MaRisk Penetration Testing: AT 7.2 Compliance for German Banks
MaRisk — Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement) — is BaFin's primary supervisory circular governing risk management at German credit institutions and financial services firms. MaRisk AT 7.2 establishes the IT risk management framework: it requires banks to identify, assess, and mitigate IT risks systematically, including through regular technical security testing of critical IT systems. In conjunction with BAIT (BaFin's IT supervisory requirements), DORA (since January 2025), and BSI IT-Grundschutz, MaRisk AT 7.2 creates a multi-layered penetration testing obligation for German financial institutions. This guide — written in English for international compliance teams — explains what MaRisk requires, how it interacts with DORA and BAIT, and what a compliant penetration testing programme looks like.
What MaRisk AT 7.2 requires for IT security testing
MaRisk was originally issued in 2005 as circular 18/2005 and has been substantially revised multiple times, most recently in 2022 (MaRisk 7th amendment, Rundschreiben 05/2022). AT 7.2 covers IT risk management in three paragraphs. AT 7.2.1 requires that banks have an IT strategy, IT governance framework, and IT risk inventory. AT 7.2.2 addresses IT security specifically: banks must identify, assess, and treat IT risks — and critically, they must 'regularly test the technical security of IT systems'. The phrase 'regelmäßig die technische Sicherheit von IT-Systemen testen' is the legal basis for penetration testing under MaRisk. While MaRisk does not specify penetration testing by name, BaFin examiners have consistently interpreted 'technical security testing' as requiring active exploitation attempts — not merely vulnerability scanning. AT 7.2.3 covers outsourcing of IT services, with requirements for maintaining visibility over security testing of outsourced systems.

The 2022 revision of MaRisk also strengthened the alignment with EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04) and anticipated DORA by explicitly requiring banks to assess their digital operational resilience. Since January 2025, DORA applies as lex specialis to most German financial institutions — but MaRisk continues to apply for governance framework requirements that go beyond DORA's scope. BaFin has published guidance clarifying that DORA compliance does not make MaRisk compliance redundant; both sets of requirements must be met simultaneously.
- MaRisk AT 7.2.2 requires 'regular technical security testing of IT systems' — BaFin examiners interpret this as annual penetration testing at a minimum for critical banking systems, with risk-based augmentation for highly sensitive systems.
- BAIT (Bankaufsichtliche Anforderungen an die IT, §6 'Identity and Access Management' and §8 'IT Operations') explicitly requires penetration testing as a technical security assessment measure — BAIT is the technical supplement to MaRisk's higher-level risk management requirements.
- DORA Art. 24 (mandatory since January 2025) requires all EU financial entities to conduct regular penetration tests — this is additive to MaRisk AT 7.2, not a replacement. BaFin has confirmed that both sets of requirements apply simultaneously.
- EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04) — incorporated by reference in MaRisk 7th amendment — specifically call for penetration testing of critical ICT systems as an element of an effective ICT security management framework.
- BaFin's examination practice (Prüfungsansatz) for special audits (Sonderprüfungen) under §44 KWG regularly finds AT 7.2 deficiencies related to absent or insufficient penetration testing. A BaFin special audit that finds no penetration testing programme typically results in a formal deficiency report and required corrective action.
- DSGVO (German GDPR transposition) Art. 32 requires 'regular testing, assessment and evaluation of the effectiveness of technical and organisational measures' — for banks processing customer data, penetration testing is an expected technical measure under both DSGVO and MaRisk.
- International banks operating German branches under CRD IV/CRR passporting must comply with MaRisk for their German operations. MaRisk applies to: credit institutions licensed under KWG, financial services institutions under KWG §1(1a), and investment firms under WpIG. This includes German subsidiaries and branches of non-German banks.
What MaRisk AT 7.2 penetration testing should cover
- Critical banking IT systems (MaRisk AT 7.2.2 scope): core banking systems (CBS), online banking and mobile banking applications, payment processing systems (TARGET2, SEPA, SWIFT), customer data management platforms, trading and portfolio management systems
- Authentication infrastructure (BAIT §6 IAM requirements): MFA implementation for privileged and customer-facing access, session management, password policy enforcement, certificate management — JWT implementation weaknesses (CWE-347), OAuth 2.0 flows for open banking APIs (PSD2/Berlin Group NextGenPSD2)
- Online banking application security (AT 7.2.2 + BAIT §8): OWASP Top 10 full coverage for customer-facing web applications — A01 Broken Access Control (IDOR in account/transaction endpoints), A02 Cryptographic Failures (weak TLS, expired certificates), A03 Injection (SQL injection against transaction history), A07 Authentication Failures
- Open banking API security (PSD2 integration): OWASP API Security Top 10 (2023) testing of TPP/PSD2 APIs — API1 Broken Object Level Authorization (access to other customers' account data), API2 Broken Authentication (OAuth 2.0 flows with missing or incorrectly implemented PKCE, RFC 7636), API5 Broken Function Level Authorization
- Network segmentation and internal access controls (BAIT §8): testing of network zones separating internet-facing banking services from internal core banking, verification that production databases are not directly accessible from DMZ, SWIFT network isolation testing
- Third-party IT service provider security (MaRisk AT 7.2.3 outsourcing): assessment of security in outsourced IT services — SaaS providers' security posture, core banking system cloud hosting security, payment processor integration security
- Incident detection capability (EBA/GL/2019/04 §§68-74): testing whether SOC/SIEM detects the attack activity conducted during the test — MaRisk AT 7.3 (emergency management) requires verified detection capabilities
- Data protection controls (DSGVO + MaRisk interface): testing that customer PAN/IBAN data is appropriately protected from exfiltration — DLP effectiveness assessment, database access control review
- Resilience testing (DORA Art. 24 + MaRisk AT 7.3): availability impact of attack scenarios, business continuity implications of identified vulnerabilities, backup system security
- Regulatory reporting system security: testing of systems that generate regulatory reports to BaFin/Bundesbank — COREP, FINREP, AnaCredit — given that data integrity of regulatory reporting is explicitly a supervisory priority
Sample finding
MaRisk AT 7.2.2 violation: customer account IDOR in online banking transaction history API
The online banking API endpoint /api/banking/accounts/{accountId}/transactions returns transaction history based solely on the account ID path parameter, without verifying that the authenticated user is the account owner. An authenticated banking customer can enumerate other customers' transaction histories by substituting sequential account IDs in the URL path. Using a simple script iterating through 100 account IDs, the tester retrieved transaction histories for 87 different customer accounts, including names (from payee fields), IBAN numbers of payees, transaction amounts, and merchant names. This constitutes a mass data breach of personal financial data — a simultaneous violation of MaRisk AT 7.2.2 (IT risk inadequately managed), BAIT §6 (IAM failure), DSGVO Art. 32 (technical measures inadequate), and DORA Art. 24 (security testing failure). BaFin examiners who identify this type of finding during a §44 KWG special audit typically require immediate remediation and may trigger formal supervisory measures.
Fix: Implement server-side authorisation enforcement in every transaction API handler: the accountId in the request path must be validated against the authenticated user's list of owned accounts (derived from the JWT/session token). A request for an account the user does not own must return HTTP 403 Forbidden — not HTTP 200 with another user's data. Additionally: implement API-level logging that alerts on anomalous patterns (>3 unique account IDs accessed per session, sequential ID enumeration patterns). Conduct a code audit of all API endpoints handling account, customer, or transaction data to identify other IDOR vulnerabilities. Document the finding, remediation timeline, and re-test result for BaFin examination readiness.
Reference: OWASP API1:2023 Broken Object Level Authorization · MaRisk AT 7.2.2 IT risk management · BAIT §6 IAM · DSGVO Art. 32 · CWE-639 Authorization Bypass Through User-Controlled Key · DORA Art. 24
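The ownership check and the session-anomaly alerting described in the fix above, as an added illustration that is not code from the original page or from Matproof: a Python sketch of the vulnerable lookup beside the hardened handler, plus a detector over a constructed access log. The transaction store, the owned-accounts map and the session identifiers are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: transactions keyed by account id, and the accounts
# each authenticated session (e.g. JWT subject) is permitted to read.
TRANSACTIONS = {
    1001: [{"payee": "DE89370400440532013000", "amount": -42.10}],
    1002: [{"payee": "DE02120300000000202051", "amount": 1500.00}],
    1003: [],
}
OWNED_ACCOUNTS = {"alice": {1001}, "bob": {1002, 1003}}


def get_transactions_vulnerable(session_user: str, account_id: int):
    """The IDOR: looks up by the path parameter only and ignores the caller."""
    if account_id not in TRANSACTIONS:
        return 404, None
    return 200, TRANSACTIONS[account_id]


def get_transactions_fixed(session_user: str, account_id: int):
    """Hardened handler: enforce ownership server-side before any data access."""
    owned = OWNED_ACCOUNTS.get(session_user, set())
    if account_id not in owned:
        # Same 403 for unknown and foreign accounts, so a caller cannot tell
        # "does not exist" from "not yours" by probing ids.
        return 403, None
    return 200, TRANSACTIONS.get(account_id, [])


def flag_enumeration(access_log, max_unique=3, run_len=3):
    """Flag sessions touching more than max_unique distinct account ids or
    walking run_len consecutive ids in order (the >3-per-session and
    sequential-enumeration rules). access_log: iterable of (session, id)."""
    seen = defaultdict(list)
    for session, account_id in access_log:
        seen[session].append(account_id)
    alerts = {}
    for session, ids in seen.items():
        reasons = []
        if len(set(ids)) > max_unique:
            reasons.append("many_accounts")
        for i in range(len(ids) - run_len + 1):
            window = ids[i:i + run_len]
            if all(window[j + 1] == window[j] + 1 for j in range(run_len - 1)):
                reasons.append("sequential_ids")
                break
        if reasons:
            alerts[session] = reasons
    return alerts
```

In a real deployment the owned-accounts lookup is a database query keyed on the verified token subject, and the detector runs over the API gateway's access log rather than an in-memory list.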
MaRisk penetration testing options
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Matproof Sentinel for MaRisk AT 7.2 compliance
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about MaRisk penetration testing
What is MaRisk and which financial institutions must comply?
MaRisk — Mindestanforderungen an das Risikomanagement (Minimum Requirements for Risk Management) — is BaFin's administrative circular governing risk management at German financial institutions. It is issued under BaFin's supervisory authority (§25a KWG for credit institutions, §80 WpHG for investment firms). MaRisk applies to: all credit institutions licensed under KWG §1(1) (including German subsidiaries and branches of foreign banks), financial services institutions under KWG §1(1a), and investment firms under WpIG. The scope includes online banks (neobanks, challenger banks), traditional retail banks, cooperative banks (Volksbanken, Raiffeisenbanken), savings banks (Sparkassen), investment banks, and foreign bank branches operating in Germany. MaRisk AT 7.2 IT requirements apply proportionally — larger, more complex institutions face more stringent supervisory expectations.
How does MaRisk AT 7.2 interact with DORA for German banks?
DORA (Digital Operational Resilience Act) applies to all EU financial entities — including all German banks — since January 17, 2025. BaFin has explicitly confirmed that DORA and MaRisk apply simultaneously (they are not alternatives). The relationship is: DORA provides the EU-level floor for digital operational resilience requirements, including penetration testing (Art. 24). MaRisk AT 7.2 provides additional German-specific risk management governance requirements that go beyond DORA's scope. In practice: DORA Art. 24 establishes minimum test frequency and documentation requirements; MaRisk AT 7.2 requires that testing be embedded in a broader IT risk management framework. A German bank must satisfy both. The good news: a well-structured penetration testing programme that satisfies DORA Art. 24 (scoped to critical ICT systems, CVSS-rated findings, remediation tracking, annual testing) also satisfies the technical testing element of MaRisk AT 7.2.
Does MaRisk require a specific penetration testing frequency?
MaRisk AT 7.2.2 says 'regular' but does not specify a frequency. BaFin's examination practice and the complementary BAIT document (§8 IT operations) indicate that annual penetration testing of critical banking systems is the de facto minimum. 'Critical banking systems' in BaFin's interpretation typically includes: core banking systems, customer-facing online banking platforms, payment processing infrastructure, and systems storing customer financial data. After significant changes to IT systems (major release, cloud migration, new product launch), an ad hoc penetration test is expected. For digital-native banks (neobanks) with frequent deployments, continuous automated testing (as provided by Matproof Sentinel) supplemented by annual structured external testing is the emerging supervisory expectation.
What is BAIT and how does it relate to MaRisk?
BAIT — Bankaufsichtliche Anforderungen an die IT (Supervisory Requirements for IT in Financial Institutions) — is BaFin's technical supplement to MaRisk AT 7.2. While MaRisk provides the governance framework, BAIT provides specific IT security requirements. BAIT §8 (IT Operations) explicitly addresses penetration testing: it requires 'regular testing of security mechanisms in IT operations' and specifies that this includes penetration tests of internet-facing systems. BAIT was revised in 2021 and again updated in 2024 to align with EBA guidelines and anticipate DORA. BAIT applies to the same institutions as MaRisk. In a BaFin §44 KWG special audit or annual supervisory assessment, examiners review both MaRisk AT 7.2 compliance (risk management framework) and BAIT §8 compliance (technical testing implementation) — you need to satisfy both.
Can a German bank's compliance team use Matproof Sentinel to satisfy MaRisk AT 7.2?
Matproof Sentinel's automated penetration testing directly addresses the technical testing requirement of MaRisk AT 7.2.2 and BAIT §8. The audit-ready PDF report includes OWASP Top 10 and API Top 10 coverage, CVSS 3.1 ratings, proof-of-exploit for each finding, and remediation tracking — all elements that BaFin examiners and internal auditors expect to see. For MaRisk compliance purposes, the most defensible approach combines: Matproof Sentinel for continuous/monthly automated testing (which maintains a continuous evidence record) and annual structured external penetration testing by a qualified provider (which provides human-expert depth and institutional independence documentation). The continuous Sentinel scanning ensures that the bank is not caught with a 12-month-old test report when a new critical vulnerability is disclosed — a risk that has caught several German banks in recent BaFin examinations.
What happens if BaFin finds MaRisk AT 7.2 deficiencies related to penetration testing?
BaFin uses §44 KWG (special audits) and §44b KWG (information requests) to examine compliance. If examiners find MaRisk AT 7.2 deficiencies — including inadequate or absent penetration testing — the typical BaFin response is: (1) formal deficiency letter (Mängelschreiben) requiring a corrective action plan within 6 weeks, (2) follow-up supervision to verify remediation, (3) for repeated or serious deficiencies, a formal supervisory order (Anordnung) requiring specific measures by a deadline. In extreme cases, BaFin can impose additional capital requirements on the basis of Pillar 2 operational risk charges. Personal liability of management board members (Vorstand) is also possible under §25a(5) KWG if deficiencies reflect a systemic governance failure. The practical incentive: a documented penetration testing programme with annual reports and remediation tracking is far less expensive than a BaFin special audit finding.
How should an international bank's German subsidiary document MaRisk AT 7.2 compliance?
International banks operating German subsidiaries or branches face a common challenge: the global cybersecurity programme may not produce documentation in the format expected by BaFin. Recommended approach: (1) produce a MaRisk/BAIT gap analysis mapping the global programme to MaRisk AT 7.2 requirements, (2) for penetration testing specifically, ensure that German-scope systems are explicitly included in test scope (BaFin expects German entities to test German systems, not rely entirely on global tests that may not cover German-specific infrastructure), (3) penetration test reports that reference German regulatory requirements (MaRisk AT 7.2, BAIT §8, DORA Art. 24) are viewed more positively by BaFin examiners than generic reports, (4) maintain a German-language remediation log that a BaFin examiner can review, (5) brief the German management board (Geschäftsleitung) on penetration test results — BaFin expects board-level visibility of material IT risks.
What is the relationship between MaRisk penetration testing and DSGVO Art. 32?
DSGVO (German GDPR transposition) Art. 32 requires that data controllers and processors implement 'appropriate technical and organisational measures' including 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing'. For German banks processing extensive personal financial data, this creates an independent legal obligation for regular security testing that runs in parallel to MaRisk AT 7.2. In practice, a comprehensive penetration testing programme satisfies both: the MaRisk requirement for IT risk management and the DSGVO requirement for testing effectiveness of security measures. When a penetration test reveals that customer financial data was accessible to unauthorised parties (e.g., an IDOR finding exposing account details), this is simultaneously a MaRisk AT 7.2 finding and a potential DSGVO Art. 32 finding — and depending on data volume, may require notification to BfDI (Federal Commissioner for Data Protection) under DSGVO Art. 33.
Start your MaRisk-compliant penetration test
Matproof Sentinel delivers audit-ready penetration test reports mapped to MaRisk AT 7.2, BAIT §8, and DORA Art. 24 requirements — with German-regulatory context built in. Start with a free scan or get a full report from €149.