A faster supervisor for a faster threat
On 12 May 2026, alongside its Annual Report 2025, Germany's Federal Financial Supervisory Authority (BaFin) used its annual press conference to announce a sharpened approach to information-technology and cyber supervision. President Mark Branson told reporters the regulator has expanded its Directorate for Cyber Risks and Technology to seven divisions and stood up a new unit dedicated to "IT spotlight" inspections — short, targeted reviews that, in his words, "take far less time than fully-fledged reviews," letting BaFin "complete more of them and thus respond more effectively to current developments and incidents."
The trigger is artificial intelligence. Branson warned that "these new AI models can identify many vulnerabilities in both new and existing IT systems with remarkable speed" and "will be able to exploit the vulnerabilities they find ever more rapidly." The practical consequence, he said, is that patch-management cycles once "measured in months" will have to be "completed within a few days, if not hours." That, he conceded, will be "very challenging, especially for small and medium-sized enterprises." The firms in scope are the ones BaFin supervises directly: banks, payment institutions, e-money issuers and the fintech platforms layered on top of them.
The case for moving now is strong
It is worth stating the regulator's case at full strength. If offensive AI tooling compresses the window between a vulnerability becoming known and being weaponised, then a supervisory model built on multi-year, comprehensive on-site reviews is structurally too slow. A bank examined exhaustively in 2024 may carry a clean bill of health into a 2026 threat environment that no longer resembles the one it was tested against. BaFin's own inspections, Branson noted, keep surfacing the same weakness — "particularly with patch management." Against that backdrop, more frequent, lighter-touch checks are a genuinely sensible design choice, and arguably more honest about how fast the ground is shifting than a thicker rulebook would be.
This is also, refreshingly, supervision rather than legislation. BaFin is not proposing a new statute or a fresh layer of prescriptive requirements. It is reallocating its own resources to look more often at the thing that actually matters — whether firms patch fast and run resilient systems. For a sector that already absorbed the EU's Digital Operational Resilience Act (DORA), which has applied since 17 January 2025 across some 20 categories of financial entity and their ICT providers, an enforcement-and-inspection response is far preferable to yet another compliance regime bolted on top.
Where proportionality has to hold the line
The risk is not the inspections themselves but how they are calibrated. Branson is right that hours-not-months patching is brutal for smaller firms, and that admission cuts both ways. A spotlight inspection that judges a three-person payments startup by the same patch-velocity standard as Deutsche Bank would not be agile supervision; it would be a barrier to entry dressed up as cyber hygiene. The whole point of a risk-based framework — the principle DORA itself enshrines — is that obligations scale with an entity's size, complexity and systemic footprint.
Faster inspections are only proportionate if their findings are proportionate. Speed at the front door must not become uniformity at the back end.
There is a real innovation cost if it goes wrong. Germany's fintech sector competes for capital and talent against London, Amsterdam and Dublin, and founders already cite regulatory drag as a reason to incorporate elsewhere. If "IT spotlight" inspections become unpredictable, document-heavy fishing expeditions, the marginal European payments firm relocates — and Germany loses the innovation while keeping none of the safety, because the systemic banks were never the fragile part of the chain.
Don't make firms pay for DORA twice
The clearest pitfall is duplication. DORA already imposes ICT risk-management, major-incident reporting, resilience testing and third-party oversight obligations on the same firms BaFin will now inspect more often. A spotlight regime that demands fresh evidence in formats that don't map onto DORA artefacts would impose a second, parallel compliance burden for no marginal security gain. The disciplined version of this initiative reuses what firms already produce under DORA and targets the genuine gap — execution speed — rather than re-auditing documentation.
Branson framed cybersecurity spending as "an urgent and essential investment that the financial industry could afford to make," and on the merits he is correct: a breach at a payment processor is a consumer-protection failure, not merely a corporate one. The defensible reading of BaFin's move is that it pushes that investment toward operational reality — can you actually patch in time? — rather than toward paperwork.
The test ahead
The honest truth is that AI cuts both ways. The same models that accelerate attackers can accelerate defenders: automated patch triage, continuous vulnerability scanning and anomaly detection are exactly how a small fintech might plausibly hit hours-not-months without a hundred-person security team. A supervisor that recognises this — that rewards firms for deploying defensive automation rather than penalising them for lacking legacy controls — will get both safety and dynamism. One that treats every spotlight as a compliance interrogation will get neither.
BaFin has chosen the right instrument: agile, targeted, resource-reallocating supervision over another prescriptive layer. Whether it stays the right instrument depends on a discipline regulators rarely advertise at press conferences — the discipline to inspect more without demanding more, and to let the smallest, most innovative firms meet the standard their own way.