With the publication of the Annual Report 2025 during the annual press conference on 12 May 2026, the German Federal Financial Supervisory Authority (BaFin) presents itself increasingly as a strategic crisis manager, digital supervisor and consumer protector. The report makes clear that regulatory challenges now extend far beyond traditional banking supervision: cyber risks, geopolitical tensions, artificial intelligence, sustainability regulation and new market participants are increasingly shaping supervisory practice.
BaFin confidently formulates its supervisory vision: the goal is to create a “stable and fair financial system that people in Germany can trust”.
Focus on Financial System Stability
A key topic of the annual report is the resilience of the financial system in a geopolitically and economically volatile environment. BaFin emphasises that high interest rates, weak economic growth and geopolitical risks continue to place considerable pressure on banks, insurers and capital markets. In particular, the authority is observing heightened risks in commercial real estate financing as well as potential valuation risks.
From a legal perspective, the increasing use of macroprudential instruments is particularly noteworthy. BaFin increasingly understands supervision as the preventive stabilisation of the financial system as a whole. For supervised entities, this means more intensive scrutiny of governance structures, risk management and capital planning.
Digitalisation and Cyber Resilience as a Permanent Topic
Cyber risks are classified as a systemic threat. The implementation of the European DORA Regulation (Digital Operational Resilience Act) will therefore become a major focus in the coming years. Institutions must organise their IT governance, outsourcing structures and emergency processes in a significantly more professional manner.
BaFin explicitly announces a more data-driven and technologically advanced supervisory approach. Audits are intended to become faster, more digital and increasingly risk-oriented. At the same time, this raises the requirements for documentation and internal control systems.
In practice, this means that compliance is becoming increasingly technology-driven. Legal advice in the financial sector will need to be more closely aligned with IT compliance, data protection, information security law and outsourcing management.
Anti-Money Laundering Remains a Priority
The annual report makes clear that the risks of money laundering and terrorist financing in the German financial sector continue to be assessed as high. BaFin identifies geopolitical tensions, the increasing fragmentation of international payment systems and the strong growth of the crypto market as key drivers.
Particular attention is being paid to so-called circumvention transactions. These refer to transactions or business models designed to deliberately conceal or circumvent regulatory requirements — for example by disguising beneficial ownership or the actual country nexus of transactions. With regard to the Iran sanctions reintroduced in September 2025, BaFin expressly warned of increased risks associated with such structures. Institutions maintaining business relationships with high-risk jurisdictions are therefore under especially close supervisory scrutiny.
It is also noteworthy that BaFin believes many obliged entities are now comparatively well prepared for traditional anti-money laundering requirements, whereas combating terrorist financing often still does not receive the same level of attention.
Sustainability and ESG Regulation Remain in Focus
Although ESG topics are politically controversial in some areas, BaFin continues to regard sustainability risks as an integral part of financial supervision. The focus lies particularly on greenwashing risks and the proper disclosure of sustainability-related information.
The authority expects institutions to establish comprehensible ESG risk management processes and reliable data foundations. For legal departments and compliance officers, the interaction between SFDR, Taxonomy and CSRD requirements is becoming increasingly complex.
Remarkably, BaFin is increasingly treating sustainability not merely as a disclosure issue, but as a governance issue. Missing ESG strategies may therefore indirectly trigger supervisory concerns relating to organisational adequacy and management reliability.
Stronger Consumer Protection Supervision
The report also demonstrates a significantly more active role for BaFin in collective consumer protection. In 2025, the authority published several investigations concerning high-risk investment products and distribution practices. Leveraged products and certificates marketed to retail investors received particular attention.
The supervisory message is clear: providers and distributors must define target markets more precisely and communicate risks more transparently. This considerably increases liability and enforcement risks for institutions in the area of product governance.
Of particular relevance is the interaction between MiFID II requirements and supervisory organisational obligations. Incorrect target market definitions or insufficient risk disclosures are increasingly being sanctioned not only under distribution law but also within supervisory proceedings.
Less Complexity, More Proportionality
Alongside more intensive supervision, BaFin is also pursuing the goal of making regulation more practical and risk-oriented. This is intended to take place at both national and European level.
One example is the 9th MaRisk amendment. Furthermore, BaFin and the Deutsche Bundesbank developed a concept for an EU-wide small banking regime. The objective is to reduce the regulatory burden on smaller and non-complex institutions with traditional business models.
Supervisory practice itself is also intended to become more proportional — for example regarding the frequency and intensity of special audits.
At the same time, the annual report points towards a fundamental shift in supervisory methodology: away from a primarily formalistic “checklist supervision” towards a more data-driven, risk-oriented and impact-focused supervisory approach. While this may lead to somewhat more flexible regulatory requirements, institutions will face significantly higher expectations regarding the actual effectiveness of their governance, risk and control systems.
Greater Personal Responsibility for Management Bodies
Another focus concerns management responsibility. In the annual report, BaFin repeatedly emphasises the importance of effective governance structures and responsible corporate management. Senior executives are expected to identify and actively manage risks at an early stage.
At the same time, the authority is tightening its requirements regarding the qualification, reliability and expertise of management bodies (“fit and proper” requirements). In regulated institutions, this increases the personal liability risks for board members and managing directors.
This development reflects a broader trend within European financial supervision: responsibility is becoming increasingly individualised. Compliance breaches are no longer intended to be addressed solely at institutional level, but increasingly also at the personal level.
Europeanisation of Supervision Continues
The report once again illustrates the extent to which national financial supervision is embedded within the European framework. Whether bank resolution, anti-money laundering, DORA or ESG disclosure — key regulatory impulses increasingly originate at EU level.
BaFin increasingly sees itself as part of a European supervisory network. For supervised entities, this means greater harmonisation, but also increasing regulatory dynamics. National particularities are gradually fading into the background.
Conclusion: Financial Supervision Is Becoming More European, Digital and Interventionist
The BaFin Annual Report 2025 demonstrates that financial supervision is undergoing a structural transformation. BaFin places emphasis on forward-looking, risk-oriented and technology-supported supervision addressing financial stability, market integrity and consumer protection alike.
The stronger risk-oriented approach in the technology sector is generally to be welcomed. Innovation develops rapidly in this area — often faster than regulation and market participants can adapt. Considerably more critical, however, is the increasing emphasis on consumer protection. Traditionally, this area has not formed part of BaFin’s core mandate and responsibilities, as BaFin is not a classic consumer protection authority. If the authority expands its role in this direction, questions inevitably arise regarding the legal basis and institutional legitimacy of such an approach.
For supervised entities, this development results in significantly increased requirements regarding governance, data quality, IT structures and internal control mechanisms, which also reflects current regulatory developments through BRUBEG and the 9th MaRisk amendment.
At the same time, European harmonisation continues to increase, embedding national supervisory practice ever more deeply within a coordinated EU-wide regulatory and supervisory framework. From a German perspective, further harmonisation of supervision within the EU — a true “level playing field” — is to be welcomed if Germany no longer wishes to be regarded as the jurisdiction with particularly strict financial supervision that discourages financial companies and investment.
Supervisory law is therefore increasingly developing into a dynamic steering instrument extending far beyond mere compliance with formal requirements.
