BaFin BAIT Penetration Testing: IT Security Requirements for German Banks in English
BAIT — Bankaufsichtliche Anforderungen an die IT (Supervisory Requirements for IT at Financial Institutions) — is BaFin's operational guidance circular that translates MaRisk AT 7.2's high-level IT risk management requirements into specific, actionable IT security practices. Published in 2017 and substantially revised in 2021, BAIT establishes requirements across twelve areas including IT strategy, IT governance, information risk management, information security management, IT project management, application development, IT operations, and identity and access management. For penetration testing specifically, BAIT §8 (IT Operations) and §9 (Information Risk Management) create concrete testing obligations that BaFin examiners assess during §44 KWG special audits. This English-language guide explains what BAIT requires, how it interacts with DORA and MaRisk, and what international compliance teams at German financial institutions need to demonstrate.
What BaFin BAIT requires for IT security testing
BAIT was issued as BaFin Circular 10/2017 and significantly revised as Circular 01/2021 to align with EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04). The 2021 revision added two new sections (BAIT §11 on IT service provider management and BAIT §12 on critical infrastructure), introduced cloud service requirements, and strengthened the testing requirements.

BAIT §9.2 (Information Risk Management, technical measures) is the primary source of penetration testing obligations: it requires banks to conduct 'regular testing of security mechanisms, including through penetration tests, to verify their effectiveness'. BAIT §9.4 (Penetration Testing) provides more specific guidance: tests must be conducted at least annually for critical IT systems, after significant changes to IT infrastructure or applications, and by parties with 'proven expertise and independence from the systems being tested'. BAIT §8.1 (IT Operations) addresses vulnerability management: it requires a process for 'timely identification, assessment and treatment of technical vulnerabilities' — complementary to the active exploitation evidence produced by penetration testing.

BAIT §6 (Identity and Access Management) creates additional testing obligations: the IAM framework must be 'regularly verified for effectiveness', which includes testing authentication bypass vectors, privilege escalation paths, and session management weaknesses. The 2021 revision of BAIT also addressed cloud services explicitly — for banks running workloads in AWS, Azure, or GCP, the same IT security requirements apply, and penetration testing must cover cloud-hosted banking systems.
- BAIT §9.2 and §9.4: penetration tests required at minimum annually for critical IT systems, after significant changes, conducted by independent parties with documented expertise — BaFin examiners verify both frequency and quality of testing.
- BAIT §8.1 (Vulnerability Management): requires timely identification and treatment of technical vulnerabilities — penetration testing is evidence that the vulnerability management process is working, not just that scanners are running.
- BAIT §6 (IAM): identity and access management controls must be regularly tested for effectiveness — penetration testing of authentication, authorisation, and session management directly evidences §6 compliance.
- BAIT §11 (IT Service Provider Management): for outsourced IT services, the bank must ensure security requirements including penetration testing are contractually required and evidenced — this extends testing obligations to critical SaaS providers.
- BAIT §12 (Critical Infrastructure): for KRITIS-classified banks, BAIT §12 aligns with BSI requirements including penetration testing as a standard security verification tool.
- EBA/GL/2019/04 (incorporated by reference in BAIT 2021): §§68-74 specifically require that ICT security testing programmes include penetration testing of critical ICT systems, with documented results and remediation plans.
- BaFin §44 KWG Special Audits: BaFin has conducted dedicated IT special audits at German banks since 2018. Published anonymised findings consistently show that absent, infrequent, or poorly documented penetration testing is among the most common BAIT §9 deficiencies.
What BAIT-compliant penetration testing must cover
- BAIT §9.4 critical IT systems: online banking platforms (web and mobile), core banking APIs, payment processing endpoints, internal banking portals, customer data management systems — all internet-facing components at minimum
- BAIT §6 IAM verification: authentication bypass testing — MFA implementation weaknesses, session fixation (CWE-384), JWT algorithm confusion attacks (CWE-347), OAuth 2.0 implicit flow vulnerabilities (RFC 9700), SAML XML Signature Wrapping (CVE-2023-36661)
- BAIT §8.1 vulnerability management validation: CVE verification for banking technology stack — CVE-2024-6387 OpenSSH RegreSSHion (CVSS 8.1) on banking server infrastructure, CVE-2024-4577 PHP-CGI argument injection (CVSS 9.8) on legacy banking portals, Spring Framework CVEs for Java-based core banking systems
- OWASP Top 10 for banking applications: A01 Broken Access Control (account IDOR — a critical risk given financial data sensitivity), A02 Cryptographic Failures (unencrypted PAN/IBAN data, weak TLS on API endpoints), A03 Injection (SQL injection against transaction databases), A07 Authentication Failures
- OWASP API Security Top 10 for open banking: API1 BOLA (accessing other customers' account data), API2 Broken Authentication (OAuth 2.0 PSD2/Berlin Group NextGenPSD2 implementation weaknesses), API4 Unrestricted Resource Consumption (account enumeration via rate limit bypass)
- BAIT §11 outsourcing security: testing of APIs and integration points with outsourced IT service providers — SaaS banking platforms, payment processors, cloud-hosted core banking systems, third-party KYC/AML providers
- Network segmentation and access controls (BAIT §8 + BSI Grundschutz alignment): verification that internet-facing banking services cannot be used to pivot to internal banking infrastructure, testing that production databases are accessible only through authorised application paths
- Cloud security (BAIT 2021 cloud additions): IAM misconfiguration in AWS/Azure/GCP hosting banking workloads, S3/Blob storage bucket access controls, container escape vulnerabilities (CVE-2024-21626 runc CVSS 8.6), serverless function security
- Detection and monitoring capability (EBA/GL §§68-74): verifying that SIEM/SOC detects attack activities performed during the test — gaps in detection coverage are a finding under both BAIT §9 and EBA/GL §68
- Business continuity threat simulation (DORA Art. 24 + MaRisk AT 7.3): availability impact assessment of discovered vulnerabilities, backup system access controls, recovery infrastructure security
Sample finding
BAIT §6 IAM violation: OAuth 2.0 implicit flow exposes banking session tokens in browser history
The mobile banking web application implements PSD2 open banking using OAuth 2.0 Implicit Flow (RFC 6749 §4.2). In this deprecated flow, the access token is returned directly in the URL fragment (`#access_token=...`). On Android devices using Chrome, URL fragments are stored in browser history and can be accessed by other applications with the `READ_HISTORY_BOOKMARKS` permission. Additionally, the Referrer header from the banking app sends the URL fragment (including the token) to embedded analytics scripts (Google Analytics). A malicious app or analytics provider with access to browser history or referrer data can extract valid OAuth tokens for active banking sessions. This token can be used to access the PSD2/Berlin Group API and retrieve account balances, transaction history, and initiate payments. The finding violates BAIT §6 (IAM: tokens must be protected from unauthorised access), EBA/GL §§41-43 (authentication and access controls), and DSGVO Art. 32.
Fix: Migrate from OAuth 2.0 Implicit Flow to Authorization Code Flow with PKCE (RFC 7636) — this is the current PSD2 and FAPI 2.0 standard. The Authorization Code Flow with PKCE never exposes the access token in URL fragments or referrer headers. Additionally: review all OAuth 2.0 implementations against the OAuth Security Best Current Practice (OAuth 2.0 Security BCP, RFC 9700, published 2023). Implement token binding where supported. Configure analytics SDKs to exclude URL parameters and fragments from data collection, and set `Referrer-Policy: no-referrer` on banking pages. After fix deployment, validate the PKCE implementation using the FAPI 2.0 conformance test suite (OpenID Foundation). Document the finding and remediation for the BaFin examination readiness file.
Reference: RFC 9700 OAuth 2.0 Security BCP · RFC 7636 PKCE · CVE-2022-22600 (Safari OAuth implicit flow token exposure) · BAIT §6 IAM · EBA/GL/2019/04 §§41-43 · OWASP API2:2023 Broken Authentication · FAPI 2.0 Security Profile (OpenID Foundation)
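The following is an added example, not code from the original page or from Matproof: a self-contained model of the Authorization Code Flow with PKCE (RFC 7636, S256 method) that the fix above prescribes, contrasted with the Implicit Flow redirect it replaces. Both sides of the exchange are modelled in-process. The client id, redirect URI, endpoints, and the in-memory authorization server are all constructed for illustration; the only real values are the RFC 7636 Appendix B test vector used to check the challenge derivation. It shows the property a re-test should verify: the redirect carries only a single-use code, and the code alone, without the verifier that never leaves the client, cannot be exchanged for a token.

```python
"""PKCE (RFC 7636) worked example: client and authorization server in one process.

Added illustration, not the page's or Matproof's code. All identifiers
(client id, redirect URI, the AuthorizationServer class) are constructed.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    # RFC 7636 Appendix A: base64url without padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 §4.1: high-entropy string of 43..128 unreserved chars;
    # 32 random bytes -> 43 base64url characters.
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 §4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory authorization server (not a real product)."""

    def __init__(self) -> None:
        self._codes: dict[str, dict] = {}   # code -> {client_id, redirect_uri, challenge}
        self._tokens: dict[str, str] = {}   # access_token -> client_id

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str, state: str) -> str:
        # RFC 9700 §2.1.1: only S256 is acceptable; 'plain' is rejected.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge}
        # The redirect carries a short-lived code and the state only, never a token.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        rec = self._codes.pop(code, None)  # pop: an authorization code is single-use
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        # Server recomputes the challenge from the presented verifier and compares in constant time.
        if not secrets.compare_digest(make_code_challenge(code_verifier), rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = client_id
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 600}


def implicit_flow_redirect(redirect_uri: str, access_token: str, state: str) -> str:
    # Deprecated RFC 6749 §4.2 response shape, shown only for contrast with PKCE.
    return redirect_uri + "#" + urlencode({"access_token": access_token,
                                           "token_type": "Bearer", "state": state})


def token_visible_in_url(url: str) -> bool:
    """True if an access_token appears in the query string or the fragment of a redirect URL."""
    parts = urlparse(url)
    return "access_token" in parse_qs(parts.query) or "access_token" in parse_qs(parts.fragment)


def run_pkce_flow(server: AuthorizationServer, client_id: str = "mobile-banking-app",
                  redirect_uri: str = "https://bank.example/cb") -> tuple[str, dict]:
    """Full client-side flow; returns (redirect URL seen by the browser, token response)."""
    verifier = make_code_verifier()           # stays on the client
    challenge = make_code_challenge(verifier)  # sent in the authorization request
    state = secrets.token_urlsafe(16)
    redirect = server.authorize(client_id, redirect_uri, challenge, "S256", state)
    q = parse_qs(urlparse(redirect).query)
    if q["state"][0] != state:
        raise PermissionError("state mismatch (possible CSRF on the redirect)")
    return redirect, server.token(client_id, redirect_uri, q["code"][0], verifier)


def observed_code_is_useless(server: AuthorizationServer, client_id: str = "mobile-banking-app",
                             redirect_uri: str = "https://bank.example/cb") -> bool:
    """Re-test check for the BAIT §6 concern: a party that only observes the redirect
    (browser history, referrer leakage) holds the code but not the verifier. Returns True
    when both a guessed-verifier exchange and a replay of a used code are rejected."""
    verifier = make_code_verifier()
    redirect = server.authorize(client_id, redirect_uri, make_code_challenge(verifier), "S256", "s1")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        server.token(client_id, redirect_uri, code, make_code_verifier())  # wrong verifier
        return False
    except PermissionError:
        pass
    try:
        server.token(client_id, redirect_uri, code, verifier)  # code already consumed above
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    srv = AuthorizationServer()
    redirect_url, tok = run_pkce_flow(srv)
    print("PKCE redirect exposes token:", token_visible_in_url(redirect_url))
    print("Implicit redirect exposes token:",
          token_visible_in_url(implicit_flow_redirect("https://bank.example/cb", "t0k3n", "s")))
    print("Observed code alone is useless:", observed_code_is_useless(srv))
```

Note that the server pops the code on first use, so a verifier mismatch also burns the code; this is the RFC 6749 §4.1.2 single-use requirement and is what a re-test should confirm alongside the absence of any `access_token` parameter in redirect URLs.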
BAIT penetration testing options
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Matproof Sentinel for BaFin BAIT compliance
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about BaFin BAIT penetration testing
What is BaFin BAIT and which institutions must comply?
BAIT — Bankaufsichtliche Anforderungen an die IT (Supervisory Requirements for IT in Financial Institutions) — is BaFin's circular that provides specific IT requirements implementing MaRisk AT 7.2. BAIT applies to all institutions subject to MaRisk: credit institutions licensed under KWG §1(1), financial services institutions under KWG §1(1a), and investment firms under WpIG. This includes German retail banks, investment banks, online banks (neobanks), cooperative banks, savings banks, insurance companies (subject to VAIT — the insurance equivalent of BAIT), payment institutions (subject to ZAIT), and German branches and subsidiaries of foreign banks. For international banks with German operations: if your German entity holds a German KWG licence or is directly supervised by BaFin, BAIT applies in full. If you operate under a passport without a German licence, you must comply with MaRisk/BAIT-equivalent requirements from your home jurisdiction.
What is the difference between BAIT, VAIT, and ZAIT?
These are BaFin's three IT supervisory circulars for different regulated sectors: BAIT (Bankaufsichtliche Anforderungen an die IT) applies to credit institutions and financial services institutions supervised under KWG/WpIG. VAIT (Versicherungsaufsichtliche Anforderungen an die IT) applies to insurance undertakings supervised under VAG. ZAIT (Zahlungsdiensteaufsichtliche Anforderungen an die IT) applies to payment institutions and e-money institutions supervised under ZAG. All three have closely parallel structures (mirroring each other and the EBA guidelines) but differ in sector-specific requirements. For a German bank that also operates a captive insurance subsidiary, both BAIT and VAIT apply to the respective entities. The penetration testing requirements across all three circulars are materially similar — annual testing of critical systems, by independent qualified testers, with documented results and remediation.
What does a BaFin §44 KWG special audit check regarding BAIT §9 penetration testing?
BaFin has published anonymised findings from §44 KWG special audits focused on IT (Prüfungsbericht §44 KWG). Recurring BAIT §9 penetration testing deficiencies include: (1) no documented annual penetration testing programme (the most common finding), (2) penetration tests conducted too narrowly — only internet-facing perimeter tested, core banking APIs and internal systems excluded, (3) tester independence not demonstrated — internal team testing systems they are also responsible for, (4) CVSS risk ratings absent from findings, (5) no remediation tracking — findings from prior tests not closed and no evidence of follow-up, (6) no re-test verification that Critical/High findings were actually fixed, (7) cloud-hosted banking systems excluded from scope. BaFin examiners typically request: the last 2 years of penetration test reports, the tester's CV/qualifications, the remediation register, and re-test reports for Critical/High findings.
How has BAIT changed with the 2021 revision and how does DORA affect it further?
The 2021 BAIT revision (Circular 01/2021) made several important changes: added cloud service requirements (§9a), strengthened testing requirements in §9.4, added IT service provider management requirements (§11), and explicitly referenced EBA/GL/2019/04 as the EU baseline. Since January 2025, DORA (the Digital Operational Resilience Act) applies as EU regulation. BaFin has confirmed that BAIT continues to apply alongside DORA — they are not alternatives. DORA provides EU-level minimum requirements for digital operational resilience; BAIT provides German-specific IT governance requirements. DORA Art. 24 (penetration testing) and BAIT §9.4 both require annual testing — satisfying both is not duplicative effort if the testing programme is structured to produce documentation referencing both requirements. BaFin is expected to issue a BAIT update in 2025/2026 that explicitly maps BAIT sections to corresponding DORA articles.
What qualifications should a BAIT §9.4 penetration tester have?
BAIT §9.4 requires testers with 'proven expertise and independence from the systems being tested'. BaFin examiners look for: professional certifications (OSCP, OSWE, OSCE3, GPEN, CREST CRT or CCT are all accepted), relevant experience (typically 3+ years of penetration testing, preferably in financial sector environments), independence documentation (written statement that the tester has no involvement in designing, building, or operating the tested systems), and professional indemnity insurance. For TIBER-EU/TLPT tests (DORA Art. 26), there are additional ECB/Bundesbank accreditation requirements for the red team provider. For standard BAIT §9.4 tests, no BaFin-specific accreditation exists — it is a qualified professional judgement of competency that BaFin examiners make when reviewing the tester's credentials alongside the test report.
Does BAIT require penetration testing of mobile banking applications?
Yes, explicitly. BAIT §9.4 requires testing of 'critical IT systems' — and mobile banking applications are explicitly included in BaFin's interpretation of critical IT systems given they are the primary banking interface for retail customers and process authentication credentials, account data, and payment instructions. BAIT §6 (IAM) additionally requires testing of mobile authentication mechanisms. The OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Security Verification Standard (MASVS) are the accepted methodologies for mobile banking testing. Common mobile banking findings include: SSL pinning bypass enabling MITM (CVE-2023-28205 iOS WebKit), hardcoded API credentials in decompiled app bundles (CWE-798), insecure local storage of session tokens on Android (CWE-312), and intent-based attacks leaking authentication data on Android.
How should a German bank document BAIT §9.4 penetration testing for a BaFin examination?
The ideal BAIT §9.4 examination documentation package includes: (1) an IT security testing policy document naming penetration testing as required annual activity, listing covered systems and tester independence requirements, (2) an annual penetration test report with: tester credentials, CVSS-rated findings, proof-of-exploit for material findings, scope documentation confirming coverage of critical systems, (3) a remediation register showing status of every finding (open, in progress, resolved, risk-accepted with written justification), (4) for Critical/High findings: re-test reports confirming remediation, (5) board/management presentation or summary showing that management reviewed test results (satisfies MaRisk AT 7.2 management oversight requirement), (6) for outsourced systems: evidence that IT service providers have been tested (BAIT §11). Matproof Sentinel's report structure directly addresses items 2, 3, and 4.
Is there an English version of BAIT and where can I find it?
BaFin publishes BAIT in German only (as it applies to German-supervised institutions). BaFin does publish an English version of its website and English translations of some key documents, but BAIT itself is only official in German. BaFin's website (bafin.de) includes an English-language overview of BAIT requirements. For working with BAIT in English-language compliance teams, the most practical approach is to use: (1) the EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04) as the English-language baseline — BAIT explicitly incorporates and extends these guidelines; (2) unofficial translations of BAIT provided by major German law firms (Freshfields, Linklaters, White & Case all publish BAIT summaries in English); (3) this guide as a reference for the penetration testing requirements specifically.
Start your BaFin BAIT-compliant penetration test
Matproof Sentinel delivers penetration test reports structured to satisfy BaFin BAIT §9.4 examination requirements — CVSS ratings, proof-of-exploit, remediation tracking, and re-test capability. Start with a free scan or get a full audit-ready report from €149.