The VAIT is Over: Germany’s Insurance IT Regulation

Around the world, regulators are recognising the magnitude of risk posed by unmanaged end user computing (EUC) applications, such as spreadsheets. Spreadsheet blunders can range from embarrassing to catastrophic. With billions in the balance, it’s no wonder that orders to prevent them are now coming from the top.

This is especially relevant to the insurance sector. The financial security of millions of policyholders depends on the rigour with which models are managed. A manual, ad hoc approach is simply not good enough anymore, and it seems that the authorities agree.

What is VAIT & Who Does it Apply To?

In 2018, Germany’s Federal Financial Supervisory Authority, BaFin, issued the Versicherungsaufsichtliche Anforderungen an die IT, or VAIT, requirements. VAIT sets out requirements relating to information security and information technology for the insurance industry.

VAIT applies to all undertakings subject to supervision in accordance with section 1(1) of the German Insurance Supervision Act, Versicherungsaufsichtsgesetz (VAG). It also applies to any insurance group with undertakings in other EU or European Economic Area states for which BaFin is the group supervisor.

EUC-Specific Requirements

VAIT includes dedicated requirements for end user computing (EUC) applications. Points 14, 15, 18 and 42 to 57 of the VAIT regulations are specified as applying to EUC applications. At a high level, these requirements may be grouped into four categories:

  1. Inventory
    The ability to create and maintain a risk-based inventory of EUC applications.
  2. Version Control
    The ability to enforce and monitor varying levels of change/ release (version) control based on the risk classification of the EUC application.
  3. Change Management
    The ability to monitor EUC applications to identify unauthorized changes and facilitate approval workflows.
  4. Access Control
    The ability to control and limit access to critical EUC applications and those which contain confidential or personally identifiable information (PII).

How Apparity Helps

MBE’s EUC software partner, Apparity, was designed to manage and control EUC applications within highly regulated industries, especially banking, insurance and the utility sector. Apparity’s standard functionality allows insurance companies to automate and evidence all of the EUC-specific requirements of VAIT.


  • Discovery Module
    Automatically create and maintain an inventory of EUC files, including key file details.
  • Structural Complexity Algorithm
    Determine the complexity of each identified file using custom evaluation parameters.
  • Registration
    Qualitative assessment of file impact to capture relevant data from file owners. Enables a risk-based inventory based on both complexity and impact.
  • Connection Explorer
    Visually chart connections between discovered files. Provides a clearer understanding of upstream & downstream dependencies.

Version Control

  • Versioning
    Automatically capture and track all file copies while allowing user comments to enable collaboration and audit trails.
  • Version History
    View, export, and restore a file to a previous version or copy of a file.
  • Zero Loss Fingerprinting
    Monitored files are always tracked, regardless of file save location or how it is named. Ensures there are never ‘lost copies’ of a file.

Change Management

  • Change Logs
    Real-time and in-session view of all critical changes made to a file. Filtering and sorting helps identify potential mistakes or unauthorized changes.
  • Noise Filtering
    Users only see critical changes that are relevant to them configured against company EUC policy.
  • Automated Review and Approval Workflow
    Ensures critical changes are properly signed off with included audit trails.

Access Control

  • File Access & Modification Reports
    Track and log all users who update critical files.
  • Unexpected Change Warnings
    Flag any changes made by non-Apparity users who might be outside the controls framework.
  • Apparity checks & monitors against all Existing Access Control frameworks. Ensures access will never be granted to a file unless the user has access to the original file location.
  • Automated PII identification
    Allows teams to understand which files have sensitive data that should not be accessible to broader audiences.

For further information on how MBE can support you with your EUC requirements please get in touch. Additional information on the Apparity solution and how it helps with VAIT compliance can be found here.

Pamela Hellig