The ninth amendment to the Minimum Requirements for Risk Management is on the cusp of consultation – and it will fundamentally reshape the supervisory framework for risk management at German credit institutions like no revision before it. The core of the transformation lies not in individual new requirements, but in a systemic shift: away from rule-based detailed regulation, towards a principles-based justification logic that obliges every institution to document its individual solutions in a traceable and auditable manner.
For German credit institutions active in capital markets, asset management or traditional lending, the amendment means far more than a regulatory update. For the first time, it bundles three major European regulatory waves into a single national supervisory framework: the transposition of the Capital Requirements Directive VI (CRD VI) through the Banking Directive Transposition and Bureaucracy Reduction Act (Bankenrichtlinienumsetzungs- und Bürokratieentlastungsgesetz, BRUBEG), the European Banking Authority (EBA) guideline EBA/GL/2025/01 on the management of ESG risks, and the delineation from the Digital Operational Resilience Act (DORA). Anyone who fails to consider these three strands in an integrated manner will not grasp the full significance of the 9th MaRisk amendment.
What: 9th amendment to the Minimum Requirements for Risk Management (MaRisk), BaFin circular
When: Consultation draft expected Q1/Q2 2026, entry into force anticipated late 2026/early 2027
Drivers: CRD VI transposition (BRUBEG), EBA guideline EBA/GL/2025/01 (ESG risks), DORA delineation
Scope: All nationally supervised credit institutions in Germany
Relief: Approx. 950 institutions (around 75% of all German credit institutions) benefit from the new institution classification
The Paradigm Shift: From Checkbox to Justification Chain
Anyone who has followed previous MaRisk amendments knows the pattern: European guidelines are transposed into national law, detailed rules are added, audit standards are tightened. The 9th amendment breaks with this pattern. It executes a shift from imperative detailed prescriptions to three guiding principles that reorder the entire regulatory framework.
First Principle – Complexity Reduction
Duplications, redundancies and repetitions of statutory provisions are being removed. Dynamic references to EBA guidelines are reduced to avoid norm collisions. Modules are being consolidated – most visibly in the former AT 7.2 on technical and organisational equipment, which is being almost entirely deleted because the DORA regulation covers this subject matter under EU law.
Second Principle – Double Proportionality
Requirements will in future be calibrated not only by institution size, but also by business model, complexity and risk profile. "Double" means: both the scope of requirements and the availability of flexibility clauses scale with the institution category. A credit institution with one billion euros in total assets and a simple business model faces different expectations than a universal bank with complex trading operations.
Third Principle – Justification Obligation Instead of Rule Compliance
Institutions no longer need to work through rigid checklists. Instead, they must be able to justify why their institution-specific solution is appropriate. Open formulations such as "appropriate" or "suitable" become the norm. The consequence: auditable documentation chains become more important than formal rule compliance. This raises the liability exposure of the management board under Section 25a of the German Banking Act (Kreditwesengesetz, KWG): a justification that is incorrect, undocumented or inconsistent with the institution's actual practice can be treated as organisational fault attributable to the board.
The New Institution Classification
One of the most tangible innovations is the introduction of a uniform three-tier classification that permeates the entire MaRisk scope of application.
| Category | Total Assets | Share of German institutions (approx.) / treatment |
|---|---|---|
| Very small institutions | up to EUR 1bn | 40–45% |
| Small institutions (SNCI) | EUR 1bn to 5bn | both categories together approx. 75% (~950 institutions); eligible for relief |
| Other nationally supervised institutions (LSI) | above EUR 5bn | remaining approx. 25%; full requirements |
The increase is remarkable: the previous informal size threshold stood at around EUR 500 million in total assets. The new EUR 5 billion threshold massively expands the circle of institutions that benefit from relief. Significant Institutions (SI) under direct European Central Bank (ECB) supervision are largely removed from the MaRisk scope of application.
For day-to-day practice, the classification means: very small institutions may bundle functions – for instance, the compliance officer and outsourcing officer in a single role. They may use group or association-internal solutions when assessing service providers. And they need to conduct significantly fewer stress tests.
