantages also arise – for example, more efficient processes, better coordination between teams and more transparency over the institution's own IT landscape.

With DORA, this ambition is defined even more broadly: the regulation brings a uniform Europe-wide framework that thinks about regulatory requirements holistically – with a strong focus on operational resilience against IT risks.

Institutions that have already built up BAIT-compliant structures thus have an ideal starting point for efficiently integrating DORA requirements. The spectrum ranges from automated incident reporting to the strategic management of third-party providers.

Would you like to find out how to specifically design your IT to be BAIT and DORA compliant? We would be happy to advise you on suitable solutions and show you how i-doit can be a sustainable building block in your IT security strategy.