LogoRegulatory Alerts
2025-11-10

Order on the Implementation of System Audits in Operators of Financial Digital Infrastructure and Others

The Danish Financial Supervisory Authority issued this order to regulate system audits for operators of financial digital infrastructure, mandating both external and internal audit functions to ensure system, data, and operational security. It establishes strict requirements for auditor independence, reporting protocols, and the issuance of annual declarations regarding IT controls and risk management. The regulation further obligates operators to provide management statements to connected financial entities, enabling them to assess risks and implement compensating controls based on audit findings.

Finanstilsynet Denmark logo

Denmark

Finanstilsynet Denmark

Click to view thumbnail

Order on the Implementation of System Audits in Operators of Financial Digital Infrastructure and Others

Pursuant to Section 333 p and Section 373, paragraph 4, of the Act on Financial Business, cf. Statutory Order No. 650 of 6 September 2025, and Section 180 h and Section 255, paragraph 1, of the Act on Capital Markets, cf. Statutory Order No. 652 of 6 September 2025, the following is prescribed:

Chapter 1 Scope and Definitions

Section 1. This Order applies to companies designated as operators of financial digital infrastructure pursuant to Section 333 of the Act on Financial Business.

Section 2. In this Order, "system audit" is understood as the audit of the following:

  1. General IT controls within the company, including their management system in relation to IT security.
  2. IT-based user systems offered by operators to connected financial companies, financial holding companies, insurance holding companies, or subsidiaries of such companies.
  3. IT systems offered for the exchange of data with financial companies, financial holding companies, insurance holding companies, or subsidiaries of such companies connected to the operators, as well as other operators.

Paragraph 2. In this Order, "system, data, and operational security" is understood as follows:

  1. System security is the result of policies, procedures, and controls that ensure reliable systems, including that systems are documented, approved, tested, and secured against unauthorized modification and access.
  2. Data security is the result of policies, procedures, and controls that ensure reliable and confidential registration, storage, protection, and use of data, as well as that modification, deletion, physical or logical access to, or use of data is approved and documented.
  3. IT systems offered for the exchange of data with financial companies, financial holding companies, insurance holding companies, or subsidiaries of such companies connected to the operators, as well as other operators.

Paragraph 3. "Connected companies" refers to companies subject to the supervision of the Danish Financial Supervisory Authority, for which a company designated as an operator of financial digital infrastructure performs significant IT operations and IT development tasks.

Chapter 2 The External System Audit

Section 3. The general meeting of operators of financial digital infrastructure pursuant to Section 1 shall appoint at least one approved auditor (the external system audit) to perform the tasks in Sections 4-8. In operators where the highest governing body is not a general meeting, the appointment shall be made by the highest governing body. The individual external system auditor shall perform their tasks through an approved audit firm, cf. the Act on Approved Auditors and Audit Firms. The operator bears the costs of the system audit.

Paragraph 2. The external system audit is appointed for one year at a time. In the event of a new appointment of an auditor, the board of directors must ensure that notification thereof is given to the Danish Financial Supervisory Authority no later than one month after the appointment. In the event of a change of auditor, the company and the outgoing auditor shall each provide a statement to the Danish Financial Supervisory Authority no later than one month after the departure, if the change is due to special circumstances, cf. Section 199, paragraph 6, of the Act on Financial Business.

Paragraph 3. The provisions of the Act on Approved Auditors and Audit Firms regarding the auditor's term of office in companies subject to the supervision of the Danish Financial Supervisory Authority, as well as reporting and independence, shall apply mutatis mutandis to the external system audit.

Paragraph 4. The provisions of the Act on Companies and Limited Liability Companies (the Companies Act) regarding the board of directors' and management's duty to provide the auditor with information, access to conduct investigations, and ensure that the auditor receives the information and assistance deemed necessary for the performance of their duties, shall apply mutatis mutandis to the external system audit.

Paragraph 5. The provisions of the Act on Companies and Limited Liability Companies (the Companies Act) regarding the auditor's right and duty to be present and answer questions at a company's general meeting shall apply mutatis mutandis to the external system audit at an operator's general meeting or meeting of the highest governing body.

Section 4. The external system audit shall conduct the system audit referred to in Section 2, paragraph 1, in accordance with good auditing practice, including ensuring:

  1. That adequate control and security measures are taken to a sufficient extent in the development, maintenance, and operation of the operator's systems related to the connected companies, and
  2. That the operator's procedures related to connected companies are organized and function in a satisfactory manner.

Paragraph 2. The external system audit shall contribute to a coordinated system audit effort with:

  1. The audit of connected companies, and
  2. The system audit of other operators covered by this Order.

Chapter 3 The External System Audit Protocol

Section 5. For the use of the operator's board of directors, the external system audit shall maintain a separate system audit protocol. The system audit protocol shall account for the system audit performed during the year, which can form the basis for audit sub-conclusions. The system audit protocol shall be presented to the board of directors, and every entry in the protocol shall be signed by the entire board of directors and the head of the system audit.

