MaRisk & BAIT — German financial-supervision requirements

Hand the auditor a hash-verified log and a structured Berechtigungskonzept — not a screenshot folder.

ITSMx produces the audit evidence BaFin-supervised entities need — extended retention, role/permission exports, enforced segregation of duties, and information classification — from the same ITSM records your team works daily.

What the regulation requires → what ITSMx produces

Capabilities

MaRisk AT 4.3.4: Extended audit retention

Configurable retention periods meeting MaRisk minimums. Audit log entries are append-only and hash-chained, providing tamper-evident evidence for external auditors.

BAIT 5: Berechtigungskonzept export (PDF + JSON)

Export the full role and permission model — who can do what, in which module, with which segregation constraints — as a structured Berechtigungskonzept per BAIT 5.

BAIT 5: Segregation of duties (SoD)

Enforced in code, not just policy: developer ≠ approver ≠ basis admin. SoD constraints apply to change approvals, CAB membership, and transport promotion in SAP workflows.

BAIT 8: Information classification (IDV)

CIs carry an information-classification level and an IDV (individuelle Datenverarbeitung) flag. Classification drives visibility rules and audit depth per BAIT requirements.

MaRisk AT 7.2: Change governance

CAB workflow with approval chains, test evidence, rollback documentation, and full traceability from request through implementation — the audit trail MaRisk expects.

Common questions

MaRisk / BAIT FAQ

PDF for human review (suitable for auditor handoff) and JSON for machine processing. Both contain the same data: roles, permissions, SoD constraints, and assignment history.
The platform enforces SoD at the code level. For example, a user who submits a change cannot approve it; a developer cannot promote their own transport. Constraints are configurable per tenant and visible in the Berechtigungskonzept.
Yes. MaRisk/BAIT and DORA toggles are independent. German financial entities subject to both can enable all applicable capabilities on one tenant.
MaRisk and BAIT are German financial-supervision requirements (BaFin). The capabilities (audit retention, SoD, permission export) are useful beyond Germany, but the specific regulatory framing targets BaFin-supervised entities.
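The two mechanisms the page describes, an append-only hash-chained audit log and SoD rules enforced in code (submitter cannot approve, developer cannot promote their own transport), as an added illustration rather than ITSMx's own code. The record layout, action names and role names are assumptions; a verifier recomputes the chain and reports the first entry that no longer matches.

```python
import hashlib
import json

# Constructed illustration, not ITSMx code: record layout, actions and
# role names are assumptions chosen for the example.

GENESIS = "0" * 64  # "previous hash" of the very first entry


def entry_hash(body):
    """Hash a record as canonical JSON so any verifier gets the same digest."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SoDViolation(Exception):
    pass


class AuditLog:
    def __init__(self):
        self.entries = []  # only ever appended to, never rewritten

    def sod_violation(self, actor, action, change_id, role):
        """Return why an action breaches SoD, or None if it is allowed."""
        for e in self.entries:
            if e["change"] != change_id or e["actor"] != actor:
                continue
            if action == "approve" and e["action"] == "submit":
                return f"{actor} submitted {change_id} and cannot approve it"
            if action == "promote_transport" and e["action"] == "develop":
                return f"{actor} developed {change_id} and cannot promote it"
        if action == "promote_transport" and role != "basis_admin":
            return f"role {role} may not promote transports"
        return None

    def append(self, actor, action, change_id, role):
        reason = self.sod_violation(actor, action, change_id, role)
        if reason:
            raise SoDViolation(reason)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "role": role,
                "action": action, "change": change_id, "prev": prev}
        self.entries.append({**body, "hash": entry_hash(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Recompute the chain; return index of first bad entry, -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != entry_hash(body):
                return i
            prev = e["hash"]
        return -1
```

Editing a stored entry breaks its own hash; rewriting that hash to cover the edit breaks the `prev` link of the entry after it, which is what makes the log tamper-evident rather than tamper-proof.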

Informational only — not legal advice. Consult qualified counsel for regulatory obligations specific to your organization.

See the Berechtigungskonzept export from a live tenant.

30 minutes. We'll walk through SoD constraints, audit retention, and the permission model.