9th MaRisk Amendment: What the New Institution Classification Means for Your Firm

Institution size, outsourcing, DORA boundaries and the practical steps firms should now take

On 1 April 2026, BaFin published the consultation draft of the 9th amendment to the Minimum Requirements for Risk Management (MaRisk). The consultation period runs until 8 May 2026. This amendment does not merely change the wording of the framework – it changes its underlying logic. For every affected institution, the questions are now very practical: Where do we stand? Which rules apply to us? And what do we actually need to do?

Why this amendment is different from its predecessors

Previous MaRisk amendments generally expanded the rulebook by adding new requirements, additional modules and further specification. The 9th amendment takes the opposite approach: it shortens, consolidates and streamlines. The consultation draft is reduced in length from 148 pages in the comparison version to 82 pages.

This is not a cosmetic exercise. The amendment brings together regulatory developments that have so far run in parallel and, in part, overlapped: the supervisory communication of 26 November 2024 on strengthening proportionality, the BRUBEG published on 30 March 2026 for the national implementation of CRD VI, and the continuing alignment with DORA and the current EBA guidelines.

At the same time, BaFin is making a fundamental shift: less detailed prescription, more principle-based regulation. For firms, this creates greater flexibility – but also greater responsibility for interpretation. Where a checklist once existed, there will now be a principle that must be interpreted and documented independently.

Does the new MaRisk still apply to my institution?

No, if the institution is classified as a Significant Institution (SI). Such institutions will in future be fully removed from the scope of MaRisk and will instead be subject exclusively to the EBA guidelines under direct ECB supervision. The objective is a consistent avoidance of duplicate regulation.

For all Less Significant Institutions (LSIs), MaRisk remains the central supervisory framework – but it will now differentiate much more clearly by institution size. The practical implications become clear in the new classification model.

The new institution classification: where does your firm fit?

The new classification is the core of the amendment – and the starting point for all further questions on how the framework applies. BaFin will in future distinguish between three categories within the LSI population (see AT 1 para. 3):

1. Very small institutions

  • Average total assets of no more than EUR 1 billion over four years
  • Special rule for factoring institutions: additionally, annual receivables purchase volume of no more than EUR 5 billion on a four-year average
  • May use all MaRisk proportionality clauses available to them
  • May also make use of SNCI reliefs even if the formal SNCI criteria are not met
  • CRD third-country branches in risk class 2 may also be classified as very small

2. Small institutions (SNCIs)

  • Classified as Small and Non-Complex Institutions under Article 4(1)(145) CRR
  • Typically with total assets of no more than EUR 5 billion
  • May use all proportionality clauses intended for small institutions

3. Other LSIs (non-SNCIs)

  • This group may continue to use those proportionality clauses that are not expressly limited to very small or small institutions
  • Use of such clauses remains at the discretion of management and must be justified and documented on an institution-specific basis

Practical point: Classification is not a formality. It directly determines which reliefs an institution may use – and which it may not. If a firm assumes the wrong size category, it either fails to comply or gives up efficiency potential. The classification should therefore be actively assessed, calculated and documented in writing.

Once this classification has been established, the key changes introduced by the amendment can be assessed more precisely. The most immediate practical impact for many firms will arise in outsourcing and continuity management, particularly where the new boundary with DORA is concerned.

Outsourcing (AT 9)

AT 9 is significantly streamlined in the consultation draft. Many detailed provisions and enumerations are removed. The key question is whether this also reduces the underlying requirements. The short answer is no – but the nature of the requirement changes.

Risk analysis: less guidance, the same responsibility

The previous list of specific aspects to be considered in the risk analysis under AT 9 para. 2 is removed. What remains is the principle that “all aspects relevant to the institution in connection with the outsourcing arrangement” must be considered. The risk analysis must be reviewed at least annually, or every two to three years for very small institutions, and updated where there is a material change in the risk situation.

In practice, conducting structured outsourcing risk analyses is already one of the greatest challenges in outsourcing management. Removing the specific list of factors does not make this easier – quite the opposite. Firms will now need to determine for themselves which aspects are relevant in their specific circumstances and document that reasoning. Institutions that have so far worked “to a list” will need an institution-specific framework for outsourcing risk analysis that properly reflects their own business and risk structure.

Service provider oversight: KPIs and monitoring remain mandatory

The requirement to monitor the performance of the outsourcing provider against defined criteria – such as Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) – remains unchanged under AT 9 para. 9. The requirement for contractually agreed information duties on the part of the provider also remains in place.

Firms that have not yet established a robust KPI/KRI framework should treat the amendment as a prompt to do so. The more principle-based drafting will give supervisors and auditors greater room to assess whether oversight arrangements are in fact “appropriate”.

The ICT boundary: the end of double treatment

The most important substantive change in AT 9 concerns the boundary with DORA. Outsourced or externally sourced ICT services within the meaning of Article 3(21) of Regulation (EU) 2022/2554 (DORA), which are subject to ICT third-party risk management under Articles 28 to 30 DORA, will no longer fall within the scope of AT 9.

This is a logical development and materially simplifies practical handling. Until now, firms often had to treat ICT services twice: first as outsourcing or another external procurement arrangement under MaRisk, and secondly as an ICT third-party service under DORA. That duplication will now fall away.

This only works, however, if the institution draws a clear distinction between ICT and non-ICT services. Only if that boundary is properly defined can each service be treated consistently and coherently. In practice, this means:

  • Every existing outsourcing arrangement and every external procurement must be assessed to determine whether it constitutes an ICT service within the meaning of Article 3(21) DORA – and therefore falls under DORA – or whether it remains a non-ICT service to be treated under MaRisk AT 9
  • Mixed arrangements are particularly sensitive: services that contain both ICT and non-ICT elements should be analysed at service level rather than simply at contract level
  • The outcome of the classification should be documented and reviewed regularly, as the nature of a service may change over time

Outsourcing officer: the formal requirement falls away, the practical need remains

The explicit requirement to appoint a central outsourcing officer is removed from AT 9 para. 12. That does not mean the function disappears. The amendment still requires a central outsourcing management function with clearly defined responsibilities under AT 9 para. 10: implementing and developing outsourcing management, maintaining complete documentation of all outsourcing arrangements, reporting to management, and overseeing outsourcing providers.

Outsourcing management requires a responsible person. In practice, most institutions will therefore continue to have an outsourcing officer, even if the formal obligation no longer exists. For very small institutions, the task may be discharged within the framework of a management board meeting, which represents a meaningful simplification.

Important: the role of the outsourcing officer under MaRisk will in future relate exclusively to non-ICT services. For the management of ICT third-party risks, DORA still requires separate governance through the Third-Party Risk Manager. This function is not identical to that of the outsourcing officer, even if the same individual may perform both roles in smaller institutions. What matters is that responsibilities are clearly separated and documented: the outsourcing officer manages non-ICT outsourcing under MaRisk AT 9, while the Third-Party Risk Manager is responsible for ICT third-party risk management under Articles 28 to 30 DORA.

Register: deleted, but still indispensable

The provisions on the outsourcing register in AT 9 para. 14 are removed in full. However, the obligation to maintain a register still follows from the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and – for ICT third-party services – from the Information Register under Article 28(3) DORA.

The practical recommendation is to maintain a consolidated register for ICT and non-ICT services that can be filtered by category. This allows firms to differentiate according to the relevant reporting and supervisory obligation – both for DORA reporting based on the Information Register and for supervisory reporting under MaRisk. Again, this depends on a clear distinction between ICT and non-ICT services.

A register for managing third-party providers will in any event remain necessary, regardless of whether MaRisk expressly requires it. From BaFin’s perspective, such a register is more than a database – it should be understood as a risk management tool.

Reliefs for small and very small institutions in outsourcing

The amendment introduces tangible reliefs for smaller institutions in the area of outsourcing:

  • Very small institutions may fully outsource the compliance function or internal audit (AT 9 para. 5). In addition, the entire outsourcing management function may be transferred in full to a central group entity (AT 9 para. 10)
  • Small institutions (SNCIs) may outsource the compliance function or internal audit in full only on a more limited basis, subject to additional proportionality requirements
  • For intra-group and intra-network outsourcing arrangements, firms may dispense with exit strategies and contingency options (AT 9 para. 13(d))

Technical and organisational resources (AT 7.2)

The amendment removes the previous MaRisk requirements on IT permissions, IT systems and IT risks from AT 7.2. The reason is straightforward: DORA has regulated these areas directly and in detail since 17 January 2025. BaFin is therefore avoiding duplicate regulation and applying the same principle as in AT 9 for ICT services.

AT 7.2 is reduced to its core. The scope and quality of technical and organisational resources must be aligned with internal needs, business activities and the risk situation of the institution. Appropriate capacities must also be maintained for generating data and information relating to material risk types, together with effective processes to ensure data quality.

Business continuity management (AT 7.3): why the boundary is challenging in practice

At the same time, the general business continuity framework in AT 7.3 remains fully in place. This creates a genuine practical challenge that may not be obvious at first glance.

Previous position: under the previous MaRisk framework, IT and business continuity management were treated as a connected topic. In many institutions, responsibility for both sat within the same organisational unit, the same documentation covered IT security and continuity management, and both were reviewed together in audits.

New position: by removing the IT-related requirements from AT 7.2 and shifting them to DORA, two separate regulatory responsibility areas now emerge:

  • ICT-related continuity management – governed fully by DORA, in particular Article 11 DORA, including ICT business continuity policy, response and recovery plans, communication plans for ICT-related incidents, and regular testing of digital operational resilience
  • General business continuity management – still governed by MaRisk AT 7.3. This covers preparedness for all activities and processes supporting critical or important functions, including scenarios such as staff outages, building outages, physical infrastructure failure or external threats beyond ICT

In practice, this means:

  • Organisationally: who is internally responsible for DORA-compliant ICT continuity management, and who is responsible for the general continuity framework under AT 7.3? Until now, this was often the same unit – or even the same individual. In future, responsibilities must be clearly delineated so that no gaps arise and no unnecessary duplication occurs.

    Importantly, the regulatory separation of the two areas does not necessarily require two separate departments or two separate individuals. Particularly in small and very small institutions, continuity management for both ICT and non-ICT matters may still be organised within one unit or assigned to one person. What matters is not the formal organisational structure, but whether both regulatory strands – DORA and MaRisk – are fulfilled properly, distinguished clearly and documented separately.
  • Procedurally: business impact analyses under MaRisk AT 7.3 must still cover all functions, including ICT systems and other required resources. At the same time, DORA requires its own resilience analyses and testing. The point at which the MaRisk business impact analysis ends and DORA testing begins is not self-evident and will become relevant in supervisory reviews.
  • From a documentation perspective: the general continuity framework under AT 7.3 must include business continuity and recovery plans based on plausible scenarios. The DORA ICT business continuity policy contains similar requirements – but specifically for the ICT environment. If a supervisor asks which scenario falls under DORA and which under MaRisk AT 7.3, the institution must be able to provide a clear answer. Firms that merge both areas into one undifferentiated master document risk findings not because something is missing, but because the regulatory allocation is unclear.

A practical relief: for critical or important functions, the effectiveness of the continuity framework must be reviewed annually under AT 7.3 para. 3. Management must be informed at least quarterly and on an ad hoc basis about the status of continuity management. It is also notable that MaRisk now refers to critical or important functions rather than, as previously, time-critical activities and processes. In doing so, MaRisk adopts DORA terminology and concepts into supervisory practice. For institutions that have already fully implemented DORA, this creates an opportunity for alignment: DORA testing results may serve as input for MaRisk reporting, provided the distinction is documented clearly.

Size-specific outsourcing reliefs at a glance

Risk analysis – review cycle
  • Very small institutions: every 2–3 years
  • Small institutions (SNCIs): annually
  • Other LSIs: annually

Outsourcing of compliance/internal audit
  • Very small institutions: full outsourcing possible
  • Small institutions (SNCIs): only possible on a limited basis, subject to additional proportionality requirements
  • Other LSIs: not possible

Outsourcing management
  • Very small institutions: may be transferred in full to a central group entity
  • Small institutions (SNCIs): centralised function possible
  • Other LSIs: own responsibility remains

Outsourcing report to management
  • Very small institutions: a board meeting is sufficient
  • Small institutions (SNCIs): annually plus event-driven reporting
  • Other LSIs: annually plus event-driven reporting

Exit strategy for intra-group outsourcing
  • Very small institutions: may be dispensed with
  • Small institutions (SNCIs): may be dispensed with
  • Other LSIs: may be dispensed with

ICT vs non-ICT classification
  • Very small institutions: required
  • Small institutions (SNCIs): required
  • Other LSIs: required

Register (MaRisk)
  • All three categories: formal requirement removed, but still effectively required through the EBA guidelines and the DORA Information Register

Important: the use of proportionality clauses is not automatic. It requires an institution-specific risk assessment and clear documentation showing why the relief is appropriate in the individual case.

Recommended actions: what should firms do now?

The amendment is still in the consultation phase, with the deadline set for 8 May 2026. Finalisation is expected in the second half of 2026. As the changes consist predominantly of reliefs, it is reasonable to assume that the amendment will become effective immediately upon entry into force and without transitional periods.

  1. Determine your size category: calculate the four-year average of total assets. Compare the result against the SNCI criteria under Article 4(1)(145) CRR and document the classification in writing.
  2. Take stock of proportionality clauses: which reliefs are available to you under the new classification, which are you already using, and are they properly justified and documented?
  3. Differentiate ICT and non-ICT services: review every existing outsourcing arrangement and external procurement to determine whether it constitutes an ICT service within the meaning of Article 3(21) DORA. Document the results and pay particular attention to mixed arrangements.
  4. Consolidate your registers: maintain a combined register for ICT and non-ICT services with appropriate filtering options so that you can report correctly depending on the applicable supervisory and reporting obligation.
  5. Update the risk analysis framework: develop an institution-specific framework for outsourcing risk analysis that is no longer checklist-based, but properly reflects your own business and risk structure.
  6. Review service provider oversight: have you defined KPIs and KRIs for your material service providers, are these contractually anchored, and are they actually being evaluated?
  7. Review continuity management: when implementing DORA, did you also identify critical or important functions for non-ICT services? If not, do so now and build on the methodology already developed for your DORA implementation.
  8. Capture efficiency potential: where can you reduce validation effort, simplify processes or adjust reporting intervals? Document the rationale.


A practical relief: for critical or important functions, the effectiveness of the continuity framework must be reviewed annually under AT 7.3 para. 3. Management must be informed at least quarterly and on an ad hoc basis about the status of continuity management. It is also notable that MaRisk now refers to critical or important functions rather than, as previously, time-critical activities and processes. In doing so, MaRisk adopts DORA terminology and concepts into supervisory practice. For institutions that have already fully implemented DORA, this creates an opportunity for alignment: DORA testing results may serve as input for MaRisk reporting, provided the distinction is documented clearly.

Size-specific outsourcing reliefs at a glance

| Area | Very small institutions | Small institutions (SNCIs) | Other LSIs |
|---|---|---|---|
| Risk analysis – review cycle | Every 2–3 years | Annually | Annually |
| Outsourcing of compliance/internal audit | Full outsourcing possible | Only possible on a limited basis, subject to additional proportionality requirements | Not possible |
| Outsourcing management | May be transferred in full to a central group entity | Centralised function possible | Own responsibility remains |
| Outsourcing report to management | A board meeting is sufficient | Annually plus event-driven reporting | Annually plus event-driven reporting |
| Exit strategy for intra-group outsourcing | May be dispensed with | May be dispensed with | May be dispensed with |
| ICT vs non-ICT classification | Required | Required | Required |
| Register (MaRisk) | Formal requirement removed, but still effectively required through EBA guidelines and the DORA Information Register | Formal requirement removed, but still effectively required through EBA guidelines and the DORA Information Register | Formal requirement removed, but still effectively required through EBA guidelines and the DORA Information Register |

Important: the use of proportionality clauses is not automatic. It requires an institution-specific risk assessment and clear documentation showing why the relief is appropriate in the individual case.

Recommended actions: what should firms do now?

The amendment is still in the consultation phase, with the deadline set for 8 May 2026. Finalisation is expected in the second half of 2026. As the changes consist predominantly of reliefs, it is reasonable to assume that the amendment will become effective immediately upon entry into force and without transitional periods.

  1. Determine your size category: calculate the four-year average of total assets. Compare the result against the SNCI criteria under Article 4(1)(145) CRR and document the classification in writing.
  2. Take stock of proportionality clauses: which reliefs are available to you under the new classification, which are you already using, and are they properly justified and documented?
  3. Differentiate ICT and non-ICT services: review every existing outsourcing arrangement and external procurement to determine whether it constitutes an ICT service within the meaning of Article 3(21) DORA. Document the results and pay particular attention to mixed arrangements.
  4. Consolidate your registers: maintain a combined register for ICT and non-ICT services with appropriate filtering options so that you can report correctly depending on the applicable supervisory and reporting obligation.
  5. Update the risk analysis framework: develop an institution-specific framework for outsourcing risk analysis that is no longer checklist-based, but properly reflects your own business and risk structure.
  6. Review service provider oversight: have you defined KPIs and KRIs for your material service providers, are these contractually anchored, and are they actually being evaluated?
  7. Review continuity management: when implementing DORA, did you also identify critical or important functions for non-ICT services? If not, do so now and build on the methodology already developed for your DORA implementation.
  8. Capture efficiency potential: where can you reduce validation effort, simplify processes or adjust reporting intervals? Document the rationale.

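Steps 3 and 4 above (classify every arrangement as ICT or non-ICT, then keep one combined register that can be filtered per reporting obligation) can be supported with a small data model. The following is an added example written for this article, not a BaFin, EBA or vendor artefact: the field names, the sample providers and the rule that a mixed arrangement appears in both the DORA view and the MaRisk view are assumptions of the example. It also shows the completeness check a reviewer would run first, namely that no arrangement is left without an ICT / non-ICT decision, and flags the mixed arrangements the text says deserve particular attention.

```python
"""Combined ICT / non-ICT third-party register with per-obligation views.

Added example for this article (not BaFin, EBA or project code). Field names,
sample providers and the "mixed arrangement appears in both views" rule are
assumptions of the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    """One service component of an arrangement; mixed arrangements have several."""
    description: str
    # True = ICT service in the sense of Art. 3(21) DORA, False = non-ICT,
    # None = classification not yet carried out (must not reach reporting)
    ict: Optional[bool]


@dataclass
class Arrangement:
    provider: str
    critical_or_important: bool  # supports a critical or important function
    intra_group: bool = False    # intra-group / intra-network arrangement
    components: list = field(default_factory=list)

    def is_classified(self) -> bool:
        """Every component has an explicit ICT / non-ICT decision."""
        return bool(self.components) and all(c.ict is not None for c in self.components)

    def has_ict(self) -> bool:
        return any(c.ict is True for c in self.components)

    def has_non_ict(self) -> bool:
        return any(c.ict is False for c in self.components)

    def is_mixed(self) -> bool:
        return self.has_ict() and self.has_non_ict()


# Constructed sample register; the providers and services are fictitious.
REGISTER = [
    Arrangement("CloudHost Ltd", critical_or_important=True,
                components=[Component("Core banking hosting", ict=True)]),
    Arrangement("Group Service GmbH", critical_or_important=True, intra_group=True,
                components=[Component("Internal audit function", ict=False)]),
    Arrangement("PrintMail AG", critical_or_important=False, components=[
        Component("Statement printing and postage", ict=False),
        Component("Customer document portal (SaaS)", ict=True),   # mixed arrangement
    ]),
    Arrangement("LegalPartners", critical_or_important=False,
                components=[Component("Contract review", ict=None)]),  # not yet assessed
]


def unclassified(register):
    """Providers with at least one component lacking an ICT / non-ICT decision.
    The classification is required for institutions of every size, so this
    list must be empty before any view is reported."""
    return [a.provider for a in register if not a.is_classified()]


def dora_view(register):
    """Entries for the DORA Information Register: every arrangement with an ICT component."""
    return [a.provider for a in register if a.has_ict()]


def marisk_view(register):
    """Entries for the MaRisk AT 9 outsourcing report: every arrangement with a non-ICT component."""
    return [a.provider for a in register if a.has_non_ict()]


def mixed_arrangements(register):
    """Arrangements that appear in both views and therefore need a documented split."""
    return [a.provider for a in register if a.is_mixed()]


def exit_strategy_required(a: Arrangement) -> bool:
    """AT 9 para. 13(d) allows exit strategies to be dispensed with for intra-group
    arrangements. Using that relief still requires an institution-specific,
    documented justification; this function only marks where the option exists."""
    return not a.intra_group


if __name__ == "__main__":
    print("unclassified:", unclassified(REGISTER))
    print("DORA view:", dora_view(REGISTER))
    print("MaRisk view:", marisk_view(REGISTER))
    print("mixed:", mixed_arrangements(REGISTER))
```

The intended workflow is to run `unclassified` first and treat a non-empty result as a blocker, then derive the DORA and MaRisk views from the same records rather than from two separately maintained lists; the mixed arrangement (here the print provider with a SaaS portal) is the case where the allocation must be written down explicitly, as the text warns.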