Paragraph 2. At the end of each calendar year, an annual protocol addendum shall account for the nature and scope of the audit work performed and the conclusion thereof. The annual protocol addendum shall in this connection fulfill the following:

  1. The external system audit shall list in the annual protocol addendum any auditor statements regarding system audits that were not issued pursuant to Section 8, and provide information on the content of any modifications or emphasis of matters in these. If there are no auditor statements to list, this shall be explicitly stated in the annual protocol addendum.
  2. The external system audit shall, in a separate section of the annual protocol addendum, summarize all remarks that the system audit has had occasion to raise with the board of directors in the system audit protocol. The summary shall include a status regarding the remarks raised for the relevant year as well as a status regarding remarks that appeared as outstanding in the annual protocol addendum for previous years. The summary may include references to remarks in the auditor's statement to be issued pursuant to Section 8. If references to the auditor's statement are used, the statement itself shall be presented to the operator's board of directors no later than at the meeting where the board processes the annual protocol addendum. In a separate section, it shall be clearly stated when the board has received or will receive the statement itself.
  3. The external system audit shall, in a separate section of the annual protocol addendum, provide information on the execution of any assistance or advisory tasks within the scope of this Order. If no such tasks have been performed, this shall be explicitly stated in the annual protocol addendum.

Section 6. If the operator has an internal system audit that fulfills the provisions of Sections 10-16, the external system audit may agree with the head of the system audit, cf. Section 11, paragraph 1, that the listing of auditor statements pursuant to Section 5, paragraph 2, no. 1, and the summary pursuant to Section 5, paragraph 2, no. 2, shall appear only in the internal system audit's annual protocol addendum. This agreement shall be stated in the system audit agreement, cf. Section 15.

Section 7. The annual protocol addendum shall provide information on:

  1. Whether the external system audit fulfills the legislative requirements for the auditor's independence, and
  2. Whether the external system audit has received all the information requested.

Paragraph 2. In the annual protocol addendum, the external system audit shall confirm that the statement referred to in Section 8 has been issued to the connected companies. Any modifications or emphasis of matters shall be reproduced in the annual protocol addendum in this connection.

Paragraph 3. In operators that have an internal system audit, the annual protocol addendum shall provide information on:

  1. Whether the tasks agreed upon in the system audit agreement, cf. Section 15, have been performed,
  2. Whether the internal system audit functions satisfactorily, including whether the external audit has become aware of circumstances that individually or collectively indicate that the internal audit functions independently of the daily management, and
  3. Whether the external system audit agrees with the content of all entries in the internal system audit's protocol regarding the calendar year, and if not, in what the disagreement consists.

Paragraph 4. The operator shall send a copy of the external system audit's annual protocol addendum to the Danish Financial Supervisory Authority every year before 15 February, together with a copy of the statement issued pursuant to Section 8 and a copy of the management statement, cf. Section 21.

Paragraph 5. Statements and information pursuant to paragraphs 1-3 shall, if issued without modifications, be reproduced according to the wording of this Order.

Chapter 4 Statements

Section 8. The external system audit shall, every year before a time agreed with the operator, cf. however paragraph 9, issue a statement regarding system, data, and operational security concerning the preceding calendar year for use by the connected companies.

Paragraph 2. The statement, cf. paragraph 1, shall cover all relevant matters, including matters pursuant to Section IX c of the Act on Financial Business.

Paragraph 3. For each individual control objective included in the statement pursuant to paragraph 1, one of the following categories shall be specified as a summary of whether the control objective is fulfilled satisfactorily:

  1. Satisfactory.
  2. Satisfactory, but need for some improvements.
  3. Not satisfactory.

Paragraph 4. The statement, cf. paragraph 1, shall contain an independent listing of controls that are or have been ineffective.

Paragraph 5. Conclusions in the statement, cf. paragraph 1, shall be issued verbatim according to Annex 1 to this Order, if the statement is issued without modifications. The statement shall be drafted according to the rules for other assurance statements in the Order on Approved Auditors' Statements.

Paragraph 6. It shall appear from the statement's conclusion whether the external system audit assesses that the operator's overall system, data, and operational security is and functions satisfactorily.

Paragraph 7. If the external system audit is aware of circumstances regarding the operator's general IT controls, IT-based user systems, and systems for data exchange that are in conflict with legislation regarding financial business, the external system audit shall inform thereof in a separate section of the statement. If none of the mentioned circumstances exist, this shall likewise be stated in a separate section.

Paragraph 8. The statement, cf. paragraph 1, and the internal system audit head's statement pursuant to Section 9, shall be sent by the operator without undue delay after their issuance to the management of the connected companies. For groups, the operator may, unless it conflicts with the provisions of the Act on Financial Business regarding the disclosure of confidential information, agree with the parent company that the statements are sent only to the parent company's management, which shall in that case ensure that the management of relevant group companies receives copies.

