
DORA vs BAIT: how Germany's banking IT rules transitioned to EU law

TL;DR

BAIT was BaFin's regulatory-supervisory IT framework for German banks. DORA is the EU-wide regulation that now primarily governs financial-sector ICT risk management. BAIT has been largely absorbed into DORA through regulatory convergence — BaFin enforces DORA while BAIT-specific items remain relevant for supervisory practice.

85% overlap

Side-by-side

Dimension | DORA | BAIT
Type | EU Regulation (directly applicable since Jan 2025) | German regulatory circular (BaFin)
Scope | All EU financial entities + critical ICT third parties | German banks; patterns also transferred to VAIT (insurance), KAIT (asset mgmt), ZAIT (payment)
Legal force | Directly binding, no transposition needed | BaFin supervisory expectation — binding via supervisory practice
Key structure | 5 pillars + technical standards (RTS/ITS) | 9 chapters covering ICT strategy, governance, risk, operations, outsourcing, etc.
Third-party management | Art. 28-30 + Critical ICT Third-Party Provider framework | Chapter 9 — outsourcing controls with specific BaFin notification obligations
Testing requirements | Explicit TLPT for significant entities (Art. 26-27) | Penetration testing expected but less prescriptive than DORA
Incident reporting | Tiered: initial → intermediate → final to BaFin | BAIT incident reporting + German KWG § 25b notifications
Status post-DORA | Primary regulatory framework | Still referenced by BaFin but DORA takes precedence

When to choose which

DORA

Every German financial entity should be DORA-compliant from Jan 2025 onward. BAIT-only compliance is no longer sufficient.

BAIT

BAIT elements remain relevant for supervisory practice and areas where BaFin expectations exceed or specify beyond DORA (e.g., specific outsourcing notification thresholds, §44 KWG). BAIT is not dead — it's supervisory-practice guidance layered on DORA.

Both

Practical approach: build DORA-compliant programs and reference BAIT where BaFin supervisory practice adds specifics. Many German banks run a unified program that satisfies DORA at EU level and BAIT's BaFin-specific emphasis.

The overlap

About 85%: most BAIT chapters have direct DORA equivalents. ICT governance, risk management, information security, ICT operations, change management, outsourcing are all present in both frameworks. The real question for German banks isn't "do I need both?" but "how do I run one program that satisfies both supervisory layers?"

Key differences

  • DORA is EU-wide and supersedes national approaches. BAIT is German-specific.
  • DORA has formal legal force as a Regulation. BAIT has supervisory-practice force via BaFin enforcement.
  • DORA explicitly mandates TLPT for significant entities. BAIT has broader penetration-testing guidance without the TLPT specificity.
  • DORA introduces the Critical ICT Third-Party Provider framework (direct EU-level oversight). BAIT's outsourcing framework doesn't have this EU-level oversight layer.
  • DORA incident reporting is aligned with ECB/EBA EU-level flows. BAIT flows are BaFin-specific.

Frequently asked questions

Is BAIT still in force after DORA?

Yes — BAIT hasn't been formally withdrawn. BaFin continues to reference BAIT in supervisory practice, but DORA takes precedence where they conflict or where DORA is more specific. Practically, BaFin has communicated that its supervisory expectations are aligned to DORA. BAIT-specific items that exceed DORA (some outsourcing notification procedures, German-specific requirements) remain relevant.

If I was BAIT-compliant, am I DORA-compliant?

Mostly yes: the overlap is about 85%. The typical gaps are the explicit TLPT framework (DORA Art. 26-27), Critical ICT Third-Party Provider alignment (DORA Art. 28+), and specific DORA technical standards (RTS/ITS on registers and incident classification). German banks that were BAIT-mature are closer to DORA than banks from jurisdictions without equivalent regulations.

What about VAIT, KAIT and ZAIT?

Similar story. VAIT (insurance), KAIT (asset management) and ZAIT (payment/e-money) are sector-specific BaFin supervisory frameworks that preceded DORA. DORA now covers all financial-sector entities, including insurance, asset management and payment institutions. The sector-specific BaFin frameworks remain referenced for supervisory-practice specifics, but DORA is the primary framework.

Matproof covers all major EU frameworks.

One platform, 11 frameworks, EU-hosted. 30-minute demo tailored to your framework mix.