TL;DR: MaRisk and DORA together push German financial institutions to prove that outsourced IT and cloud services remain governable through strong identity, access, and audit controls. According to Imprivata, MaRisk AT 9 (the outsourcing module) puts access rights, sub-outsourcing, and exit scenarios under particular scrutiny. The real issue is not documentation volume but whether governance can still constrain privileged access, trace accountability, and keep control as the outsourcing footprint grows.
NHIMG editorial — based on content published by Imprivata: MaRisk and DORA outsourcing governance with identity controls
Questions worth separating out
Q: What breaks when outsourced access is not tied to identity lifecycle management?
A: The control model breaks first, because the institution can no longer prove that each provider identity was created, reviewed, and revoked in step with the contract lifecycle.
Q: Why do MaRisk and DORA make privileged access a governance issue?
A: Because privileged access is where delegated responsibility becomes operational power.
Q: How should banks measure whether outsourcing controls are actually working?
A: They should measure the gap between the outsourcing relationships recorded in the register and the identities that are still able to act inside the environment, including those whose contract has lapsed or was never registered.
Practitioner guidance
- Reconcile outsourced services to live identities: inventory every privileged account, service account, API key, and certificate tied to outsourced functions, then map each one to a business owner and a termination path.
- Tie access reviews to outsourcing criticality: increase review frequency and evidence depth for critical and important functions, and require reviewers to confirm current access, not just contract status.
- Test exit and revocation before renewal: run exit exercises that remove provider access from production, validate revocation of delegated credentials, and confirm the service still meets recovery expectations.
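The reconciliation described in the question above and in the first two guidance points can be run as a join between two datasets: the outsourcing register and the identity inventory. The script below is an added example for this post, not code from Imprivata or from the article. The register rows, identity rows, field names, and review cadences are constructed assumptions standing in for an institution's own data; the point is the set of checks, which report identities tied to an unregistered or ended relationship, identities without an owner or a revocation route, and identities whose last review is older than their tier allows.

```python
"""Reconcile an outsourcing register against the live identity inventory.

Added example; not from Imprivata's article. Every row, field name and review
cadence below is a constructed assumption, not data from any institution.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed review cadence per criticality tier; policy sets the real values.
REVIEW_INTERVAL_DAYS = {"critical": 90, "important": 180, "other": 365}


@dataclass(frozen=True)
class Outsourcing:
    """One row of the outsourcing register (constructed schema)."""
    provider: str
    function: str
    criticality: str           # "critical" | "important" | "other"
    contract_end: date | None  # None means open-ended
    status: str                # "active" | "terminated"


@dataclass(frozen=True)
class Identity:
    """One identity from the IAM/PAM inventory, tagged with the provider it serves."""
    name: str
    kind: str                     # service_account | api_key | certificate | privileged_user
    provider: str | None
    owner: str | None             # accountable business owner, if recorded
    termination_path: str | None  # how the identity is revoked on exit, if recorded
    last_reviewed: date | None
    enabled: bool


@dataclass(frozen=True)
class Finding:
    code: str
    identity: str
    provider: str | None
    detail: str


def reconcile(register, inventory, today):
    """Return every gap between registered relationships and identities that can still act."""
    by_provider = {o.provider: o for o in register}
    findings = []
    for ident in inventory:
        if not ident.enabled:
            continue  # a disabled identity cannot act, so there is nothing to reconcile
        rel = by_provider.get(ident.provider) if ident.provider else None
        if rel is None:
            findings.append(Finding("unregistered_provider", ident.name, ident.provider,
                                    "live identity is not tied to any registered outsourcing"))
            continue
        contract_over = rel.status == "terminated" or (
            rel.contract_end is not None and rel.contract_end < today)
        if contract_over:
            findings.append(Finding("access_outlives_contract", ident.name, rel.provider,
                                    f"status={rel.status}, contract_end={rel.contract_end}"))
        if ident.owner is None:
            findings.append(Finding("no_owner", ident.name, rel.provider,
                                    "no accountable business owner recorded"))
        if ident.termination_path is None:
            findings.append(Finding("no_termination_path", ident.name, rel.provider,
                                    "no documented revocation route for exit"))
        interval = REVIEW_INTERVAL_DAYS.get(rel.criticality, 365)
        if ident.last_reviewed is None or (today - ident.last_reviewed).days > interval:
            findings.append(Finding("review_overdue", ident.name, rel.provider,
                                    f"tier={rel.criticality}, limit={interval} days, "
                                    f"last_reviewed={ident.last_reviewed}"))
    return findings


def summarize(findings):
    """Count findings per code, which is the figure a control owner reports on."""
    return dict(Counter(f.code for f in findings))


# Constructed sample data: three relationships, six identities.
TODAY = date(2025, 6, 30)
REGISTER = [
    Outsourcing("AcmeCloud", "core banking hosting", "critical", date(2026, 12, 31), "active"),
    Outsourcing("PayProc", "card processing", "important", date(2025, 3, 31), "active"),
    Outsourcing("OldVendor", "legacy archive", "other", None, "terminated"),
]
INVENTORY = [
    Identity("svc-acme-deploy", "service_account", "AcmeCloud", "Platform Ops",
             "offboarding runbook", date(2025, 5, 15), True),
    Identity("apikey-acme-monitoring", "api_key", "AcmeCloud", None,
             "offboarding runbook", date(2025, 1, 10), True),
    Identity("svc-payproc-batch", "service_account", "PayProc", "Payments",
             "offboarding runbook", date(2025, 4, 1), True),
    Identity("cert-oldvendor-sftp", "certificate", "OldVendor", "Archive", None, None, True),
    Identity("admin-contractor-x", "privileged_user", "UnknownCo", "IT",
             "offboarding runbook", date(2025, 6, 1), True),
    Identity("svc-oldvendor-retired", "service_account", "OldVendor", "Archive",
             "offboarding runbook", None, False),
]

if __name__ == "__main__":
    for f in reconcile(REGISTER, INVENTORY, TODAY):
        print(f"{f.code:<24} {f.identity:<24} {str(f.provider):<10} {f.detail}")
    print(summarize(reconcile(REGISTER, INVENTORY, TODAY)))
```

On the sample data the run flags seven gaps: the PayProc service account outlives a contract that ended in March, the OldVendor certificate survives a terminated relationship with no revocation route and no review on record, the AcmeCloud API key has no owner and is overdue for its 90-day critical-tier review, and the contractor admin is tied to a provider that never reached the register. Identities that are disabled, or owned, reviewed and contract-backed, produce nothing, which is what a clean reconciliation should look like before a renewal or exit exercise.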
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- BaFin and Bundesbank references for the MaRisk lifecycle and supervisory context
- Practical notes on AT 9 (outsourcing), AT 8.1 (new products and markets), and AT 8.2 (changes to operational processes and structures) as they relate to outsourcing and change control
- The article's treatment of DORA, including why identity controls sit inside the broader resilience regime
- Examples of audit-ready identity and access controls in regulated outsourcing programmes
👉 Read Imprivata's analysis of MaRisk, DORA, and identity controls in outsourcing →
MaRisk outsourcing governance: are your identity controls ready?