{"id":34755,"date":"2026-07-08T08:57:51","date_gmt":"2026-07-08T06:57:51","guid":{"rendered":"https:\/\/www.xalt.de\/?p=34755"},"modified":"2026-07-08T12:02:38","modified_gmt":"2026-07-08T10:02:38","slug":"atlassian-cloud-bafin-konform-migrieren-4-schritte","status":"publish","type":"post","link":"https:\/\/www.xalt.de\/en\/atlassian-cloud-bafin-konform-migrieren-4-schritte\/","title":{"rendered":"BaFin-Compliant Migration to the Atlassian Cloud \u2013 4 Steps for IT Leaders at Financial Institutions"},"content":{"rendered":"<div style=\"display: flex; align-items: center; gap: 12px; margin: 40px 0;\">\n  <img decoding=\"async\" src=\"https:\/\/www.xalt.de\/wp-content\/uploads\/2026\/01\/Daniel-Gottschalk.png\" alt=\"Daniel Gottschalk\" style=\"width: 50px; height: 50px; border-radius: 50%; object-fit: cover;\">\n  <div>\n    <p style=\"margin: 0; font-weight: bold;\">Author: Daniel Gottschalk<\/p>\n    <p style=\"margin: 0; font-weight: bold;\">Head of Sales &amp; Customer Success Manager at XALT<\/p>\n  <\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Imagine your IT department has the perfect case for Atlassian Cloud: lower operating costs, automatic updates, and no need for your own infrastructure. Then the compliance department steps in, and the project grinds to a halt. BaFin requirements, EBA guidelines, DORA: For banks, insurance companies, and fintechs, Atlassian Cloud has long seemed like a regulatory obstacle course.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What used to be justified, however, looks different today.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Atlassian has specifically addressed the concerns of regulated institutions with the EU Financial Services Addendum and a structured compliance framework. In this article, you\u2019ll get a clear overview of what this means in practice and how you, as an IT leader, can plan your move to the cloud in a compliance-compliant manner.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why financial institutions are hesitant to migrate to the Cloud<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The reluctance to adopt cloud solutions in the financial sector is driven by regulatory considerations. The EBA (European Banking Authority) and BaFin (Federal Financial Supervisory Authority) treat cloud services as a form of outsourcing that entails far-reaching obligations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit rights:<\/strong> The institution must be able to audit the cloud provider and its subcontractors.<\/li>\n\n\n\n<li><strong>Right to issue instructions:<\/strong> Clear rules about who is allowed to do what with the data.<\/li>\n\n\n\n<li><strong>Data security and location:<\/strong> Where is data processed and stored?<\/li>\n\n\n\n<li><strong>Exit clauses:<\/strong> What happens when the contract ends or the provider goes bankrupt?<\/li>\n\n\n\n<li><strong>Chain outsourcing:<\/strong> Subcontractors of the cloud provider must also meet the requirements.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BaFin is considered one of the most demanding national regulatory authorities within the EU. Its guidance on outsourcing to cloud providers, last updated in February 2024 with an explicit reference to DORA, contains requirements that go beyond the EBA guidelines.<\/p>\n\n\n\n<blockquote style=\"max-width: 900px; margin: 40px 0; padding: 50px;\">\n  <div style=\"width: 40px; margin-bottom: 20px;\">\n    <svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-quote-left\" viewbox=\"0 0 512 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"fill:#01FFCD; width:100%; height:auto;\">\n      <path d=\"M464 256h-80v-64c0-35.3 28.7-64 64-64h8c13.3 0 24-10.7 24-24V56c0-13.3-10.7-24-24-24h-8c-88.4 0-160 71.6-160 160v240c0 26.5 21.5 48 48 48h128c26.5 0 48-21.5 48-48V304c0-26.5-21.5-48-48-48zm-288 0H96v-64c0-35.3 28.7-64 64-64h8c13.3 0 24-10.7 24-24V56c0-13.3-10.7-24-24-24h-8C71.6 32 0 103.6 0 192v240c0 26.5 21.5 48 48 48h128c26.5 0 48-21.5 48-48V304c0-26.5-21.5-48-48-48z\"><\/path>\n    <\/svg>\n  <\/div>\n    <p>According to the <a href=\"https:\/\/www.capgemini.com\/insights\/research-library\/world-cloud-report-financial-services-2025\/\" target=\"_blank\" rel=\"noopener\">Capgemini World Cloud Report: Financial Services 2025<\/a> \u2013 a survey of 600 banking and insurance decision-makers \u2013 only 12% of financial institutions worldwide are true cloud innovators who consistently leverage the cloud to gain a competitive advantage. The majority are still struggling to translate cloud investments into measurable business value. The most common reason for this is a lack of a regulatory framework for migration.\n  <\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">What Atlassian has changed since 2021<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>EU Financial Services Addendum (EU FSA):<\/strong> Since December 2021, Atlassian has been offering this contract addendum to eligible European financial service providers. The EU FSA contractually ensures compliance with the EBA and BaFin requirements for cloud outsourcing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the EU FSA, your institution will receive:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Comprehensive audit rights for you, your auditors, and regulatory authorities, including downstream rights for AWS as the infrastructure provider<\/li>\n\n\n\n<li>Enhanced record-keeping and reporting requirements on the part of Atlassian<\/li>\n\n\n\n<li>Obligation to cooperate with the client's regulatory authorities<\/li>\n\n\n\n<li>Continuity of service following termination or bankruptcy<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/dora\" target=\"_blank\" rel=\"noopener\"><strong>DORA (Digital Operational Resilience Act)<\/strong><\/a><strong>:<\/strong> Mandatory for all EU financial institutions as of January 17, 2025. Atlassian supports affected institutions with a robust contractual framework, proof of compliance, and transparency regarding security practices.