25.09.2025 | KPMG Law Insights

MaGo update – roadmap for implementing the new requirements

On 14 July 2025, BaFin revised the circular “Minimum requirements for the business organization of insurance companies under Solvency II” (MaGo for SII-VU) and published it as Circular 09/2025 (VA). The new version comes into force on October 14, 2025 and contains a transitional provision. These are the main changes and the measures required for implementation:

Fundamental responsibility of the management

Responsibility for the business organization remains with the entire management and cannot be delegated. This means that the adaptation to the new MaGo requirements must be initiated and ensured by the management.

Focus on central aspects of the business organization

The new version focuses more clearly on core topics. Other content has been moved out of the circular, namely:

  • Requirements for own funds have been included in a separate information sheet.
  • Risk management guidelines (APM, investment risk, liquidity risk) can be found in Circular 05/2025 (VA).

Group level: governance and responsibility

The new MaGo also places a focus on monitoring and control responsibility at Group level. Key governance elements such as risk management and internal control systems as well as reporting should (or can) be implemented at Group level.

To-dos:

  • Companies should review the Group guidelines regarding the new procedures.
  • The monitoring and control responsibility of the ultimate parent company of the insurance group (OMU) should be sufficiently structured.
  • Foreign and non-insurance companies should be included.

 

Sustainability risks: New information

The updated MaGo circular reflects the increased legal requirements for dealing with sustainability risks. BaFin requires insurers to take appropriate account of sustainability risks in their business organization.

To-dos:

  • Companies should take stock: Are sustainability risks systematically taken into account in investment decisions and the investment strategy?
  • If necessary, separate sustainability guidelines and plans must be drawn up.
  • If necessary, training courses should be carried out or adapted, and those responsible should be made aware of the topic.
  • Reporting and documentation processes should be reviewed and adapted if necessary.

 

Risk management: new requirements

Under the new MaGo, companies must define materiality thresholds for all risks that are deemed to be significant.

Furthermore, the new MaGo now explicitly addresses the aspect of risk culture as the basis for effective risk management in Chapter 7. Companies must therefore also subject their risk culture to an appropriate evaluation in order to identify deficiencies in this area at an early stage. As existing risk management processes can be used and expanded for this purpose, the implementation effort appears to be manageable. However, attention should be paid to the explicit inclusion of risk culture in risk management during implementation.

To-dos:

  • Companies must define materiality thresholds for all relevant risks.
  • They must ensure that risks are managed, monitored and included in reporting based on materiality thresholds.
  • Companies should evaluate their risk culture and expand existing processes if necessary.

 

Automated business processes: New section

Chapter 3 of the Circular explains the relationship of MaGo to DORA and the AI Regulation. If insurance companies rely on existing organizational and control processes when implementing DORA and the AI Regulation requirements, MaGo remains the authoritative frame of reference for the interpretation of the general organizational minimum standards.

Chapter 9 of MaGo has been supplemented by a section on automated business processes. These include, for example, automated risk underwriting, individual case decisions and portfolio management. BaFin requires that these processes are controlled, monitored, evaluated in a risk-oriented manner, documented in a comprehensible manner and quality-assured, both prior to implementation and during ongoing operations. The processes must be independently evaluated on a regular basis and the management must be informed about their establishment, design and functionality.

To-dos:

  • Companies should carry out an inventory and identify and document all automated business processes in the company.
  • The risks associated with automated processes should be systematically analyzed and evaluated.
  • Governance structures should be reviewed with regard to EIOPA’s AI governance opinion.
  • Responsibilities between specialist departments, IT, risk control and compliance should be clearly defined and documented.
  • Companies should establish processes for the control, monitoring and quality assurance of automated workflows, both before deployment and during operation.
  • The automated processes should be regularly reviewed by the internal audit department, independent specialist departments or external auditors.
  • Finally, companies should set up a structured process and regular reporting.

