BaFin has finalised the 9th MaRisk Amendment. Ten changes to AT 9 compared to the consultation draft — what has actually changed and what institutions need to do now.
June 30, 2026
On 30 June 2026, BaFin published the final version of the 9th MaRisk Amendment as Circular 06/2026 (BA). With that, the consultation phase that began on 1 April 2026 comes to a close — and the implementation phase begins. With immediate effect and no transitional arrangements.
In an earlier article, we analysed the consultation draft and set out the key changes to AT 9 — the outsourcing module. Today, we turn to the question that institutions are now asking in practice: What did BaFin actually change between the consultation draft and the final text?
The answer: ten changes to AT 9 alone — some editorial, some substantive, and several with immediate implications for institutions.
The final MaRisk applies with immediate effect. There is no grace period, no phased introduction. Institutions that have already been working on the basis of the consultation draft are well positioned — but must still incorporate the changes set out below. Those who have not yet begun should prioritise accordingly.
In the consultation draft, the demarcation from DORA was embedded as running text within Section 1 — without any particular emphasis. The final version elevates this to a standalone, named explanatory box: "DORA (Regulation (EU) 2022/2554)".
This is not a cosmetic change. BaFin is sending a clear signal: the boundary between ICT services governed by DORA and non-ICT outsourcing arrangements governed by AT 9 is not a peripheral matter — it is structurally fundamental to the entire outsourcing management framework. Institutions that have not yet clearly documented this demarcation should do so without delay.
Entirely new in the final version is an explanatory box in Section 1 addressing anti-money laundering obligations. The final text makes clear that the German Money Laundering Act (GwG) and the new EU Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) must be applied when taking outsourcing decisions.
This provision was absent from the consultation draft entirely. The message is unambiguous: outsourcing decisions are not solely a risk management matter — they carry an AML dimension. Compliance functions and money laundering officers must be systematically involved in the risk analysis process.
Practical note: Review whether your outsourcing strategy and risk analysis processes already address GwG and AMLR requirements. If not, this represents a gap that supervisors are likely to raise in future examinations.
A seemingly minor change in wording with considerable practical effect: Section 2 replaces "organisational units involved in the workflows" with "relevant organisational units".
The term "relevant" is broader than "involved". It may encompass risk control, data protection and internal audit functions — even where these are not directly engaged in the outsourced processes. Institutions that have hitherto limited their risk analysis to the immediately affected business areas will need to revisit the scope of units to be consulted.
The term is not legally defined. Supervisory clarification or emerging examination practice will be needed. In the meantime, the prudent approach is to cast the net broadly and document the rationale for the scope chosen.
The consultation draft framed the internal audit function's obligations in relation to outsourcing in general terms. The final version is more precise: "The internal audit function of the outsourcing institution must satisfy itself on a regular basis that the relevant conditions are being met."
This constitutes an explicit, ongoing monitoring obligation — not a one-off review at the point of contract conclusion. For internal audit, this means that oversight of outsourcing conditions must be embedded as a recurring, standalone audit subject within the audit plan and documented accordingly — as, indeed, it should have been already.
Entirely new is an explanatory box in Section 6: "Where no exit options exist, the institution must at minimum give appropriate consideration to this situation in its contingency planning."
This provision addresses a reality that arises frequently in practice: outsourcing arrangements with monopoly providers or highly concentrated cloud service providers, where exit is not feasible in practice. Until now, it was unclear what institutions were required to do in such situations. The final version provides a clear minimum answer: where exit is not possible, this must be appropriately reflected in contingency planning.
What "appropriate" means in this context remains open to interpretation. Supervisory guidance is to be expected. In the interim, a documented analysis of the affected outsourcing arrangements and their explicit integration into the contingency framework under AT 7.3 is advisable.
A legally significant clarification in Section 7: the formal requirement for outsourcing contracts has been changed from "written form" to "text form".
The distinction is not trivial. "Written form" under Section 126 of the German Civil Code (BGB) requires a handwritten signature. "Text form" under Section 126b BGB requires only a legible declaration in a durable medium — which includes e-mail or PDF without a qualified electronic signature.
Existing contracts concluded in written form require no amendment — the higher form satisfies the lower. For new contracts and template agreements, the wording should be updated accordingly. Whether certain critical clauses continue to require written form remains an institution-specific question.
In the consultation draft, requirements relating to contingency plans were grouped together with service quality and insurance evidence under a single combined sub-clause. The final version elevates this to a standalone sub-clause g): "Requirements for the implementation and review of contingency plans."
This raises the profile of contingency planning in contract negotiations and supervisory examinations. Institutions that have addressed contingency plans only in passing within their outsourcing contracts should review and update their template agreements.
Section 8 introduces a new sentence: the outsourcing undertaking must remain subject to reporting obligations towards the outsourcing institution even following sub-outsourcing to a sub-contractor.
This materially strengthens oversight of multi-layered outsourcing chains. Existing outsourcing contracts that permit sub-outsourcing should be reviewed to establish whether this reporting obligation is explicitly agreed. Where it is not, renegotiation is required.
In Section 12(b), the erroneous reference to "Section 25 KWG" in the consultation draft has been corrected to Section 25b(1), sentence 4 KWG. The register is now also explicitly designated as the "outsourcing register".
There is no substantive change — but the correction of the legal basis is relevant for documentation purposes and for supervisory examinations. Institutions that reference the former provision in internal policies or register templates should update accordingly.
The most significant structural addition compared to the consultation draft: a wholly new Section 14(e) permits groups and financial networks to establish and maintain a central outsourcing register at group or network level.
The condition is that the individual institution and the competent supervisory authority must be able to retrieve the institution-specific register without undue delay. What "without undue delay" means is not defined — institutions should establish internal SLAs for retrieval and document them accordingly.
For banking groups, financial holding groups and financial networks — such as savings banks or cooperative banking associations — this represents a material simplification. The option should be assessed and, where appropriate, implemented.
The final MaRisk applies with immediate effect. Based on the delta analysis, the following priorities emerge:
The final MaRisk is not a straightforward confirmation of the consultation draft. Ten changes to AT 9 — including an entirely new provision on group-wide outsourcing registers, a new AML requirement and strengthened reporting obligations for sub-outsourcing chains — make targeted follow-up work necessary.
The good news: institutions that have already been working on the basis of the consultation draft have completed the bulk of the work. What remains is a matter of precision, but that precision is relevant to supervisors and will become visible in examinations.

On 30 June 2026, BaFin published the final 9th MaRisk Amendment as Circular 06/2026. The amendment takes effect immediately, with no transitional arrangements. AT 9 — the outsourcing module — has been revised: anti-money laundering considerations are now an explicit requirement in outsourcing decisions, sub-outsourcing chains are subject to tightened reporting obligations, and a minimum contingency planning standard applies where no viable exit option is available. A new relief provision permits group-wide outsourcing registers under defined conditions.

