9th MaRisk Amendment: Final Version Published – What Changed Between Consultation and Final Text?

BaFin has finalised the 9th MaRisk Amendment. Ten changes to AT 9 compared to the consultation draft — what has actually changed and what institutions need to do now.

On 30 June 2026, BaFin published the final version of the 9th MaRisk Amendment as Circular 06/2026 (BA). With that, the consultation phase that began on 1 April 2026 comes to a close — and the implementation phase begins. With immediate effect and no transitional arrangements.

In an earlier article, we analysed the consultation draft and set out the key changes to AT 9 — the outsourcing module. Today, we turn to the question that institutions are now asking in practice: What did BaFin actually change between the consultation draft and the final text?

The answer: ten changes to AT 9 alone — some editorial, some substantive, and several with immediate implications for institutions.

The Most Important Point First: No Transitional Arrangements

The final MaRisk applies with immediate effect. There is no grace period, no phased introduction. Institutions that have already been working on the basis of the consultation draft are well positioned — but must still incorporate the changes set out below. Those who have not yet begun should prioritise accordingly.

The Ten Changes to AT 9 at a Glance

1. DORA Demarcation: From Running Text to a Dedicated Explanatory Box

In the consultation draft, the demarcation from DORA was embedded as running text within Section 1 — without any particular emphasis. The final version elevates this to a standalone, named explanatory box: "DORA (Regulation (EU) 2022/2554)".

This is not a cosmetic change. BaFin is sending a clear signal: the boundary between ICT services governed by DORA and non-ICT outsourcing arrangements governed by AT 9 is not a peripheral matter — it is structurally fundamental to the entire outsourcing management framework. Institutions that have not yet clearly documented this demarcation should do so without delay.

2. Anti-Money Laundering: A New Requirement in AT 9

Entirely new in the final version is an explanatory box in Section 1 addressing anti-money laundering obligations. The final text makes clear that the German Money Laundering Act (GwG) and the new EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) must be applied when taking outsourcing decisions.

This provision was absent from the consultation draft entirely. The message is unambiguous: outsourcing decisions are not solely a risk management matter — they carry an AML dimension. Compliance functions and money laundering officers must be systematically involved in the risk analysis process.

Practical note: Review whether your outsourcing strategy and risk analysis processes already address GwG and AMLR requirements. If not, this represents a gap that supervisors are likely to raise in future examinations.

3. Risk Analysis: "Relevant" Replaces "Involved" Organisational Units

A seemingly minor change in wording with considerable practical effect: Section 2 replaces "organisational units involved in the workflows" with "relevant organisational units".

The term "relevant" is broader than "involved". It may encompass risk control, data protection and internal audit functions — even where these are not directly engaged in the outsourced processes. Institutions that have hitherto limited their risk analysis to the immediately affected business areas will need to revisit the scope of units to be consulted.

The term is not legally defined. Supervisory clarification or emerging examination practice will be needed. In the meantime, the prudent approach is to cast the net broadly and document the rationale for the scope chosen.

4. Internal Audit: An Explicit, Ongoing Monitoring Obligation

The consultation draft framed the internal audit function's obligations in relation to outsourcing in general terms. The final version is more precise: "The internal audit function of the outsourcing institution must satisfy itself on a regular basis that the relevant conditions are being met."

This constitutes an explicit, ongoing monitoring obligation — not a one-off review at the point of contract conclusion. For internal audit, this means that oversight of outsourcing conditions must be embedded as a recurring, standalone audit subject within the audit plan and documented accordingly — as, indeed, it should have been already.

5. Absence of Exit Options: Contingency Planning as a Minimum Requirement (New)

Entirely new is an explanatory box in Section 6: "Where no exit options exist, the institution must at minimum give appropriate consideration to this situation in its contingency planning."

This provision addresses a reality that arises frequently in practice: outsourcing arrangements with monopoly providers or highly concentrated cloud service providers, where exit is not feasible in practice. Until now, it was unclear what institutions were required to do in such situations. The final version provides a clear minimum answer: where exit is not possible, this must be appropriately reflected in contingency planning.

