GAP compliance analysis according to BaIT and ZaIT regulations

What are BaIT and ZaIT regulations?

At the end of 2017, the German Federal Financial Supervisory Authority (BaFin) published the Supervisory Requirements for IT in Financial Institutions (“Bankaufsichtliche Anforderungen an die IT”, BAIT), a binding set of rules for safeguarding IT in the finance industry. The aim was to ensure the secure design of systems and processes and to create transparent governance.

In mid-August 2021, BaFin also updated the "Zahlungsdiensteaufsichtliche Anforderungen an die IT von Zahlungs- und E-Geld-Instituten - ZAIT" (Payment Services Supervisory Requirements for the IT of Payment and Electronic Money Institutions). The circular specifies the IT requirements specifically for these institutions. The requirements closely follow the already existing IT requirements for banks (BAIT) and incorporate in particular the EBA requirements from the EBA Guidelines on ICT and Security Risk Management (GL/2017/17) and the EBA Guidelines on Outsourcing (GL/2019/02).

The requirements for BaIT and ZaIT regulations apply to the following areas:

  • IT strategy
  • IT governance
  • Information risk management
  • Information security management
  • Operational information security
  • Identity and access management
  • IT projects and application development
  • IT operations
  • Outsourcing and other external procurement of IT services
  • IT business continuity management
  • Management of relationships with payment service users
  • Critical infrastructure

How can Deloitte help?

  • We assist our clients in complying with the BaIT and ZaIT regulations.
  • We conduct a compliance review in the form of a GAP analysis against the regulatory requirements. After the analysis, we issue a compliance report covering the requirements of the regulations, with recommendations for closing the identified gaps and achieving compliance.