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/bafin\" target=\"_blank\" rel=\"noopener\"><strong>BaFin Outsourcing Guidance<\/strong><\/a><strong>:<\/strong> Atlassian has published a specific mapping document that shows how Atlassian Cloud Enterprise addresses each of the BaFin requirements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Atlassian provides the regulatory framework, contract, certifications, and documentation. The institution is responsible for configuration and data management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4 steps to a BaFin-compliant Atlassian Cloud<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Check the requirements for the EU FSA<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The EU FSA is not available to every customer. Requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Status as a European financial services institution (bank, insurance company, or qualified fintech company in the EEA or the UK)<\/li>\n\n\n\n<li>Enterprise Edition of Confluence Cloud, Jira Software Cloud, Jira Service Management Cloud, or Jira Align Cloud<\/li>\n\n\n\n<li>MSA agreement with a minimum spend of 150,000 euros; inquiry via the Atlassian Partner Service Desk<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Get the compliance team on board early on<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is the most common mistake in practice: IT plans the migration, and the compliance team finds out about it six weeks before go-live. Do it the other way around. Start with a mapping session involving IT, the compliance department, and the data protection officer. Make it clear from the start:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What data is processed in Jira\/Confluence, and what is its classification?<\/li>\n\n\n\n<li>What internal approvals do you need for outsourcing?<\/li>\n\n\n\n<li>Are there any existing internal policies for cloud services that need to be updated first?<\/li>\n\n\n\n<li>What data may be processed, and for what purposes?<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Compare BaFin requirements with Atlassian controls<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Atlassians <a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/bafin\" target=\"_blank\" rel=\"noopener\">BaFin Outsourcing Guidance<\/a> provides the exact mapping. The key areas:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit rights:<\/strong> Atlassian grants inspection rights even downstream at AWS<\/li>\n\n\n\n<li><strong>Data Security:<\/strong> ISO 27001, SOC 2, SOC 3, and <a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/c5\" target=\"_blank\" rel=\"noopener\">BSI C5-certified<\/a>; Data Residency available for the EU<\/li>\n\n\n\n<li><strong>Incident Report:<\/strong> 72-Hour Standard for Security Incidents Enshrined in the Atlassian DPA<\/li>\n\n\n\n<li><strong>Exit Management:<\/strong> EU FSA Ensures Service Continuity Even in the Event of Termination or Insolvency<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Document everything as a package of supporting evidence<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Completed outsourcing register with the EU FSA as proof of contract<\/li>\n\n\n\n<li>Mapping Document: BaFin requirements vs. Atlassian controls<\/li>\n\n\n\n<li>Configuration documentation for all admin settings<\/li>\n\n\n\n<li>Incident Response Matrix<\/li>\n\n\n\n<li>Regular review meeting (at least once a year)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">DORA starting in 2025: What's changing for Atlassian users<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For Atlassian users, DORA encompasses five areas of focus:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ICT Risk Management:<\/strong> Clear Frameworks for risk identification and management<\/li>\n\n\n\n<li><strong>Incident Reporting:<\/strong> Standardized reporting processes for ICT disruptions<\/li>\n\n\n\n<li><strong>Resilience Tests:<\/strong> Regular penetration tests and stress tests<\/li>\n\n\n\n<li><strong>Third-Party Management:<\/strong> Monitoring and Ooversight of critical ICT service providers<\/li>\n\n\n\n<li><strong>Information Exchange:<\/strong> Voluntary exchange on cyber threats<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: What IT leaders in the financial sector should take away<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The EU FSA makes Atlassian Cloud regulatorially compliant<\/strong> (available to eligible financial institutions since 2021)<\/li>\n\n\n\n<li><strong>DORA has been mandatory since January 2025<\/strong> (Atlassian provides the contract framework)<\/li>\n\n\n\n<li><strong>Shared Responsibility:<\/strong> Atlassian provides the foundation; you provide the configuration.