ISMS Copilot for German fintech compliance
DORA is now the primary ICT regime for German financial entities — here is the residual national layer (MaRisk, residual BAIT, KRITIS-finance).
The post-January-2025 German fintech stack
- Implement DORA as the lead ICT regime: risk-management framework, incident classification, resilience testing, third-party register
- Identify what survives the BaFin alignment — residual BAIT scope and the MaRisk requirements DORA does not displace (notably outsourcing under AT 9)
- Confirm KAIT / VAIT / ZAIT are withdrawn for DORA-covered entities and avoid maintaining repealed-circular controls
- Run the KRITIS finance-sector applicability test against BSI sector thresholds (separate from DORA)
- Reconcile the DORA RTS/ITS technical standards with any remaining national expectation onto one ISO 27001 Annex A control set
- Draft incident-reporting procedures aligned to the DORA timeline, plus §8b BSIG reporting if KRITIS applies
Built for the German fintech compliance lead
DORA ICT risk-management, testing, and third-party register modules
BaFin-alignment map: which BAIT clauses remain vs which moved to DORA RTS/ITS
MaRisk AT 9 outsourcing-governance documentation
KRITIS finance-sector threshold and BSI registration assessment
ISO 27001 ↔ DORA ↔ residual-BAIT cross-mapping
DORA + (where applicable) §8b BSIG incident-reporting workflow templates
What changed in January 2025 — and what is still German-specific
Until 2025 a German fintech worked from BaFin's national IT circulars — BAIT (banks), KAIT (capital-management companies), ZAIT (payment/e-money institutions), VAIT (insurers). DORA changed that. With DORA applicable from 17 January 2025, BaFin acted to prevent double regulation: it withdrew the standalone KAIT, VAIT, and ZAIT circulars for entities in DORA scope and substantially reduced BAIT, since the DORA Regulation and its RTS/ITS now carry the ICT risk-management, testing, and third-party requirements directly. What remains genuinely German is narrower: MaRisk (general risk management, and outsourcing under AT 9), any residual BAIT applicability for institutions or topics not fully captured by DORA, and KRITIS-finance — a separate BSI regime triggered by sector thresholds, with registration, attack-detection (SzA), and §8a/§8b BSIG obligations that DORA does not replace. ISMS Copilot runs DORA as the spine and layers only the residual national requirements on top, rather than maintaining repealed circulars.
DORA framework details →
Free DORA scope checker — start from the EU regulation
Now that BaFin has retracted KAIT/VAIT/ZAIT and slimmed BAIT, the DORA regulation itself drives ICT obligations for in-scope German financial entities. The free DORA Applicability Checker walks the Regulation 2022/2554 financial-entity scope test as a structured first pass — a starting point for the post-17-January-2025 German layer above, not a final legal determination of BaFin supervisory category.
Open the free DORA Applicability Checker →
Frequently Asked Questions
Did DORA replace BAIT, KAIT, VAIT, and ZAIT?
Largely, for entities in DORA scope. With DORA applicable from 17 January 2025, BaFin withdrew the standalone KAIT, VAIT, and ZAIT circulars and substantially slimmed BAIT to avoid double regulation — the DORA Regulation and its RTS/ITS now carry the ICT requirements directly. ISMS Copilot maps which national clauses were superseded so you stop maintaining repealed controls and focus on the residual German layer.
What is still German-specific for a fintech after January 2025?
Mainly MaRisk (general risk management, and outsourcing under AT 9), any residual BAIT applicability not fully captured by DORA, and KRITIS-finance. ISMS Copilot separates the DORA-governed controls from this residual national layer so each is documented once.
When does a German fintech fall under KRITIS?
When its finance-sector activities and volumes exceed the BSI's defined thresholds, the entity becomes a KRITIS operator with BSI registration, attack-detection (SzA), and §8a/§8b BSIG obligations. This is separate from DORA and not displaced by it. ISMS Copilot runs the sector and threshold test so you know whether KRITIS is in scope.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready output.
