At its annual press conference on 12 May 2026 in Frankfurt am Main, Germany's Federal Financial Supervisory Authority (BaFin) announced that it is accelerating its IT supervision. A new unit within the already enlarged directorate for cyber risks and technology will in future carry out so-called IT spotlight inspections: shorter and more frequent than the classic special audit, and quicker to arrive wherever there is a fire. The term comes from BaFin President Mark Branson himself, so it is not a journalistic attribution but a supervisory coinage. Branson was equally clear about the trigger: AI models that can identify and exploit vulnerabilities in IT systems with remarkable speed. The message to supervised institutions is unmistakable. The supervisor expects defence to keep pace with the speed of the threat, and it intends to check this more often and at shorter notice in future.
What: A new BaFin unit carries out IT spotlight inspections – shorter, more frequent IT examinations than the classic special audit; announced at the annual press conference on 12 May 2026
Term: "IT spotlight inspections" is a BaFin coinage, introduced by President Mark Branson
Trigger: Branson warns of AI models that find and exploit IT vulnerabilities very quickly; by BaFin's own account, the focus of the inspections is patch management
Accompanying: As early as 18 December 2025, BaFin published a 35-page, non-binding guidance on ICT risks in the use of AI under the Digital Operational Resilience Act (DORA)
Background: In the first three quarters of 2025, 525 major ICT incidents were reported to BaFin, around 70 per cent from the credit sector; 31 per cent of attacks hit not the institution itself but its service providers
What IT Spotlight Is and What It Is Not
A sober assessment begins with what does not change. BaFin did not start examining institutions' IT yesterday: special audits under Section 44 of the Banking Act (KWG) and established IT supervision, formerly under the BAIT (Supervisory Requirements for IT in Financial Institutions) and now under DORA, are long-standing instruments. IT spotlight is conceptually the leaner variant of these examinations, not an entirely new form of audit. The directorate for cyber risks is not new either; it has merely been enlarged again and now comprises seven units. Anyone reading the announcement as a regulatory thunderclap overstates it.
What changes is the cadence. Branson described IT spotlight inspections as far shorter than full-scale examinations, which is why the supervisor can complete more of them and thus respond better to current developments and incidents. For institutions, this means a shorter lead time in practice: where a classic special audit allowed months of preparation, spotlight inspections are meant to arrive quickly and without much advance notice. Branson's justification for the expected yield of these inspections was remarkably honest. In essence: when the supervisor examines, it will also find something, above all in patch management. It is precisely this perennial topic, the swift closing of known vulnerabilities, that is likely to become the focus of the spotlight inspections.
The Trigger: AI That Finds Vulnerabilities Faster
The real driver is not a new examination methodology, but a changed threat landscape. In his speech, Branson referred to a vendor that, only a few weeks earlier, had warned of the cyber implications of its new, very powerful AI model. He did not name it; from the context of the reporting, it concerned a model that had detected serious zero-day vulnerabilities in widely used operating systems and browsers. The supervisory conclusion is obvious: if an AI model finds vulnerabilities faster than defenders can close them, the balance shifts in the attacker's favour.
An important clarification easily lost in the first reporting: IT spotlight is not primarily an examination of AI systems, but a response to an AI-accelerated cyber threat in general. Branson put patch management to the fore, not the validation of models. For institutions this means: the spotlight inspection asks first about the cyber hygiene of the existing IT landscape, not about AI use. Anyone setting the focus wrongly and only polishing AI governance while patch management lags is preparing past the actual subject of the examination.
The Second Lever: the DORA AI Guidance
Accelerating the inspections is only one half of the supervisory move. The other is substantive. As early as 18 December 2025, BaFin had published a 35-page guidance on ICT risks in the use of artificial intelligence at financial entities. The document is explicitly non-binding, yet in fact supplies the benchmark against which AI use under DORA is measured. Its central framing is both easy to connect to existing practice and uncomfortable: an AI system is, within the meaning of DORA, a regular network and information system and enjoys no special status. The requirements for ICT risk management and for managing third-party risks therefore apply along the entire AI lifecycle, from data sourcing through model development to operation and decommissioning.
In practice, both combine into a clear expectation. The guidance defines what AI use under DORA is measured against; the spotlight inspection is the instrument with which BaFin checks at short notice whether the expectation is met. Even though the guidance remains formally non-binding, no IT or compliance leader should dismiss it as a mere recommendation. In supervisory reality, it is the de facto examination catalogue.
What the Figures Show
That the supervisor's concern is not theoretical is borne out by the reporting data under DORA, which has been applicable since 17 January 2025 and makes BaFin the central ICT reporting point for the German financial sector. In the first three quarters of 2025, 525 major ICT incidents were received, around 70 per cent of them from the credit sector. The most frequent attack pattern was phishing at just over 31 per cent, followed by malware and hacking at just under a quarter. Particularly telling for the supervisory thrust is another figure: 31 per cent of the reported attacks hit not the financial institution itself, but its service providers. The third-party risk that the DORA guidance so emphasises is therefore no theoretical construct, but almost a third of the real incidents.
These figures explain why BaFin is not relying on a single large examination, but on many small, fast ones. A threat landscape that changes within weeks cannot be captured with an examination rhythm of years. Spotlight inspections are the attempt to bring the supervisory frequency closer to the speed of the threat.
Assessment: Acceleration, Not a Break
For all the sharpness of the announcement, the distinction is worth drawing. IT spotlight is no paradigm shift, but a consistent build-out of an already established supervisory strategy. AI-driven cyber risks have been a declared focus topic of BaFin since the report "Risks in Focus 2026", the cyber directorate exists, the examination instruments exist. New is the cadence, not the direction. This framing does not play the announcement down; it is the key to the right preparation: anyone reacting to the announcement with a hectic special project misunderstands it. The appropriate answer is to set up ongoing cyber hygiene so that it can pass a short-notice examination at any time.
What IT and Compliance Leaders Should Do Now
Four work packages follow from the announcement. None requires a major project; all require being examination-ready at any time.
Now: Branson explicitly named patch management as a recurring finding. Anyone with gaps here should close them before the first spotlight inspection: traceable deadlines for applying security updates, a reliable overview of open vulnerabilities and an escalation logic for critical cases.
By the next examination cycle: The 35-page guidance is the de facto examination catalogue. Every productively deployed AI system should be documented along its lifecycle, treated as a regular ICT system and integrated into ICT risk management. Anyone running AI outside the DORA framework so far should now make up for it.
Ongoing: Almost a third of the reported attacks hit service providers, not the institutions themselves. The overview of critical ICT service providers, their security posture and the contractual audit and reporting obligations must be kept current. This is no new DORA topic, but one a spotlight inspection can address quickly.
Permanently: Spotlight inspections come with short notice. The relevant evidence – patch levels, incident reports, provider overviews, AI documentation – should be retrievable at any time, not gathered only on request. Examination readiness thereby moves from project mode to a permanent state.
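The first and last work packages share a concrete requirement: deadlines for security updates that can be traced per finding, an overview of open vulnerabilities, an escalation rule for critical cases, and a report that can be produced on demand rather than assembled when the examiner is already in the building. The following Python script, an added example that is neither BaFin's nor any institution's code and is not taken from the article, shows one minimal way to make that traceable. The severity-based deadlines in SLA_DAYS, the escalation rule and the inventory of findings are hypothetical assumptions standing in for an institution's own patch-management policy and vulnerability data.

```python
"""Patch-SLA tracking over a vulnerability inventory (added example).

Assumptions, not BaFin requirements: the remediation deadlines in SLA_DAYS,
the escalation rule, and the constructed inventory below are all hypothetical
stand-ins for an institution's own policy and data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical remediation deadlines in days per CVSS severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative band (CVSS v3 ranges)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    finding_id: str                  # internal ticket id (constructed placeholder)
    asset: str                       # affected host or service (constructed)
    cvss: float
    known_since: date                # day the institution learned of the vulnerability
    patched_on: Optional[date] = None
    vendor_fix_available: bool = True

    @property
    def due(self) -> date:
        """Deadline derived from the severity band; this is the traceable date."""
        return self.known_since + timedelta(days=SLA_DAYS[severity_band(self.cvss)])


def classify(f: Finding, today: date) -> str:
    """SLA status of one finding as of `today`."""
    if f.patched_on is not None:
        return "closed_in_time" if f.patched_on <= f.due else "closed_late"
    return "overdue" if today > f.due else "open"


def needs_escalation(f: Finding, today: date) -> bool:
    """Hypothetical rule: an unpatched critical finding is escalated when it is
    past due, or when no vendor fix exists and compensating controls are needed."""
    if severity_band(f.cvss) != "critical" or f.patched_on is not None:
        return False
    return today > f.due or not f.vendor_fix_available


def patch_report(findings: list, today: date) -> dict:
    """Examination-ready overview: status counts, overdue ids, escalations."""
    counts = Counter(classify(f, today) for f in findings)
    return {
        "as_of": today.isoformat(),
        "counts": dict(counts),
        "overdue": sorted(f.finding_id for f in findings if classify(f, today) == "overdue"),
        "escalate": sorted(f.finding_id for f in findings if needs_escalation(f, today)),
    }


# Constructed inventory; the report date matches the press conference for readability.
AS_OF = date(2026, 5, 12)
INVENTORY = [
    Finding("F-1", "core-banking-app-01", 9.8, date(2026, 5, 1)),
    Finding("F-2", "vpn-gateway-02", 8.1, date(2026, 4, 1), patched_on=date(2026, 4, 20)),
    Finding("F-3", "reporting-db-03", 5.3, date(2026, 1, 15)),
    Finding("F-4", "payments-api-04", 9.1, date(2026, 5, 10), vendor_fix_available=False),
    Finding("F-5", "intranet-wiki-05", 3.1, date(2026, 3, 1), patched_on=date(2026, 5, 11)),
    Finding("F-6", "mail-relay-06", 7.5, date(2026, 3, 1), patched_on=date(2026, 4, 15)),
    Finding("F-7", "hr-portal-07", 6.5, date(2026, 5, 1)),
]

if __name__ == "__main__":
    for f in INVENTORY:
        print(f"{f.finding_id} {severity_band(f.cvss):8} due {f.due} -> {classify(f, AS_OF)}")
    print(patch_report(INVENTORY, AS_OF))
```

The point of the design is that every status is derived from three dated facts per finding (known since, deadline, patched on) rather than from a free-text field, so the same function that produces the daily overview also produces the evidence an examiner asks for, and a finding cannot silently lose its deadline when its severity is re-rated.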
Risks and Open Questions
Three caveats belong to an honest evaluation. First, the level of detail: BaFin has not yet specified the precise scope of the spotlight inspections – which types of institution, from when, at what frequency; only the thrust of "more and shorter" is clear. Second, the conceptual clarity: IT spotlight is a BaFin coinage, but not yet a supervisory instrument codified beyond speeches; its operational design will only become apparent in practice. Third, proportionality: more frequent, short-notice examinations increase the effort on both sides; whether the supervisor can scale the necessary examination capacity in the long run is open.
The strategic consequence: BaFin has changed the rules of the game without rewriting them. Anyone who has so far treated IT security as a periodically examined topic must in future treat it as one examinable at any time. The difference sounds small but is operationally considerable: it separates the institutions that pass a spotlight inspection as routine from those for which it becomes a stress test of their own cyber hygiene.