ESG Risks: From Optional to Mandatory
The 7th MaRisk amendment first mentioned Environmental, Social and Governance (ESG) risks. The 9th amendment makes them a statutory obligation – and now has a parliamentary basis for doing so.
The Banking Directive Transposition and Bureaucracy Reduction Act (BRUBEG), adopted by the Bundestag on 29 January 2026, anchors ESG risks directly in the Banking Act. Section 26c KWG requires ESG risks to be considered across all phases of risk management – identification, measurement, control and monitoring. Section 26d KWG obliges every institution to produce an ESG risk plan with institution-specific targets and metrics.
The MaRisk amendment translates these statutory requirements into supervisory practice: ESG risks are explicitly embedded in the risk inventory and risk strategy. They are treated as drivers of all traditional risk categories within the Internal Capital Adequacy Assessment Process (ICAAP). An annual materiality analysis of the financial impacts of ESG risks on the business model becomes mandatory.
However, proportionality applies here too: very small and small institutions may focus solely on climate risks until 31 December 2029. Qualitative targets are initially sufficient; social and governance risks are optional at first. Small and Non-Complex Institutions (SNCI) need not submit their ESG risk plan until January 2027.
The EBA guideline EBA/GL/2025/01 on the management of ESG risks, published on 9 January 2025, applies to larger institutions from January 2026. BaFin has clarified that it will not independently apply this guideline to less significant institutions – instead, national implementation occurs through the MaRisk amendment with proportional relief.
DORA–MaRisk Delineation: Who Regulates What?
The 9th amendment resolves a regulatory overlap that has occupied the industry since DORA Regulation (EU) 2022/2554 took effect on 17 January 2025: the overlap between MaRisk and DORA on IT-related requirements.
The new architecture is clear: DORA conclusively governs information and communications technology (ICT) risks, ICT third-party risks, the digital operational resilience strategy and ICT incident reporting obligations. MaRisk retains jurisdiction over everything outside ICT: non-ICT outsourcing, non-ICT operational risks, ESG risks, governance, and credit and market risks.
DORA: ICT risk management, ICT third-party risks, digital resilience strategy, ICT incident reporting
MaRisk: Non-ICT outsourcing (AT 9), ESG risks, credit/market risks, governance, operational risks (non-ICT)
Bridge: ICT strategy in MaRisk links business strategy with DORA resilience strategy
The most concrete consequence: AT 7.2, the former module on technical and organisational equipment, is being almost entirely deleted. A clean separation between ICT third parties (DORA) and traditional service providers (MaRisk AT 9) becomes mandatory for all institutions. Simultaneously, an ICT strategy is being integrated into MaRisk as a bridge between the business strategy and the digital resilience strategy – to ensure IT governance remains anchored at management board level.
For the existing outsourcing section AT 9, this means restructuring: ICT outsourcing arrangements will in future fall under DORA, including the register of information on ICT third-party arrangements that each institution must maintain and the Union oversight framework for critical ICT third-party service providers, which is exercised by the European Supervisory Authorities (EBA, ESMA and EIOPA) rather than by national supervisors. MaRisk AT 9 focuses on non-ICT outsourcing and retains the core principles: no uncontrollable risks through outsourcing, and steering, control and audit capability must be preserved at all times.
Governance: New Requirements from CRD VI
Through BRUBEG, Sections 25c and 25d of the Banking Act are being revised. MaRisk provides the regulatory flanking for these governance requirements. Three innovations stand out.
First: holders of key functions face new qualification and fitness-and-propriety requirements (Fit & Proper). Second: heads of internal control functions – risk management, compliance, internal audit – receive strengthened rights. These include a direct reporting line to the supervisory body and dismissal protection requiring the supervisory body's consent. Third: large institutions must notify BaFin of intended appointments to key functions 30 working days before the date of taking office.
