Financial Supervisory Authority of Norway flags DORA-related ICT governance and control shortcomings at SpareBank 1 Østlandet
Norwegian Finanstilsynet 2025-12-23

Norway's Financial Supervisory Authority found deficiencies in SpareBank 1 Østlandet's ICT governance under the Digital Operational Resilience Act (DORA). Issues include gaps in translating governance documentation into operational standards and routines, weak internal control over the follow-up of review findings, and inadequate incident reporting and supplier oversight. The bank is updating its routines and standards in response.

The Financial Supervisory Authority of Norway published a report from an on-site ICT inspection of SpareBank 1 Østlandet and identified shortcomings in the bank's governance and control of its ICT activities under the DORA framework. The inspection assessed ICT risk management, ICT operations, ICT security, use of ICT service providers and preparedness. The review found gaps in how ICT governance documentation is translated into operational standards and routines, and called for stronger internal control through structured, documented follow-up of findings from audit work and contingency testing.

The report highlights weaknesses in internal control over the tracking and closure of findings from external reviews; deficiencies in change management routines, including testing expectations and the ability to link incidents to changes; and shortcomings in the bank's DORA incident reporting routine, including clarity on the role of SpareBank 1 Utvikling and the bank's approach to aggregated reporting with other alliance banks. It also expects more detailed standards and routines for supplier oversight, particularly for providers of critical or important ICT services, including clear requirements for the content and frequency of supplier reporting and for how the bank follows up what suppliers report, as well as systematic follow-up of findings from continuity and contingency tests.

SpareBank 1 Østlandet indicated it is updating routines and standards in response, including updating its business impact analysis routine and strengthening supplier oversight through a dedicated outsourcing function and increased resourcing. The supervisor underscored that systematic, documented follow-up of findings from external reviews and preparedness testing must be ensured.