The Financial Supervisory Authority of Norway finds ICT governance and DORA control shortcomings at Landkreditt Bank AS

The Financial Supervisory Authority of Norway published an on-site ICT inspection report on Landkreditt Bank AS, identifying multiple deficiencies in the bank’s governance and control of ICT operations, including weaknesses in organisational role clarity, governance documentation, risk reporting, and compliance with applicable requirements including the Digital Operational Resilience Act (DORA). The inspection assessed how the bank manages, develops, operates, maintains and secures ICT systems and services, with particular focus on oversight of ICT service providers, ICT risk and security, and contingency planning. Key findings covered outdated and incomplete ICT governance documentation and an underdeveloped approach to business impact analysis, unclear links between the board’s risk appetite and the assessed ICT risk level, compliance reporting that did not assess DORA compliance, limited follow-up of internal audit recommendations, and a vendor oversight approach largely reliant on third-party assurance reporting rather than the bank’s own controls. Further improvement needs were identified in access management at ICT service providers and in completing and testing contingency and continuity arrangements. In its responses, the board reported updates to ICT role descriptions, revisions to internal audit follow-up processes with quarterly management and board reporting, plans for more extensive first- and second-line controls of key ICT suppliers aligned to the 2026 compliance plan, and completion and board approval of contingency and continuity plans. The bank also indicated it will test critical processes against relevant scenarios in 2026 and include related training in its 2026 training plan, while the supervisor requested that a copy of the report be sent to the external auditor.