BDO: BaFin Issues Guidance on AI Under DORA
Germany's financial regulator, BaFin, has released guidance on integrating Artificial Intelligence (AI) into financial and insurance sectors. The document clarifies how the EU's AI Act and the Digital Operational Resilience Act (DORA) apply to AI systems.

Germany's financial regulator, BaFin, has issued new guidance for financial and insurance institutions on the implementation and management of Artificial Intelligence (AI) systems. The guidance aims to clarify the interplay between the EU's AI Act and the Digital Operational Resilience Act (DORA).
AI is increasingly integral to value chains in the financial sector, from internal controls to customer interfaces, but this integration also increases risk. BaFin's guidance emphasizes that AI systems should not be treated as isolated innovation topics. Instead, they must be embedded within existing Information and Communication Technology (IKT, the German abbreviation used in the guidance) risk management frameworks. The guidance requires consideration of the entire AI lifecycle, from development and training through operation to secure decommissioning and data deletion.
BaFin frames AI systems technically as network and information systems, bringing them within DORA's scope. This means AI components are subject to the same risks and management requirements as other IKT assets. Companies must ensure the operational resilience of AI systems against failures, manipulation (such as data poisoning) and cyberattacks, not just algorithmic transparency. This applies particularly to credit institutions and insurance undertakings subject to the full DORA requirements.
The guidance seeks to bridge the gap between the abstract requirements of the AI Act and the practical realities of financial sector data centers and cloud environments. By categorizing AI as IKT assets, BaFin ensures that existing digital operational resilience regulations are applied. Smaller entities falling under simplified DORA requirements may be subject to separate considerations.