The Financial Supervisory Authority of Norway published an ICT supervisory report on Eika Boligkreditt AS following an on-site review on 2–3 December 2025, identifying shortcomings in the firm’s governance and control of ICT operations. The findings cover weaknesses in organisational arrangements, how governance documentation is put into practice, and management of ICT third-party risk, alongside improvement needs in regulatory compliance, access management, and testing of security, preparedness and business continuity. The report, which builds on a preliminary report of 18 February 2026 and the board’s comments of 20 March 2026, notes gaps in ICT resources and competence across the three lines of defence and questions whether planned ICT-related audit activity for 2025–2026 is sufficient.

Although the firm has developed and board-approved extensive policies (including for ICT risk under Regulation (EU) 2022/2554 on digital operational resilience), Finanstilsynet found limited operationalisation in day-to-day processes. Weaknesses were also highlighted in supplier oversight, including a lack of second- and third-line controls to verify adherence to service-level agreements and internal requirements, as well as insufficient visibility and assurance over supplier access and the frequency and transparency of security testing; continuity testing was assessed as lacking relevant severe scenarios involving supplier incidents.

Finanstilsynet recorded the board’s planned and implemented remedial measures, including strengthening second-line compliance controls, reviewing ICT deliveries and vendor follow-up through internal audit in 2026, and tightening expectations in future service-level agreement revisions, and expects continued prioritisation of the DORA implementation work. The firm was asked to send a copy of the report to its auditor.
Norwegian Finanstilsynet 2026-04-17
Financial Supervisory Authority of Norway identifies ICT governance and DORA compliance weaknesses at Eika Boligkreditt
The Financial Supervisory Authority of Norway published an ICT supervisory report on Eika Boligkreditt AS identifying material weaknesses in governance and control of ICT operations, including organisational arrangements, third-party risk management, access management, and testing of security, preparedness and business continuity. Finanstilsynet also highlighted gaps in ICT resources and competence across the three lines of defence and limited operationalisation of policies under Regulation (EU) 2022/2554 on digital operational resilience, as well as weak supplier oversight. The authority noted the board’s planned remedial measures and expects continued prioritisation of Digital Operational Resilience Act implementation.