Jun 8, 2026

AI Risks: BaFin and DORA on the secure use of LLMs

Why Confidential Computing is a technical response to the core ICT risk of cloud-based AI.


Ömer Tekin

Senior Enterprise Account Executive

Summary: BaFin's guidance on ICT risks in the use of AI (December 2025) classifies data leakage to external model providers as a material risk and, in Chapter 5.2, calls for encryption of data during processing or, where that is not possible, processing in a separate and protected environment, a requirement that goes beyond organizational filters and access controls. Confidential computing meets the primary requirement by protecting data in use with hardware-enforced encryption, without the institution having to build and maintain its own filter infrastructure. Privatemode AI implements this principle for GenAI inference.


In December 2025, BaFin published its guidance on ICT risks in the use of AI at financial institutions. The document is not a binding interpretation of DORA, but it identifies risks that are relevant when using AI systems under DORA and provides concrete guidance on how financial institutions can address them. Notably, the document describes, in Chapter 5.2, two protection levels for data in processing: encryption of data during processing and, where that is not possible, at least a separate and protected processing environment. With this, BaFin names a technical requirement that goes beyond organizational controls. 

What BaFin classifies as a material ICT risk in the use of AI

The guidance distinguishes three infrastructure variants for operating an LLM-based AI assistant:  

  1. operation in the institution's own data center,  
  2. operation in the institution's own cloud tenant, and  
  3. operation outside the institution's own tenant.  

The third variant is the one most commonly encountered in practice today. A financial institution uses a large language model via an API operated by an external provider. The model runs on the external provider's infrastructure, not on the institution's. 

For this variant, BaFin formulates the material risk that data leaves the institution's own tenant and flows to the model provider. As countermeasures, the guidance recommends, among other things, filters that check whether input data is confidential, restrictions on data uploads for certain user groups, and granting the AI application reduced data access rights. However, the financial institution has to develop, provide, and maintain these controls itself. For institutions with a cloud-first strategy, this means introducing and permanently maintaining a dedicated filter infrastructure for a single AI use case. It has to be updated with every change, for example when a new user group is added or the sensitivity of the processed data changes. 

These are organizational controls. They reduce the likelihood that particularly sensitive data reaches the model, but they are not designed to technically prevent the provider from reading what it receives: the provider still has full access to everything sent to its model. As the sole protective measure, filters are often insufficient. The context of a request frequently remains discernible even after filtering, and not every piece of confidential information can simply be redacted.

Moreover, the guidance does not limit this risk to the model provider. In Chapter 5.2 (cloud specifics), it states as part of due diligence that, when using cloud services, a financial institution should also consider "the risks of an unauthorized data leakage — including to the cloud provider." The material risk of variant 3 is therefore twofold: data leaves the institution's own tenant not only toward the service provider but is also exposed in the infrastructure of the cloud provider on which the inference runs. 

What DORA Art. 9 and BaFin guidance Ch. 5.2 require at this point

Chapter 5.2 of the guidance formulates a requirement that goes beyond filters and policies. In essence, it states that data processed by AI systems is to be encrypted in line with its data classification and the ICT risk assessment, and that this applies to data at rest, in transit, and in processing (DORA Art. 9(2), further specified by Art. 6 and 7 of Delegated Regulation (EU) 2024/1774, the regulatory technical standard on ICT risk management). Where encryption during processing is not possible, other measures are required at a minimum, in particular processing in a separate and protected environment.

This is the decisive sentence. It describes neither filter solutions nor data access concepts, but a processing environment that is structurally protected against unauthorized access. Together with the due diligence note from Chapter 5.2, it covers both sources of risk in variant 3: the leakage of sensitive data to the model provider and to the cloud provider. This is exactly what confidential computing delivers. 

How Privatemode AI solves this problem

Privatemode AI is a GenAI inference service in which prompts and responses are processed in a hardware-isolated environment. Neither the underlying EU cloud provider nor Edgeless Systems as the operator of the service can access the content of requests or responses. This is not a contractual assurance but a property of the architecture: the isolation is enforced by the processor hardware, not by an operator policy.

This has two practical consequences. First, there is no need to build a dedicated filter infrastructure: data security is not an additional layer placed in front of the service but part of the inference environment itself. Second, the protection claim is verifiable independently of the provider. Through remote attestation, every customer can check, before sending a prompt, that the code running in the environment is the published, reproducibly built release, without having to trust Edgeless Systems. What remains to be trusted is the hardware vendor's attestation keys and the source code that was reviewed.

Privatemode AI is built on Contrast, Edgeless Systems' open-source framework for confidential computing in Kubernetes, whose source code is fully public and reproducibly built. Existing AI integrations can be migrated to Privatemode AI with minimal adjustments. All that is required is to select a different API endpoint.
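To make the verification step from the two preceding paragraphs concrete, here is an added example in Go (the language Contrast itself is written in) of an attestation-gated client. It is illustrative code written for this article, not Privatemode's or Contrast's own verifier, and it simplifies heavily: the report structure, the ed25519 vendor key, the nonce field and the ExpectedMeasurementFromBuild derivation are assumptions standing in for a real hardware quote format and vendor certificate chain, and the artefact bytes are constructed. What it shows is the order of operations that matters in practice: the reference measurement comes from the customer's own reproducible build, the report is checked for a valid signature, a fresh nonce and a matching measurement, and the prompt leaves the client only if all three checks pass.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AttestationReport is a hypothetical, heavily simplified stand-in for a
// hardware attestation report. A real SEV-SNP or TDX quote carries many more
// fields and is signed through a vendor certificate chain.
type AttestationReport struct {
	Measurement []byte // launch measurement of the confidential workload
	Nonce       []byte // verifier-chosen freshness value (cf. report_data)
	Signature   []byte // ed25519 signature over SHA-256(Measurement || Nonce)
}

// Policy is what the customer expects, derived without input from the operator.
type Policy struct {
	ExpectedMeasurement []byte
	VendorKey           ed25519.PublicKey // assumed vendor/platform signing key
}

// reportDigest binds measurement and nonce into the value that gets signed.
func reportDigest(measurement, nonce []byte) []byte {
	h := sha256.New()
	h.Write(measurement)
	h.Write(nonce)
	return h.Sum(nil)
}

// ExpectedMeasurementFromBuild models deriving the reference value from a
// reproducible build: the verifier hashes artefacts it built itself from the
// public source instead of accepting a number the operator sends along.
func ExpectedMeasurementFromBuild(artifacts ...[]byte) []byte {
	h := sha256.New()
	for _, a := range artifacts {
		h.Write(a)
	}
	return h.Sum(nil)
}

// IssueReport plays the role of the hardware. It exists only so the example
// runs offline; in deployment the signing key never leaves the platform.
func IssueReport(vendorPriv ed25519.PrivateKey, measurement, nonce []byte) AttestationReport {
	return AttestationReport{
		Measurement: measurement,
		Nonce:       nonce,
		Signature:   ed25519.Sign(vendorPriv, reportDigest(measurement, nonce)),
	}
}

// VerifyReport accepts a report only if (1) the signature verifies under the
// vendor key, (2) the nonce is the one this verifier issued for this session,
// and (3) the measurement equals the reference from the reproducible build.
func VerifyReport(p Policy, r AttestationReport, expectedNonce []byte) error {
	if !ed25519.Verify(p.VendorKey, reportDigest(r.Measurement, r.Nonce), r.Signature) {
		return errors.New("attestation: signature does not verify under vendor key")
	}
	if !bytes.Equal(r.Nonce, expectedNonce) {
		return errors.New("attestation: nonce mismatch (stale or replayed report)")
	}
	if !bytes.Equal(r.Measurement, p.ExpectedMeasurement) {
		return fmt.Errorf("attestation: measurement %s != expected %s",
			hex.EncodeToString(r.Measurement), hex.EncodeToString(p.ExpectedMeasurement))
	}
	return nil
}

// SendPrompt is the gate: the prompt leaves the client only after the
// environment has been verified. The network call is omitted; a real client
// would bind its channel to a key carried in the report before POSTing to the
// inference endpoint. Returns whether the prompt was released.
func SendPrompt(p Policy, r AttestationReport, nonce []byte, prompt string) (bool, error) {
	if err := VerifyReport(p, r, nonce); err != nil {
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed demo inputs: an ephemeral "vendor" key and fake artefacts.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	build := func(image string) []byte {
		return ExpectedMeasurementFromBuild([]byte("kernel"), []byte("initrd"), []byte(image))
	}
	policy := Policy{ExpectedMeasurement: build("inference-image"), VendorKey: pub}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}

	good := IssueReport(priv, policy.ExpectedMeasurement, nonce)
	sent, err := SendPrompt(policy, good, nonce, "customer record ...")
	fmt.Println("genuine environment: sent =", sent, "err =", err)

	// A modified workload yields a different measurement and is refused.
	tampered := IssueReport(priv, build("modified-image"), nonce)
	sent, err = SendPrompt(policy, tampered, nonce, "customer record ...")
	fmt.Println("modified environment: sent =", sent, "err =", err)
}
```

The point of the design is where the reference value comes from: if the client took the expected measurement from the operator's API response instead of from its own build, the comparison would prove nothing, because whoever controls the environment would also control the reference.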

What this means for DORA compliance at financial institutions

BaFin's guidance describes variant 3, the use of external SaaS services, as the high-risk option and recommends primarily organizational compensating measures. Building on confidential computing, Privatemode goes beyond this by technically ensuring that neither the provider nor third parties can access the processed data. Because the data is encrypted while in use, this corresponds to the first of the two protection levels from Chapter 5.2, encryption during processing, and at the same time provides the separate and protected processing environment that the guidance names as the fallback. The protection of sensitive data therefore no longer rests with the individual users.

This also has practical consequences for evidence obligations under DORA. Audit and control rights extending into the chain of subcontractors, which Chapter 4.2 requires in the context of DORA Art. 30, can be backed by technical evidence: remote attestation shows which code is running in the processing environment, and reproducible builds tie that measurement to the public source. The integrity of the environment can then be demonstrated to BaFin with cryptographic proof rather than with the provider's assurances alone; the contractual audit rights themselves remain in place.

Privatemode AI does not replace the entire compliance effort surrounding the use of AI systems under DORA. Governance, risk assessment, incident management, and the remaining requirements of the guidance still apply. But it addresses exactly the core of the problem that BaFin identifies for variant 3: unauthorized data leakage to the model and cloud provider as a material ICT risk. This is precisely where confidential computing comes in. It prevents this access technically instead of merely making it organizationally less likely. 

Anyone wishing to review the architecture and security properties can explore the documentation. The source code is publicly available. 

Frequently asked questions

BaFin's guidance on ICT risks in the use of AI (December 2025) classifies operating LLMs outside the institution's own cloud tenant as a material risk, because data flows to the model provider. It recommends technical and organizational countermeasures and, in Chapter 5.2, refers to the requirement to protect data during processing as well. 

Further reading

Why a third-party confidential-computing layer is required (May 11, 2026)
Even when your cloud provider offers confidential computing, gaps remain. Here's what they deliver, where they stop, and why Contrast and Privatemode AI complete the picture.

Privacy-preserving LLM inference (May 6, 2026)
Learn how privacy-preserving AI inference protects sensitive data when using LLMs, from cryptographic approaches to redaction.