BaFin and VDR Outsourcing

BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) supervises German banks, insurers, asset managers, and other financial-services firms. Its outsourcing expectations are set out in MaRisk (specifically AT 9) for banks, with parallel rules for insurance (VAIT) and asset management (KAMaRisk / KAIT).

When a BaFin-supervised firm uses a virtual data room to handle regulated client data, BaFin treats the relationship as a material outsourcing. The firm must (a) document a written outsourcing agreement, (b) maintain an outsourcing register, (c) ensure audit and information rights flow through to BaFin and the firm's external auditor, and (d) prepare a documented exit plan.

Last updated: May 2026.


Applicable BaFin Rule Sets

  • MaRisk AT 9. Banking outsourcing rules; aligned with EBA outsourcing guidelines.
  • BAIT (Bankaufsichtliche Anforderungen an die IT). Detailed IT-specific expectations including ICT risk management, identity and access, cryptography, network security.
  • VAIT, KAIT, ZAIT. Equivalent requirements for insurance, asset management, and payment institutions.
  • MaRisk AT 9 (revised 2023). Incorporates DORA-aligned expectations for ICT third-party risk.

Required Contractual Elements

  • Written outsourcing agreement before the outsourcing begins.
  • Audit and information rights for the bank, BaFin, and the bank's external auditor.
  • Sub-outsourcing transparency.
  • Service-level agreements with KPIs.
  • Data protection and confidentiality clauses.
  • Termination and exit clauses with transition assistance.

Providers Aligned with BaFin Expectations

  • [netfiles](/providers/netfiles) — Germany-only hosting, BSI C5, ISO 27001.
  • [idgard](/providers/idgard) — Germany-only, BSI C5, Sealed Cloud architecture.
  • [Brainloop](/providers/brainloop) — Germany hosting, ISO 27001, BSI C5.
  • [Drooms](/providers/drooms) — DE/CH hosting, ISO 27001 / 27018.

Frequently Asked Questions

Is using a VDR for a German bank deal an outsourcing under BaFin?

Yes, when the VDR handles regulated client data. The bank must perform the MaRisk AT 9 analysis and document the engagement in its outsourcing register.

Does MaRisk require Germany-only hosting?

Not strictly, but combined with BSI C5 expectations and the audit-rights framework, Germany-only hosting is the path of least resistance for regulated counterparties.

How does MaRisk interact with DORA?

DORA applies in full to BaFin-supervised entities from 17 January 2025. The 2023 MaRisk revision aligned the German framework with DORA expectations; in practice the two are layered.