As of this week, BaFin Circular 09/2025 (VA) on the regulatory minimum requirements for the business organisation of insurance undertakings under Solvency II (MaGo for SII insurers) has come into force.
Table of Contents
Implementation Period Has Ended
Now that the implementation deadline has passed, BaFin expects that the affected primary and reinsurance companies, as well as the addressed holding undertakings – each in a proportional and principles-based manner – have adjusted their governance, structural and procedural organisation, and particularly their risk management, to meet the revised requirements. These adjustments must be documented and, above all, must now be reflected in day-to-day practice.
Although BaFin has stated that no fundamental changes were made, some elements have been consolidated (notably including FAQs), and certain governance-related topics have essentially been carved out. For example, requirements relating to the business organisation with respect to own funds have been shifted to the new Guidance Notice 2-2025 (VA) – as has previously been the case with the requirements on the “Prudent Person Principle” (PPP, Circular 05/2025 (VA)) or those relating to the “Own Risk and Solvency Assessment” (ORSA). These and other publications alongside MaGo remain in force and must still be observed.
Other changes are more nuanced but clearly indicate which fundamental aspects are gaining prominence in BaFin’s supervisory practice.
Focus on Documentation
For instance, BaFin is placing an increasing focus on sufficiently transparent documentation of structures, processes, and decision-making criteria within undertakings. This was also evident recently – across sectors – in DORA or anti-money laundering audits: deficiencies in documentation make it harder for auditors to trace relevant facts and result in findings in the audit report.
In the new MaGo, this is reflected, for example, in relation to the materiality principle in risk management. Already, the entire management board had to define all material risks based on appropriate and comprehensible criteria and establish company-specific materiality thresholds appropriate to the risk profile. Now, these thresholds and, in particular, the criteria used to determine them must be explicitly recorded in writing.
Overall Responsibility of the Management Board
Another key point for understanding BaFin’s perspective can also be seen in the context of materiality thresholds: While BaFin previously assumed that although the entire management board ensures the consistent application of materiality thresholds, this responsibility could be delegated to one or more board members, there is no longer any mention of such delegability in the revised MaGo.
Instead, BaFin emphasises the importance of overall responsibility, clarifying that the overall responsibility of the whole management board exists regardless of the allocation of responsibilities. Moreover – in contrast to the previous MaGo version – there is no longer any suggestion that deviating from this overall responsibility is possible. Consistently, the delegation of determining triggers for ad-hoc reviews of individual (written) policies has also been eliminated.
Further Changes
In addition to the above-mentioned principles-based aspects, content-related or operational topics have naturally found their way into MaGo. These include, for example:
- references to sustainability risks, which reflect the increased regulatory requirements over the years in the governance of insurance undertakings,
- comments regarding key functions; or
- detailed requirements for (insurance) groups aimed at improving group supervision.
Automated business processes, which are becoming increasingly important in times of AI and DORA, now have their own sub-section 9.5. Similarly, passive reinsurance and other risk mitigation techniques are addressed in a new subsection 11.2.2 within the risk management system.
Finally, BaFin, referring to Sec. 7 no. 2 VAG, has removed the term “typical of insurance” when referring to functions and activities subject to its oversight in the context of outsourcing. Now, the focus is solely on whether the insurance undertaking would otherwise perform the respective function or activity itself. With the cumulative assessment of whether a function or insurance activity falls under Sec. 32 VAG, BaFin is limiting the scope of its specific outsourcing oversight.
What Does This Mean for Insurers in Practice?
Overall, the new MaGo provide clarity in many areas that have been relevant for some time. The management and relevant departments of the addressed undertakings have dealt with many detailed adjustments and will need to continue doing so.
However, particularly relevant is the recurring emphasis in MaGo on documentation, clearly written rules of procedure, and the overall responsibility of the whole management board. This means that governance and risk management should increasingly be anchored throughout the undertaking – silos are not a viable long-term solution.
Insurers would be well advised to focus on the concrete implementation and documentation of organisational and procedural governance, including decision-making based on pre-defined criteria. Given the complexity and size of many corporate organisations, this also includes establishing a company-wide or group-wide understanding and transparency around these topics. This, in turn, facilitates communication with and between all relevant (group) entities and departments, which often is a prerequisite for identifying key issues and risks and refining the undertakings´s own risk profile.
Only an undertaking that knows relevant internal and external facts and risks can adress them appropriately.