<\/li>\n\n\n\n<li><strong>Involving Compliance early on speeds up projects<\/strong> (not the other way around)<\/li>\n\n\n\n<li><strong>The Enterprise Edition is a prerequisite for the EU FSA<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Are you planning to migrate to the Atlassian Cloud and want to ensure compliance with BaFin, EBA, and DORA from the very beginning? XALT supports you every step of the way: From conducting a regulatory assessment to setting up an audit-ready cloud environment.<\/p>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-3e41869c wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-black-color has-text-color has-background has-link-color wp-element-button\" href=\"https:\/\/www.xalt.de\/en\/contact-2\/\" style=\"background-color:#01ffcd\"><strong>Request a BaFin Compliance Assessment now<\/strong><\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ: Atlassian Cloud and BaFin Compliance<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How does Atlassian support compliance with BaFin BAIT requirements?<\/strong><br>Through the <strong>Financial Services Addendum (FSA)<\/strong> and the <strong>EU Data Residency<\/strong> the necessary contractual and technical foundations. The Atlassian Trust Center also provides specific compliance mappings for German financial institutions to help them meet the requirements of BAIT and MaRisk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Is Atlassian Cloud DORA-compliant for banks in Germany?<\/strong><br>Yes, Atlassian is actively preparing for the <a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/dora\" target=\"_blank\" rel=\"noopener\"><strong>Digital Operational Resilience Act (DORA)<\/strong><\/a> . They already provide the necessary transparency and audit rights, as well as security certifications (ISO 27001, SOC 2), required for third-party ICT risk management under DORA.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>What is the Atlassian Financial Services Addendum (FSA)?<\/strong><br>The FSA is a contract addendum for clients in the financial sector. It contains specific provisions regarding audit rights, disclosure obligations, and the oversight of subcontractors to meet the requirements of BaFin and the EBA (European Banking Authority).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Can I use Atlassian Jira and Confluence Cloud with BSI C5?<\/strong><br>Yes, Atlassian Cloud products have a <a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\/c5\" target=\"_blank\" rel=\"noopener\"><strong>BSI C5 Certification<\/strong><\/a> (Cloud Computing Compliance Controls Catalog). This is essential for German companies to demonstrate the security of their cloud infrastructure to regulatory authorities. XALT has already successfully migrated customers (such as AKDB) to a C5-compliant environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Where can I find the latest audit reports for my risk analysis?<\/strong><br>All relevant <a href=\"https:\/\/www.atlassian.com\/trust\/compliance\/resources\" target=\"_blank\" rel=\"noopener\">Certifications<\/a>, SOC reports and compliance certifications are central to the <strong>Atlassian Trust Center<\/strong> archived. Some detailed reports can be requested directly through the compliance portal.<\/p>","protected":false},"excerpt":{"rendered":"<p>Autor: Daniel Gottschalk Head of Sales &amp; Customer Success Manager bei XALT Stell dir vor, deine IT-Abteilung hat die perfekte Begr\u00fcndung f\u00fcr die Atlassian Cloud: niedrigere Betriebskosten, automatische Updates, keine eigene Infrastruktur. Dann kommt die Compliance-Abteilung und das Projekt stockt. BaFin-Anforderungen, EBA-Leitlinien, DORA: F\u00fcr Banken, Versicherungen und FinTechs klingt Atlassian Cloud lange nach einem regulatorischen [&hellip;]<\/p>\n","protected":false},"author":213,"featured_media":34756,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[36,37],"tags":[42],"department":[],"job_location":[],"start":[349],"beschaeftigungsverhaeltnis":[373],"class_list":["post-34755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-atlassian","tag-cloud","start-ab-sofort","beschaeftigungsverhaeltnis-vollzeit"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/posts\/34755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/users\/213"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/comments?post=34755"}],"version-history":[{"count":11,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/posts\/34755\/revisions"}],"predecessor-version":[{"id":34775,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/posts\/34755\/revisions\/34775"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/media\/34756"}],"wp:attachment":[{"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/media?parent=34755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/categories?post=34755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/tags?post=34755"},{"taxonomy":"department","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/department?post=34755"},{"taxonomy":"job_location","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/job_location?post=34755"},{"taxonomy":"start","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/start?post=34755"},{"taxonomy":"beschaeftigungsverhaeltnis","embeddable":true,"href":"https:\/\/www.xalt.de\/en\/wp-json\/wp\/v2\/beschaeftigungsverhaeltnis?post=34755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}