Germany's Federal Financial Supervisory Authority (BaFin) published a new circular setting out its binding interpretation of governance and business organisation requirements for Solvency II insurance undertakings under the German Insurance Supervision Act and Commission Delegated Regulation (EU) 2015/35, with the aim of ensuring consistent supervisory application across firms and groups. The circular applies broadly to direct and reinsurance undertakings in scope of Solvency II, and also operates at group level where group supervision applies, including certain insurance holding and mixed financial holding companies. It incorporates the EIOPA guidelines on the governance system as a baseline and positions the guidance alongside other BaFin publications (including on the prudent person principle, sustainability risks, and cloud outsourcing), while noting the role of the Digital Operational Resilience Act and the EU AI Act for ICT and AI risks. Substantively, it sets expectations on proportional, risk-based implementation; collective management body responsibility; materiality thresholds across core risk categories (with potential separate thresholds for concentration and sustainability risks); risk culture and segregation of duties; the four-eyes principle and decision documentation; written policies and periodic governance reviews; governance of automated business processes; requirements and reporting lines for key functions (internal audit, compliance, independent risk control and actuarial); risk management (including firm-specific stress testing, with climate/sustainability stress testing where such risks are material); internal controls; and outsourcing governance including pre-outsourcing risk analysis, management body approvals for outsourcing of important functions or activities, and the role of an outsourcing officer. The circular enters into force on 14 October 2025 and simultaneously repeals BaFin Circular 02/2017 (VA).

Original source View in tracker