 

Reinsurance risks: New guidelines

Subsection 11.2.2 of the MaGo now also includes requirements for risk management guidelines for ceded reinsurance and other risk mitigation techniques. The desired degree and effectiveness of risk transfer should be based on the defined risk tolerance thresholds. Companies should select the type of reinsurance or risk mitigation technique that best suits their risk profile and set out selection criteria in the guidelines. Companies must also develop principles for the selection of contractual partners. This includes requirements for assessing and monitoring the performance and creditworthiness of reinsurers. External ratings should be verified by additional assessments. The guidelines should also stipulate that all risks associated with ceded reinsurance are taken into account, in particular credit risks and risks with reinsurers from third countries. Companies must also assess the scope, impact and effectiveness of risk transfer. Possible liquidity bottlenecks due to timing differences between insurance benefits and payments from reinsurers must also be taken into account.

Companies should also consider scenarios in which reinsurers terminate reinsurance contracts or continue them on less favorable terms. Contingency measures for such exit scenarios should be defined when the contract is concluded.

Finally, any significant risks and measures actually identified must be documented.

To-dos:

  • Guidelines should be developed that align the intended risk transfer with the risk tolerance thresholds.
  • These must contain selection criteria for reinsurers and an assessment of their creditworthiness.
  • Companies must consider all risks associated with reinsurance, including basis risks and liquidity bottlenecks.
  • Emergency measures for exit scenarios must be defined when the contract is concluded.
  • All material risks and the measures taken must be documented.

 

Outsourcing: clarification of the term

In section 13.1, BaFin has deleted the phrase “typical of insurance”. The text now only refers to whether the function or activity would otherwise be performed by the insurance company itself.

However, it is unlikely that BaFin will change its previous administrative practice on outsourcing as opposed to other third-party purchases.

The need for adjustment should therefore be manageable. However, companies should keep an eye on developments in this area. With the entry into force of DORA, the focus of the IT resilience requirements is not on the nature of the IT service as typical for insurance, but on its criticality.

To-dos:

  • Companies should check whether existing outsourcing arrangements still meet the regulatory requirements.
  • They should keep an eye on developments in outsourcing doctrine in the area of IT resilience in connection with DORA.

 

Key functions: Changes and simplifications

The new MaGo also changes the requirements for key functions.

In future, the actuarial function (VmF) must analyze whether reinsurance leads to a greater reduction in the Solvency Capital Requirement than is justified by the risks actually transferred, or whether new risks arise that were not previously taken into account in the Solvency Capital Requirement. Life insurance undertakings must ensure that the VmF’s statement on life insurance contracts with long-term interest rate guarantees also addresses the extent to which the undertaking is likely to be able to meet the obligations arising from the interest rate guarantees for new business from the expected future returns on its investments. The calculation must be specifically assessed in relation to the individual risk profile.

Section 10.5 on the independent risk control function (URCF) contains a simplification: information that has already been addressed to the entire management only has to be included again in the URCF’s regular report if and to the extent that it is necessary for understanding the content of that report. The extent to which the information in the ORSA report on material risk exposures is complete and suitable as a basis for information should be agreed with the URCF.

To-dos:

  • Companies should instruct the VmF to analyze reinsurance with regard to its effect on the Solvency Capital Requirement.
  • They should ensure that the VmF specifically assesses the fulfillment of interest rate guarantees for life insurance policies.
  • It should be clarified whether the ORSA report is sufficient as an information basis for the standard report.

 

Conclusion

With the entry into force of the new MaGo on 14 October 2025, BaFin is specifying, amending and expanding its administrative practice on the requirements for business organization on a number of points. The board of directors or the management of the company, which bears ultimate responsibility for the business organization, should ensure that the necessary implementation steps are addressed and should monitor their timely implementation.

Contact

Dr. Frank Püttgen

Partner

Luise-Straus-Ernst-Straße 2
50679 Köln

Tel.: +49 221 2716891414
fpuettgen@kpmg-law.com
