19 May 2026 | 10 min

AI Risk Becomes a Supervisory Topic: What the BaFin Warning Means for DORA, BCM and Vendor Risk

In mid-May, BaFin made it clear that cyber risks for financial institutions continue to increase. One point is particularly relevant: attackers are using artificial intelligence more often to identify vulnerabilities faster, prepare attacks more effectively and target IT systems with greater precision.

For banks, insurers and other regulated companies, this is more than a technical warning. If AI makes attacks faster and more scalable, the requirements for risk management, business continuity, third-party oversight and evidence documentation also increase. In short: AI risk is becoming a supervisory topic.

This does not only affect companies that use AI themselves. It also affects companies whose IT, suppliers, cloud services or software products may become more vulnerable to AI-driven attacks. This is exactly where DORA, BCM and vendor risk management come into play.

AI is changing the cyber threat landscape. Attackers can identify vulnerabilities faster, create more realistic phishing messages and automate attacks more effectively. This increases the pressure on companies to detect and close security gaps more quickly.

For financial institutions, this is especially relevant because DORA makes digital operational resilience a binding requirement. Companies need to manage and document risks, ICT systems, service providers, incidents and recovery processes more effectively.

Business continuity management and vendor risk management are also becoming more important. An AI-driven cyberattack rarely affects only one system. It can impact service providers, critical processes, data, customer communication and ongoing operations at the same time.

Why AI increases cyber risks

Cyberattacks are not new. What is new is the speed and quality with which attackers can use AI.

In the past, many steps had to be performed manually: analysing systems, searching for vulnerabilities, preparing attacks, writing phishing messages or adapting technical attack patterns. With AI, many of these steps can be accelerated or partly automated.

This does not mean that every attack will automatically be successful. But it does mean that companies must expect more attempts, better prepared attacks and shorter response windows.

Typical risks include:

  • faster identification of vulnerabilities in IT systems
  • more realistic phishing and social engineering attacks
  • automated analysis of publicly available information
  • more targeted attacks on employees, service providers or executives
  • faster adaptation of attack methods
  • higher pressure on security, IT and incident teams

For GRC teams, the key point is this: AI-driven cyberattacks are not just an IT security issue. They affect governance, risk, compliance, suppliers, emergency planning and management reporting.

What this has to do with DORA

DORA requires financial institutions to manage their digital operational resilience systematically. At its core, DORA is about ensuring that companies remain operational even during IT disruptions, cyberattacks or problems with external service providers.

AI-driven attacks increase pressure in exactly this area.

Companies need to know which ICT systems are critical, which risks exist, which controls are in place, which service providers are involved and which measures are triggered in the event of an incident. At the same time, they need to prove that this information is up to date and manageable.

DORA is therefore not only about technical security. It requires a reliable management system for digital risks.

In practice, this means:

  • ICT risks must be assessed regularly
  • critical systems and processes must be known
  • security measures must be documented and reviewed
  • incidents must be detected, assessed and reported
  • service providers must be managed according to risk and criticality
  • recovery and emergency processes must work in practice

If AI makes attacks faster, the quality of these processes becomes more important. Companies cannot afford to start searching for information only once an incident has already happened.

Why BCM is becoming more important

Business continuity management often only becomes visible when something fails. That is exactly the problem.

An AI-driven cyberattack may not only affect individual IT systems. It can also disrupt critical business processes, customer communication, data access or external service providers.

In that situation, having an emergency plan in a folder is not enough. Companies need to know:

  • Which processes are truly critical?
  • Which systems support these processes?
  • Which service providers are involved?
  • What alternatives exist if a system or provider fails?
  • Who makes decisions during a crisis?
  • How quickly do systems need to be restored?
  • What internal and external communication is required?

BCM therefore needs to be more closely connected with cyber risk, incident management and vendor risk management. Only then can companies gain a realistic view of their actual resilience.

Why vendor risk management is critical

Many companies no longer operate their most important systems entirely by themselves. They rely on cloud providers, software solutions, outsourcing partners, managed services and specialised IT providers.

This is normal and often efficient. But it changes the risk profile.

If a critical service provider is attacked, the company itself may still be affected. If a software provider has a vulnerability, it can create risk for many customers. If a cloud service fails, core business processes may come to a halt.

AI-driven attacks make this problem more serious because attackers can analyse supply chains more precisely and identify weak points faster.

That is why a simple supplier list is no longer enough. Companies need structured vendor risk management. They need to know which providers are critical, what services they deliver, which data is affected, which security requirements apply and which evidence is available.

Particularly important are:

  • criticality assessments of service providers
  • documentation of ICT dependencies
  • security requirements in contracts
  • regular supplier assessments
  • evidence of controls and certifications
  • exit strategies for critical providers
  • connection with BCM and incident management

Vendor risk is therefore not just a procurement topic. It is a central part of cyber resilience.

The real problem: information is often scattered

Many companies already have much of the information they need. It is simply not available where it is needed in an emergency.

Risks are documented in spreadsheets. Supplier information sits with procurement. Emergency plans are maintained separately. Incidents are handled in a ticketing system. Controls are documented in audit files. Evidence is stored in folders. Management reports are created manually.

As long as nothing happens, this may seem manageable. During a cyber incident, it becomes a problem.

At that point, companies need to know quickly which systems are affected, which processes are critical, which service providers are involved, which reporting obligations apply and which measures have already been planned or implemented.

If this information is scattered, companies lose time. And in a cyberattack, time is one of the most important factors.
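The BCM questions listed above (which processes are critical, which systems support them, which providers are involved, what alternatives exist, how quickly systems must be restored) and the vendor risk points (criticality assessments, documented ICT dependencies, exit strategies) are answered quickly only if the data sits in one linked model. The following is an added example, not code from the article or from Zazoon, of such a minimal model in Python: processes, systems and providers are stored together, and one query answers what a provider outage means for critical processes. All provider names, system names, RTOs and dependencies are constructed sample data.

```python
"""Added example (not from the original article or Zazoon): a minimal linked GRC
model of processes, ICT systems and external providers, plus the two queries a
BCM or vendor-risk owner needs in an incident. All data below is constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Provider:
    name: str
    critical: bool          # outcome of the provider criticality assessment
    exit_strategy: bool     # a documented exit / fallback strategy exists


@dataclass
class System:
    name: str
    providers: list         # provider names this system depends on
    fallback: Optional[str] = None   # alternative system, if one exists


@dataclass
class Process:
    name: str
    critical: bool
    rto_hours: int          # recovery time objective from the BCM plan
    systems: list           # systems that support this process


# Constructed sample inventory (hypothetical names, not real providers).
PROVIDERS = {
    "CloudCo":      Provider("CloudCo", critical=True, exit_strategy=False),
    "PayHub":       Provider("PayHub", critical=True, exit_strategy=True),
    "MailSaaS":     Provider("MailSaaS", critical=False, exit_strategy=True),
    "IdentitySaaS": Provider("IdentitySaaS", critical=False, exit_strategy=True),
}
SYSTEMS = {
    "core-banking": System("core-banking", ["CloudCo", "IdentitySaaS"]),
    "payments":     System("payments", ["PayHub", "CloudCo"], fallback="payments-dr"),
    "payments-dr":  System("payments-dr", ["PayHub"]),
    "email":        System("email", ["MailSaaS"]),
}
PROCESSES = [
    Process("Customer payments", critical=True, rto_hours=4, systems=["payments"]),
    Process("Account management", critical=True, rto_hours=8, systems=["core-banking"]),
    Process("Marketing mailings", critical=False, rto_hours=72, systems=["email"]),
]


def systems_depending_on(provider: str) -> set:
    """Every system that stops working if this provider is unavailable."""
    return {s.name for s in SYSTEMS.values() if provider in s.providers}


def provider_outage_impact(provider: str) -> dict:
    """Answer the BCM questions for one provider failure: which processes are hit,
    whether a fallback survives the same outage, and the tightest RTO that applies."""
    down = systems_depending_on(provider)
    affected = []
    for p in PROCESSES:
        hit = [s for s in p.systems if s in down]
        if not hit:
            continue
        # A fallback only counts if it does not itself depend on the failed provider.
        alternatives = [SYSTEMS[s].fallback for s in hit
                        if SYSTEMS[s].fallback and SYSTEMS[s].fallback not in down]
        affected.append({"process": p.name, "critical": p.critical,
                         "rto_hours": p.rto_hours, "systems": hit,
                         "alternative_available": bool(alternatives)})
    critical_hits = [a for a in affected if a["critical"]]
    return {
        "provider": provider,
        "systems_down": sorted(down),
        "affected_processes": affected,
        "tightest_rto_hours": min((a["rto_hours"] for a in critical_hits), default=None),
        "exit_strategy_documented": PROVIDERS[provider].exit_strategy,
    }


def vendor_gaps() -> list:
    """Providers behind a critical process that are not rated critical or have no
    exit strategy: the findings an auditor or supervisor would ask about first."""
    findings = []
    for prov in PROVIDERS.values():
        backs_critical = any(
            p.critical and any(prov.name in SYSTEMS[s].providers for s in p.systems)
            for p in PROCESSES)
        if backs_critical and not prov.critical:
            findings.append(f"{prov.name}: supports a critical process but is not rated critical")
        if backs_critical and not prov.exit_strategy:
            findings.append(f"{prov.name}: critical dependency without documented exit strategy")
    return findings


if __name__ == "__main__":
    for name in PROVIDERS:
        print(provider_outage_impact(name))
    print(vendor_gaps())
```

The point of the model is the second check in `provider_outage_impact`: a fallback system that relies on the same provider as the primary is not an alternative, which a spreadsheet of systems kept apart from the supplier list will not reveal. `vendor_gaps` turns the same data into the evidence questions from the article (criticality rating, exit strategy) without a second manual review.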

What companies should do now

Companies do not need to launch a massive new programme immediately. But they should review their existing processes in a targeted way.

The first step is transparency. Which critical systems, processes and service providers exist? Which risks are known? Which measures are already in progress? Where is evidence missing?

The second step is connection. Risks, controls, suppliers, incidents and BCM plans should not be managed in isolation. They need to be linked.

The third step is auditability. Supervisors, auditors and management need clear answers. Not at some point in the future, but quickly and reliably.

For many companies, these questions are especially important:

  • Are AI-related cyber risks included in risk management?
  • Are critical ICT systems and service providers fully documented?
  • Are BCM plans connected to real system and supplier dependencies?
  • Are there clear processes for cyber incidents and reporting obligations?
  • Can controls, measures and evidence be found quickly?
  • Is there up-to-date reporting for management and supervisors?

These questions are simple. But they quickly show whether a company is truly in control.

The role of Zazoon GRC

Zazoon GRC helps companies manage cyber risks, DORA requirements, BCM, vendor risk and evidence centrally.

Instead of maintaining risks, controls, service providers, incidents and measures in different tools, companies can connect this information in one shared GRC structure. This creates a clearer picture: Which risks affect which systems? Which providers are critical? Which measures are still open? Which evidence is available? Which requirements are being fulfilled?

This transparency is especially important for AI-driven cyber risks. The faster the threat landscape changes, the more important up-to-date data, clear responsibilities and traceable processes become.

Zazoon helps companies view compliance not as an isolated obligation, but as a foundation for better resilience and better decision-making.

Conclusion: AI makes cyber risk faster, GRC needs to become more structured

The BaFin warning makes one thing clear: AI is changing the cyber threat landscape. Attacks can become faster, more targeted and more scalable. For regulated companies, this increases pressure on DORA, BCM, vendor risk and incident management.

The answer is not more manual documentation. The answer is better structure.

Companies need to know which risks exist, which systems are critical, which service providers are involved, which measures are effective and which evidence is available. This is the core of modern GRC processes.

AI risk is therefore no longer a future topic. It is a current supervisory topic and a clear reason to connect digital resilience, third-party oversight and business continuity more closely.

FAQ

What does AI risk mean in cybersecurity?

AI risk describes risks that arise from or are amplified by the use of artificial intelligence. In cybersecurity, this mainly means that attackers can use AI to identify vulnerabilities faster, create more realistic phishing attacks or automate attack processes more effectively.

Why is the BaFin warning important for companies?

BaFin makes it clear that AI-driven cyberattacks are not only a technical problem. They can threaten the stability of companies, the availability of services and digital resilience. For regulated companies, this increases the pressure to manage and document cyber risks more effectively.

What does AI risk have to do with DORA?

DORA requires financial institutions to manage digital risks in a structured way. If AI makes cyberattacks faster and more complex, companies need better control over their ICT risks, controls, incidents, service providers and recovery processes.

Why is BCM important for AI-driven cyberattacks?

Business continuity management ensures that critical business processes can continue or be restored quickly during disruptions. In an AI-driven cyberattack, one incident can affect several systems, providers and processes at the same time. That is why BCM must be closely connected with cyber risk and incident management.

What role does vendor risk management play?

Many cyber risks do not arise only inside the company. They can also come from service providers, cloud providers or software suppliers. Vendor risk management helps companies identify critical providers, assess risks and document security requirements in a traceable way.

Do companies now need separate AI risk programmes?

Not necessarily. The first step should be to integrate AI-related cyber risks into existing GRC, DORA, BCM and vendor risk processes. What matters most is that risks, controls, measures and evidence can be managed centrally.

Is a technical security solution enough?

No. Technical security solutions are important, but they are not enough on their own. Companies also need clear responsibilities, documented processes, supplier oversight, emergency plans, incident management and reliable evidence.

How does Zazoon GRC support AI risk management?

Zazoon GRC helps companies manage risks, controls, measures, suppliers, incidents and evidence centrally and connect them with each other. This makes it easier to understand where risks arise, which measures are effective and which regulatory requirements are being fulfilled.