Stress Test Relief and Credit Process
Proportionality is particularly visible in stress testing. Very small institutions will in future need to conduct only one cross-risk-category test plus one test per material risk category – sensitivity analyses are sufficient. Small institutions conduct three to five tests per year; reverse stress tests may be qualitative or omitted entirely; instead of three liquidity stress tests, one suffices.
| Institution Category | Stress Test Requirements |
|---|---|
| Very small institutions | 1 cross-risk test + 1 per material risk category; sensitivity analyses sufficient |
| Small institutions (SNCI) | 3–5 tests p.a.; reverse stress tests qualitative or omitted; only 1 liquidity stress test p.a. (instead of 3) |
| Other nationally supervised institutions (LSI) | Full programme, mandatory reverse stress tests, 3 liquidity stress tests p.a. |
The credit process also sees relief: risk model validation can be extended to a two-to-three-year cycle, and recourse to external validation reports is permissible. For small institutions, collateral valuation is required only every two years instead of annually.
A new materiality threshold is introduced: five per cent of economic risk-bearing capacity serves as the reference point for classifying a risk as material. A cumulation proviso prevents the threshold from being applied to each risk in isolation: institutions must also check that several individually immaterial risks do not, in aggregate, amount to a material risk.
What the Relief Really Means – and Where the Pitfalls Lie
The relief measures are real – but they are not a carte blanche. Three aspects deserve particular attention.
First: justification logic is more demanding than rule compliance. Those who previously worked through checklists could identify and correct errors. Those who must in future justify why a particular solution is appropriate need a deeper understanding of their own risk position and must document this assessment without gaps. The auditability of the justification chain becomes the central quality criterion – and thus the primary focus of internal audit and supervisory examinations.
Second: the superimposition of three regulatory waves – CRD VI, DORA and ESG – creates substantial implementation complexity despite the proclaimed simplification. Institutions whose total assets sit just above the EUR 5 billion threshold face the full force of all three waves simultaneously. For them, the 9th amendment is not relief but a triple implementation challenge.
Third: the consultation draft had not been officially published at the time of this analysis. All substantive details are based on the results of the MaRisk Expert Committee session of 11 September 2025, BaFin supervisory communications and industry analyses. Specific module numbering and final wording may still change during the consultation process. Institutions that begin preparations now should therefore design their action plans in a deliberately modular fashion – with fixed core building blocks and flexible supplementary modules.
Recommendations
The time remaining until the expected entry into force in late 2026 or early 2027 is tighter than it may initially appear. Five measures should be prioritised by credit institutions now:
1. Classification and gap analysis. Every institution should immediately assess which category it falls into, which flexibility clauses are applicable and where existing practice needs adjustment. Total assets alone are not decisive: business model and risk profile feed into the classification. Those unfamiliar with the materiality threshold of five per cent of risk-bearing capacity cannot correctly calibrate their risk inventory.
2. ESG risk management. The statutory obligation through Sections 26c and 26d KWG is established. Small institutions should start with climate risks and define qualitative targets. Larger institutions must already be fully implementing EBA/GL/2025/01 and integrating all ESG dimensions into the risk inventory. The annual materiality analysis should be conducted for the first time in 2026 to build experience.
3. DORA/MaRisk mapping of service providers. The distinction between ICT third parties and traditional service providers must be reflected in the contract landscape, the outsourcing register and operational governance. Those without a clean mapping risk duplication of effort and supervisory findings. The ICT strategy as the new bridge between business strategy and DORA resilience strategy should be developed promptly.
4. Documentation standards and legal register. The shift from rule catalogue to justification logic requires new documentation standards. Institutions must document their risk strategy, limit-setting and organisational decisions such that appropriateness is traceable and auditable at all times. A structured legal register linking MaRisk modules, DORA articles and KWG sections becomes an indispensable steering instrument.
5. Governance adjustments. The new fitness-and-propriety requirements, the strengthened reporting rights of control functions and the pre-notification obligation for key functions require adjustments to articles of association, rules of procedure and organisational guidelines. Large institutions should factor the 30-working-day notification period into their personnel planning for key function holders.