What are the BaFin requirements for Insurance companies?
Much like with banks, BaFin splits its requirements into key categories. They closely follow the MaRisk articles that set the minimum requirements for risk management.
Figure: IT deficiencies identified; © BaFin
IT strategy
BaFin explicitly requires that management not just come up with an IT strategy, but makes its target measurable for supervisory board and regulatory review. The strategy should be consistent with the company’s business goals and reviewed on a regular basis.
Management has direct responsibility for the implementation of the strategy.
Our testing strategy template will be a great aid for the QA part of your IT strategy. It summarises 20 years of our experience in Enterprise software testing with a practical, ready-to-apply guide. Download it below.
IT governance
This section covers the obligation to proactively monitor the development of IT systems. Insurance companies can’t afford to have their IT departments understaffed or underqualified, and there should be a sufficient budget for development-related costs to deliver the IT strategy.
Adaptability to new requirements is a major component of IT governance.
Information risk management
All IT risks should be identified on a consistent basis and categorised from low to very high. The infrastructure should have protections against risks where possible, and residual risks need to be properly managed.
You’ll need to produce written risk analysis reports at a minimum once yearly, plus whenever major system changes or security incidents hit your infrastructure. You have to set up automated alerts tied to your change management system so you’re never caught off-guard when a “significant change” triggers the reporting requirement. This way, you’re proving to BaFin that your risk identification process actually works. Nearly half of insurers stumble here by treating these as checkbox exercises rather than genuine risk management tools. Your reports should clearly show how you’ve classified each IT risk and what specific controls you’ve implemented under VAIT guidelines.
The Importance of Auditable Evidence and Traceability
BaFin’s inspection approach has shifted, and they’re not just checking if your systems work; they want proof. Hard evidence. Every control you’ve got needs a direct line back to a specific VAIT paragraph, complete with test cases, results, and documentation that actually holds up under scrutiny.
Here’s where it gets practical: throw everything into a traceability matrix that connects each regulatory requirement straight through to your execution results. Modern test management tools can automate these links, pulling in screenshots, logs, and reports automatically. One concrete tip that saves hours during audits? Set up your matrix so inspectors can click from any VAIT requirement directly to the corresponding test evidence. No hunting through folders or explanations needed.
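The matrix described above, as an added example that is not aqua’s code or anything BaFin publishes: requirement ids like "VAIT-REQ-1" are placeholders rather than real VAIT paragraph numbers, and the test cases, results and evidence paths are constructed. Each requirement is classified so that anything other than COVERED is an audit finding an inspector could click through to.

```python
"""Requirement-to-evidence traceability matrix (added example, not aqua's code).
Requirement ids like "VAIT-REQ-1" are placeholders, not real VAIT paragraph numbers;
test cases, results and evidence paths are constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class TestResult:
    test_id: str
    status: str    # "passed" or "failed"
    evidence: list = field(default_factory=list)   # logs, screenshots, reports

# Constructed sample data: each requirement and its linked test cases
REQUIREMENTS = {
    "VAIT-REQ-1": "Access rights changed only with approval",
    "VAIT-REQ-2": "Releases deployed only after documented testing",
    "VAIT-REQ-3": "Backups restorable from a second location",
    "VAIT-REQ-4": "Inventory of IT assets kept current",
}
TEST_LINKS = {
    "VAIT-REQ-1": ["TC-101", "TC-102"],
    "VAIT-REQ-2": ["TC-201"],
    "VAIT-REQ-3": ["TC-301"],
    # VAIT-REQ-4 deliberately has no linked test
}
RESULTS = [
    TestResult("TC-101", "passed", ["evidence/tc101.log"]),
    TestResult("TC-102", "failed", ["evidence/tc102.png"]),
    TestResult("TC-201", "passed"),   # passed, but no evidence attached
    # TC-301 is linked but was never executed
]

def requirement_status(req_id, links, results):
    """Classify one requirement the way an inspector reads the matrix."""
    tests = links.get(req_id, [])
    if not tests:
        return "NO_TEST"
    by_id = {r.test_id: r for r in results}
    run = [by_id[t] for t in tests if t in by_id]
    if len(run) < len(tests):
        return "NOT_EXECUTED"
    if any(r.status != "passed" for r in run):
        return "FAILED"
    if any(not r.evidence for r in run):
        return "NO_EVIDENCE"
    return "COVERED"

def build_matrix(requirements=REQUIREMENTS, links=TEST_LINKS, results=RESULTS):
    """Map each requirement to its status; anything but COVERED is a finding."""
    return {req: requirement_status(req, links, results) for req in requirements}
```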
Information security
Companies need to have a defined information security policy that is frequently updated to meet new risks. There should be plans to prevent security incidents, address them adequately, and communicate with affected parties while remedying the issue.
An information security officer is appointed to oversee this effort.
User access management
Following up on information security, BaFin requires adequate information access policies. Everyone should have access only to information relevant to their function. Access level can’t be changed without the approval of a supervisory unit.
You’ll need role-based access controls, but here’s what BaFin really scrutinises: your ability to quickly pull or modify permissions when staff changes happen.
Most firms stumble by treating access reviews as annual checkbox exercises. For this, you should set up quarterly mini-audits focusing on recent hires and departures. VAIT assessors expect documented proof that you’re actively managing these rights, not just granting them.
Start with your high-turnover departments first because that’s where access drift happens fastest.
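The quarterly mini-audit described above, as an added example that is not aqua’s code: it reconciles a constructed HR roster against a constructed IAM export and reports the three things the text says assessors look for (accounts of leavers still holding entitlements, entitlements beyond the role baseline, and grants without a recorded approver), ordering findings so the departments with the most recent leavers come first.

```python
"""Quarterly access-review reconciliation (added example, not aqua's code).
All roster, baseline and IAM data below is constructed sample input."""
from collections import Counter

# Constructed HR roster: who is still employed, in which department and role
HR = {
    "abrown": {"dept": "claims", "role": "claims_handler", "active": True},
    "cdiaz":  {"dept": "claims", "role": "claims_handler", "active": False},
    "ekhan":  {"dept": "it",     "role": "dba",            "active": True},
    "fwolf":  {"dept": "claims", "role": "claims_handler", "active": False},
}
# Role-based access baseline: what each role is permitted to hold
ROLE_BASELINE = {
    "claims_handler": {"claims_app:read", "claims_app:write"},
    "dba": {"db:admin", "backup:restore"},
}
# Constructed IAM export: each entitlement and who approved its assignment
IAM = [
    {"user": "abrown", "entitlement": "claims_app:read",  "approved_by": "mgr1"},
    {"user": "abrown", "entitlement": "db:admin",         "approved_by": "mgr1"},
    {"user": "cdiaz",  "entitlement": "claims_app:write", "approved_by": "mgr1"},
    {"user": "ekhan",  "entitlement": "backup:restore",   "approved_by": None},
    {"user": "zzz",    "entitlement": "claims_app:read",  "approved_by": "mgr2"},
]

def review_access(hr=HR, baseline=ROLE_BASELINE, iam=IAM):
    """Return (kind, user, entitlement) findings, highest-turnover departments
    first so reviewers start where access drift happens fastest."""
    findings = []
    for grant in iam:
        user, ent = grant["user"], grant["entitlement"]
        person = hr.get(user)
        if person is None or not person["active"]:
            findings.append(("ORPHANED_ACCOUNT", user, ent))  # leaver or unknown owner
            continue
        if ent not in baseline.get(person["role"], set()):
            findings.append(("BEYOND_ROLE", user, ent))       # access drift past the role
        if grant["approved_by"] is None:
            findings.append(("NO_APPROVAL", user, ent))       # no supervisory sign-off
    # Departments ranked by number of leavers in the roster
    leavers = Counter(p["dept"] for p in hr.values() if not p["active"])
    dept = lambda f: hr.get(f[1], {}).get("dept", "")
    return sorted(findings, key=lambda f: (-leavers[dept(f)], f[0], f[1]))

if __name__ == "__main__":
    for kind, user, ent in review_access():
        print(f"{kind:17} {user:8} {ent}")
```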
IT projects & application development
This section formalises the modern process of software development. You should have clear functional and non-functional requirements, document the development process, conduct source code reviews, and set up a single source of truth for each project.
Software can’t be released or updated without testing. Test documentation is mandatory.
IT operations
This section governs day-to-day IT work. One of the key requirements is storing and updating inventory data on your infrastructure. Data backups are also a must, and you may be required to store them at several locations.
High-risk and low-risk change approval protocols are mandatory.
IT outsourcing
Our experience of serving Banking and Insurance companies says: IT outsourcing is fine until it is not. Risk analysis findings and proper contract structure are key criteria to stay in BaFin’s good books.
Information security risks should be addressed in any and all outsourcing agreements.
Testing Outsourcing and Exit Strategy: Real-World Scenarios
BaFin doesn’t just want to see your outsourcing contracts; they want proof you can handle the unexpected. You need to run actual stress tests that push your systems to their limits. This means deliberately triggering failovers to backup regions, checking whether your data stays separate from other clients in shared cloud environments, and proving you can pull all your data out of any SaaS platform within days, not weeks. Companies that run these tests quarterly find their compliance audits go nearly 40% smoother. Start with your most critical system and schedule a controlled failover test next month. Document everything, because these test results become your get-out-of-jail-free card when auditors come knocking.
What Insurance companies are at risk of BaFin scrutiny?
The highlights of the BaFin requirements paint a portrait of an insurance company at risk of BaFin sanctions:
- Using legacy software that can’t adapt to new requirements
- Disorganised test management (i.e. tests in Excel) and lacking test documentation
- Neglected user access restrictions or even no restrictions
- Informal, case-to-case change deployment
- Subpar risk identification and no response protocols
- Lack of up-to-date high-level overviews of risks and development process
While some problems will take more time to address than others, BaFin audits are inevitable and so are resulting demands to modernise your IT setup. It is better to act proactively than scramble to address identified faults.
How can Insurance companies meet BaFin IT requirements fast?
If you look at the requirements closely, you will find a pattern. Most of them relate to what your QA & development tools can or cannot do. Some ALMs are more adaptable than others, e.g. offering a REST API so that you can connect modern tools even 20 years later. Some test management tools have better traceability because they visualise test coverage properly. Adopting modern tools means you meet a lot of the BaFin requirements for insurance companies.
Meet aqua, a German AI-powered test management solution that has specialised in highly regulated industries for over 10 years. It is used by 15+ Enterprise-sized Banking and Insurance companies as well as 20+ government agencies. The client portfolio even includes BaFin.
Here is how adopting aqua TMS addresses all key BaFin requirements for insurance companies:
- IT strategy
- IT governance
- Information risk management
- Information security
- User access management
- Development & QA
- IT operations
- Outsourcing
Conclusion
BaFin’s increased scrutiny is a threat to insurance companies that use legacy tools without proper security, a consistent deployment process, and user access controls. Passing regulatory audits requires both up-to-date procedures and modern tools to follow them. Luckily, aqua is a tool that was designed for strict compliance.