From BAIT/VAIT/KAIT/ZAIT to DORA

What changes from BAIT to DORA? Transition timeline until 2027, mapping, and new requirements.

From German Sectoral Requirements to DORA

German financial entities have long been subject to sector-specific ICT requirements issued by BaFin: BAIT (Bankaufsichtliche Anforderungen an die IT) for banks, VAIT (Versicherungsaufsichtliche Anforderungen an die IT) for insurers, KAIT (Kapitalverwaltungsaufsichtliche Anforderungen an die IT) for asset managers, and ZAIT (Zahlungsdiensteaufsichtliche Anforderungen an die IT) for payment service providers.

With DORA (EU Regulation 2022/2554) applying since 17 January 2025, these German regulations are being superseded by a unified European framework. This guide explains what changes, what stays the same, and how to manage the transition effectively.

Transition Timeline

The transition from BAIT/VAIT/KAIT/ZAIT to DORA follows a phased approach:

  • 17 January 2025: DORA enters into application. All financial entities within scope must comply with the regulation.
  • 2025-2026: Transition period where BaFin aligns its supervisory practices with DORA. BAIT, VAIT, KAIT, and ZAIT remain formally in effect for areas not yet covered by DORA RTS/ITS, but DORA takes precedence as directly applicable EU law.
  • 1 January 2027: BaFin plans to formally withdraw BAIT, VAIT, KAIT, and ZAIT once all DORA Level 2 measures (RTS/ITS) are fully applicable. After this date, DORA and its technical standards will be the sole regulatory framework for ICT requirements.

During the transition period, treat DORA as the primary framework and keep existing BAIT/VAIT controls in place until the circulars are formally withdrawn; where the two conflict, DORA prevails as directly applicable EU law. Confirm the formal status of each circular against BaFin's current publications before relying on these dates.

What Changes: BAIT/VAIT vs. DORA

While BAIT/VAIT and DORA share many conceptual similarities (both address ICT risk management, outsourcing, and incident management), DORA introduces several significant differences:

Scope and Legal Status

BAIT/VAIT are German supervisory circulars (Rundschreiben) with interpretive character. DORA is a directly applicable EU regulation with the force of law, so its requirements are binding and enforceable rather than supervisory expectations. The scope is also broader: Art. 2 of DORA covers 21 types of financial entity, including crypto-asset service providers and crowdfunding service providers that were never within the scope of BAIT/VAIT.

Incident Reporting

BAIT itself required incident handling and internal escalation but set no harmonised external reporting deadlines; external reporting duties for German entities came from separate instruments with sector-specific timelines (for example, the PSD2-based reporting of major operational or security incidents by payment service providers under the ZAG). DORA replaces this with a harmonised three-stage regime for major ICT-related incidents on standardised templates: an initial notification within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report (summarised on this page as 4h/72h/30d). The classification criteria under Art. 18 and the Level 2 RTS that sets their thresholds are more prescriptive than the previous German approach. See our Incident Reporting guide for details.
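The three clocks start from different events, which is exactly what trips up teams that have only internalised "4h/72h/30d". The following Python is an added example, not part of this page or of any supervisory template: it computes the latest permissible submission time for each report from timezone-aware timestamps, applying the 24-hour cap on the initial notification that runs from the moment of awareness. The timestamps are constructed, and the 30-day final-report interval is an approximation of the RTS's "one month", as on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Clocks for a major ICT-related incident (DORA Art. 19 and the Level 2 RTS on
# incident reporting). Each clock starts from a different event.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
# The RTS phrases the final-report interval as "one month"; 30 days is used
# here as an approximation (assumption), matching the shorthand on this page.
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime
    initial_capped_by_awareness: bool  # True when the 24h-from-awareness limit binds


def _require_aware(name: str, value: datetime) -> None:
    """Refuse naive datetimes: cross-time-zone deadline errors are a classic failure mode."""
    if value.tzinfo is None or value.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def initial_deadline(aware_at: datetime, classified_at: datetime) -> Tuple[datetime, bool]:
    """Latest time for the initial notification: 4h after classification as
    major, but never later than 24h after the entity became aware."""
    _require_aware("aware_at", aware_at)
    _require_aware("classified_at", classified_at)
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    by_classification = classified_at + INITIAL_AFTER_CLASSIFICATION
    by_awareness = aware_at + INITIAL_CAP_AFTER_AWARENESS
    capped = by_awareness < by_classification
    return min(by_classification, by_awareness), capped


def reporting_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: Optional[datetime] = None,
    intermediate_sent_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """Compute all three deadlines. The 72h and 30d clocks run from the actual
    submission of the previous report; if that has not happened yet, the
    previous deadline is used, which yields the latest permissible dates."""
    initial, capped = initial_deadline(aware_at, classified_at)
    initial_basis = initial_sent_at if initial_sent_at is not None else initial
    _require_aware("initial_sent_at", initial_basis)
    intermediate = initial_basis + INTERMEDIATE_AFTER_INITIAL
    intermediate_basis = intermediate_sent_at if intermediate_sent_at is not None else intermediate
    _require_aware("intermediate_sent_at", intermediate_basis)
    final = intermediate_basis + FINAL_AFTER_INTERMEDIATE
    return ReportingDeadlines(initial, intermediate, final, capped)


if __name__ == "__main__":
    # Constructed timestamps, not from a real incident.
    utc = timezone.utc
    aware = datetime(2025, 3, 10, 8, 0, tzinfo=utc)
    # Classified two hours after awareness: the 4h clock binds.
    print(reporting_deadlines(aware, datetime(2025, 3, 10, 10, 0, tzinfo=utc)))
    # Classified 22 hours after awareness: the 24h cap binds and leaves only 2h.
    print(reporting_deadlines(aware, datetime(2025, 3, 11, 6, 0, tzinfo=utc)))
```

Note that a slow classification does not buy time: once 20 hours have passed since awareness, the initial notification is due within whatever remains of the 24-hour window, not 4 hours after classification.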

Resilience Testing

BAIT addressed penetration testing under the "Operative Informationssicherheit" chapter but did not mandate Threat-Led Penetration Testing. DORA introduces a formal two-tier testing regime: a testing programme covering all entities (Art. 24-25) and TLPT at least every three years for entities identified as significant (Art. 26-27). The TLPT requirement is entirely new for most German financial entities. See our Resilience Testing page.

Third-Party Risk and Information Register

BAIT addressed outsourcing under the "Auslagerungen und sonstiger Fremdbezug von IT-Dienstleistungen" chapter. DORA significantly expands these requirements. The mandatory information register under Art. 28(3) has no equivalent in BAIT/VAIT. The contractual requirements under Art. 30 are more detailed than the BAIT outsourcing clauses. The CTPP oversight framework (Art. 31-44) is entirely new. See our Third-Party Risk and Information Register pages.

Management Body Accountability

BAIT referenced management responsibility through MaRisk (Mindestanforderungen an das Risikomanagement) but did not impose explicit training requirements on the management body. DORA Art. 5(4) explicitly requires management body members to undergo regular ICT risk training. The personal accountability provisions are more prescriptive than under the BAIT/MaRisk framework.

BAIT to DORA Mapping

BAIT chapter                       | DORA articles   | Key differences
-----------------------------------|-----------------|---------------------------------------------------------------
IT-Strategie                       | Art. 6(8)       | DORA requires a specific digital operational resilience strategy
IT-Governance                      | Art. 5          | Explicit training requirement for the management body; personal accountability
Informationsrisikomanagement       | Art. 6-8        | More detailed asset inventory and dependency mapping required
Informationssicherheitsmanagement  | Art. 9          | Largely comparable; DORA adds network segmentation emphasis
Operative Informationssicherheit   | Art. 10, 24-27  | DORA adds TLPT; formal testing programme requirement
IT-Notfallmanagement               | Art. 11-14      | DORA adds specific RTO/RPO requirements; crisis communication
Auslagerungen                      | Art. 28-30      | Information register is new; more detailed contractual clauses
(No BAIT equivalent)               | Art. 17-23      | Harmonised incident reporting with 4h/72h/30d deadlines
(No BAIT equivalent)               | Art. 31-44      | CTPP oversight framework is entirely new
(No BAIT equivalent)               | Art. 45         | Information sharing arrangements are new

The mapping shows that entities with mature BAIT compliance have a solid foundation for DORA. However, significant gaps exist in incident reporting, TLPT, the information register, and management body training. These areas require dedicated attention.

What Stays the Same

Good news for BAIT/VAIT-compliant entities: many foundational elements carry over directly to DORA:

  • ICT risk management: The core lifecycle of identification, protection and prevention, detection, and response and recovery (Art. 8-11) remains the same. Your existing ICT risk assessments and security controls are directly applicable.
  • Access management: Requirements for identity management, role-based access, and privileged access management are conceptually identical.
  • Change management: BAIT change management processes map well to DORA Art. 9 requirements.
  • Business continuity: BCP and DR planning requirements under BAIT transfer well, though DORA adds more specificity around RTO/RPO and crisis communication.
  • Outsourcing basics: The fundamental approach to outsourcing risk management, including due diligence, contract management, and monitoring, remains similar.

Migration Checklist

For entities migrating from BAIT/VAIT to DORA, prioritise the following delta items:

  • Build the information register (Art. 28(3)) for all ICT third-party arrangements
  • Establish the three-stage incident reporting process with 4h/72h/30d deadlines
  • Implement or enhance the management body training programme on ICT risk
  • Develop a formal resilience testing programme, including assessment of TLPT applicability
  • Review all ICT third-party contracts against Art. 30 mandatory clauses
  • Assess and document concentration risk across ICT providers
  • Develop and test exit strategies for critical ICT services
  • Formulate a digital operational resilience strategy (Art. 6(8))
  • Establish learning and evolving processes (Art. 13) for post-incident review
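Two of the checklist items above, concentration risk and exit strategies, are only answerable once the information register exists, and the concentration question has a trap: two unrelated direct providers can share the same subcontractor. The following Python is an added example, not part of this page or of the ITS register templates: it runs both checks over a constructed mini-register, counting critical-function dependencies for direct providers and, through the recorded subcontractor chain, for fourth parties as well. The field names, the sample rows and the 50% flagging threshold are this example's own assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample register (not a real entity's data). Field names are this
# example's own, not the ITS column names. Each row is one contractual arrangement
# supporting one function.
SAMPLE_REGISTER = [
    {"id": "ARR-001", "provider": "CloudCo", "function": "core banking",
     "critical": True, "subcontractors": ["HyperScale DC"], "exit_strategy": True},
    {"id": "ARR-002", "provider": "PayGate", "function": "payment processing",
     "critical": True, "subcontractors": ["HyperScale DC"], "exit_strategy": False},
    {"id": "ARR-003", "provider": "CloudCo", "function": "customer portal",
     "critical": True, "subcontractors": [], "exit_strategy": True},
    {"id": "ARR-004", "provider": "HRSoft", "function": "HR system",
     "critical": False, "subcontractors": ["HyperScale DC"], "exit_strategy": False},
    {"id": "ARR-005", "provider": "SecOps Ltd", "function": "SOC monitoring",
     "critical": True, "subcontractors": [], "exit_strategy": True},
]


def critical_functions_by_party(register: List[dict], include_subcontractors: bool = True) -> Dict[str, Set[str]]:
    """Map each party to the set of critical or important functions that depend on it.
    With include_subcontractors=True a fourth party is credited with every critical
    function that reaches it through a direct provider."""
    deps: Dict[str, Set[str]] = defaultdict(set)
    for row in register:
        if not row["critical"]:
            continue
        deps[row["provider"]].add(row["function"])
        if include_subcontractors:
            for sub in row["subcontractors"]:
                deps[sub].add(row["function"])
    return dict(deps)


def concentration_findings(
    register: List[dict], share_threshold: float = 0.5, include_subcontractors: bool = True
) -> List[Tuple[str, List[str], float]]:
    """Parties on which at least `share_threshold` of all critical functions depend.
    The 50% default is an illustrative assumption, not a regulatory figure."""
    critical_functions = {r["function"] for r in register if r["critical"]}
    if not critical_functions:
        return []
    findings = []
    for party, functions in critical_functions_by_party(register, include_subcontractors).items():
        share = len(functions) / len(critical_functions)
        if share >= share_threshold:
            findings.append((party, sorted(functions), round(share, 2)))
    return sorted(findings, key=lambda f: (-f[2], f[0]))


def critical_without_exit_strategy(register: List[dict]) -> List[str]:
    """Arrangement IDs for critical functions that have no documented exit strategy."""
    return sorted(r["id"] for r in register if r["critical"] and not r["exit_strategy"])


if __name__ == "__main__":
    print("direct providers only:", concentration_findings(SAMPLE_REGISTER, include_subcontractors=False))
    print("including supply chain:", concentration_findings(SAMPLE_REGISTER))
    print("critical arrangements without exit strategy:", critical_without_exit_strategy(SAMPLE_REGISTER))
```

Run on the sample, the direct-provider view flags only CloudCo, while the supply-chain view also surfaces HyperScale DC, which appears in no critical arrangement as a direct counterparty but underpins half of the critical functions through two different providers. That hidden dependency is the reason the register must capture subcontractor chains rather than just first-tier contracts.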

For a complete step-by-step guide, see our DORA Checklist. For cost estimates, see our DORA Costs and Timeline page.

Migrate from BAIT/VAIT to DORA efficiently

Kopexa provides pre-built mapping templates from BAIT/VAIT to DORA so you can identify your delta quickly and focus resources on the new requirements. Start with a free gap assessment.