What "appropriate" means in this context remains open to interpretation. Supervisory guidance is to be expected. In the interim, a documented analysis of the affected outsourcing arrangements and their explicit integration into the contingency framework under AT 7.3 is advisable.

6. Outsourcing Contracts: "Text Form" Replaces "Written Form"

A legally significant clarification in Section 7: the formal requirement for outsourcing contracts has been changed from "written form" to "text form".

The distinction is not trivial. "Written form" under Section 126 of the German Civil Code (BGB) requires a handwritten signature. "Text form" under Section 126b BGB requires only a legible declaration in a durable medium — which includes e-mail or PDF without a qualified electronic signature.

Existing contracts concluded in written form require no amendment — the higher form satisfies the lower. For new contracts and template agreements, the wording should be updated accordingly. Whether certain critical clauses continue to require written form remains an institution-specific question.

7. Contingency Plans: A Standalone Mandatory Contract Provision

In the consultation draft, requirements relating to contingency plans were grouped together with service quality and insurance evidence under a single combined sub-clause. The final version elevates this to a standalone sub-clause g): "Requirements for the implementation and review of contingency plans."

This raises the profile of contingency planning in contract negotiations and supervisory examinations. Institutions that have addressed contingency plans only in passing within their outsourcing contracts should review and update their template agreements.

8. Sub-Outsourcing: Strengthened Reporting Obligations

Section 8 introduces a new sentence: the outsourcing undertaking must remain subject to reporting obligations towards the outsourcing institution even following sub-outsourcing to a sub-contractor.

This materially strengthens oversight of multi-layered outsourcing chains. Existing outsourcing contracts that permit sub-outsourcing should be reviewed to establish whether this reporting obligation is explicitly agreed. Where it is not, renegotiation is required.

9. Outsourcing Register: Correction of the KWG Reference and Explicit Designation

In Section 12(b), the erroneous reference to "Section 25 KWG" in the consultation draft has been corrected to Section 25b(1), sentence 4 KWG. The register is now also explicitly designated as the "outsourcing register".

There is no substantive change — but the correction of the legal basis is relevant for documentation purposes and for supervisory examinations. Institutions that reference the former provision in internal policies or register templates should update accordingly.

10. Group-Wide Outsourcing Register: A New Relief Provision (Section 14(e))

The most significant structural addition compared to the consultation draft: a wholly new Section 14(e) permits groups and financial networks to establish and maintain a central outsourcing register at group or network level.

The condition is that the individual institution and the competent supervisory authority must be able to retrieve the institution-specific register without undue delay. What "without undue delay" means is not defined — institutions should establish internal SLAs for retrieval and document them accordingly.

For banking groups, financial holding groups and financial networks — such as savings banks or cooperative banking associations — this represents a material simplification. The option should be assessed and, where appropriate, implemented.

Recommended Actions: What Institutions Should Do Now

The final MaRisk applies with immediate effect. Based on the delta analysis, the following priorities emerge:

Immediate Action Required

  • Update outsourcing contract templates to include contingency plans as a standalone mandatory provision (sub-clause g))
  • Review existing contracts permitting sub-outsourcing for explicit reporting obligations and renegotiate where necessary

Short-Term Action Required

  • Review the scope of organisational units involved in the risk analysis — in particular, actively engage compliance, risk control, data protection and internal audit
  • Establish and document a formalised, recurring oversight process for audit conditions in relation to outsourcing arrangements
  • Integrate AML requirements into the outsourcing strategy and risk analysis processes

Medium-Term Action Required

  • Identify outsourcing arrangements for which no practical exit options exist and integrate these into the contingency framework under AT 7.3
  • Assess whether a group-wide central outsourcing register can be established under the new relief provision in Section 14(e)

Conclusion

The final MaRisk is not a straightforward confirmation of the consultation draft. Ten changes to AT 9 — including an entirely new provision on group-wide outsourcing registers, a new AML requirement and strengthened reporting obligations for sub-outsourcing chains — make targeted follow-up work necessary.

The good news: institutions that have already been working on the basis of the consultation draft have completed the bulk of the work. What remains is a matter of precision, but that precision is relevant to supervisors and will become visible in examinations.