Paragraph 9. The external system audit shall issue the statement, cf. paragraph 1, regarding a period ending no earlier than 31 October in the relevant calendar year. If a statement is issued regarding a period other than a calendar year, the external system audit shall, at the turn of the year, additionally issue a supplementary statement to the connected companies regarding whether the overall system, data, and operational security has been and functioned satisfactorily in the period up to the turn of the year.

Section 9. If the operator has an internal system audit that fulfills the provisions of Sections 10-16, the head of the internal system audit shall, in a separate document, for use by the connected companies, declare that they agree with the external system audit's statement.

Paragraph 2. The head of the system audit's statement shall contain a brief description of the system audit performed and the conclusion thereof.

Paragraph 3. Any modifications or emphasis of matters shall clearly appear in the statement.

Chapter 5 The Internal System Audit

Section 10. The board of directors of an operator may determine that an internal system audit shall be established, cf. however paragraph 2.

Paragraph 2. Operators performing significant IT operations, including accounting, registration, and clearing tasks for credit institutions, are obliged to establish an internal system audit.

Section 11. The internal system audit shall be led by a head of the system audit. The appointment and dismissal of the head of the system audit may only be made by the operator's board of directors.

Paragraph 2. The head of the system audit must, at the time of appointment, have participated in practical system audit work for at least 3 of the last 5 years.

Paragraph 3. The board of directors may appoint a deputy head of the system audit as a substitute for the head of the system audit.

Paragraph 4. The provisions in paragraphs 1 and 2 and Sections 12 and 13 regarding the head of the system audit shall apply mutatis mutandis to deputy heads of the system audit, including substitutes.

Section 12. When a head of the system audit assumes office, this shall be reported to the Danish Financial Supervisory Authority no later than one month after the assumption of office.

Paragraph 2. The board of directors shall, in the report to the Danish Financial Supervisory Authority regarding the appointment of the head of the system audit, provide a statement that the head of the system audit fulfills the requirements pursuant to Section 11, paragraph 2.

Paragraph 3. When a head of the system audit leaves their position, the board of directors and the head of the system audit shall, no later than one month after the departure, each send a statement to the Danish Financial Supervisory Authority regarding the background thereof.

Section 13. The head of the system audit shall have access to all information deemed necessary for the implementation of the system audit, including board of directors' minutes.

Paragraph 2. The head of the system audit and employees in the internal system audit may not participate in other work in the operator than audit.

Paragraph 3. The head of the system audit and employees in the internal system audit must be independent. The system audit must be able to address and report directly to the board of directors, independently of the management.

Section 14. In operators that have an internal system audit, a job description must exist, which is approved by the board of directors. The job description shall as a minimum contain provisions on the following:

  1. The internal system audit's general powers, responsibilities, and work tasks.
  2. The employees' qualifications.
  3. How and to what extent the head of the system audit and employees in the internal system audit are ensured continuous further education.
  4. That the appointment and dismissal of employees in the internal system audit shall be made or approved by the head of the system audit.
  5. The internal system audit's budget, including that this is approved by the operator's board of directors.
  6. Information on agreements between the operator's management and the internal system audit regarding the execution of special audit tasks, with the exception of one-off tasks and tasks of a temporary nature, which only need to appear in the internal system audit's protocol, cf. Section 17.

Paragraph 2. The tasks mentioned in paragraph 1, no. 6, must not cause the head of the system audit to be in a situation where the person declares or provides information on circumstances or documents for which the head of the system audit or employees in the internal system audit have prepared the basis.

Paragraph 3. The internal system audit shall present the audit plan to the board of directors, including all IT audits and any significant changes thereto. The audit plan and its implementation, including nature, scope, and frequency, shall reflect and stand in a reasonable proportion to the inherent IT risks in the company and shall be updated regularly.

Section 15. In operators that have an internal system audit, the system audit work shall be performed in accordance with good auditing practice and according to a system audit agreement between the external system audit and the head of the system audit. The system audit agreement shall as a minimum contain the following:

  1. An overall description of which system audit tasks shall be performed, and which of these tasks are the responsibility of the external system audit and the internal system audit, respectively.
  2. Guidelines for cooperation between the external system audit and the internal system audit, including the work the external and internal system audit shall perform in connection with the control of system audit work.
  3. A description of how, and to what extent, information is exchanged between the internal system audit and the external system audit regarding the performed system audit.
  4. Guidelines for cooperation with: a) Internal and external audit in connected companies, and b) Internal and external system audit in other operators covered by this Order.

Section 16. Internal system audit shall take a stance on the operator's compliance with the Danish Financial Supervisory Authority's supervisory responses by reviewing and verifying relevant documentation.

Chapter 6 The Internal System Audit Protocol

Section 17. For the use of the operator's board of directors, the internal system audit shall maintain a system audit protocol. The system audit protocol shall account for the system audit performed during the year, which can form the basis for audit sub-conclusions. The system audit protocol shall be presented to the board of directors, and every entry in the protocol shall be signed by the entire board of directors.

Paragraph 2. At the end of each calendar year, an annual protocol addendum shall account for the system audit performed and the conclusion thereof. The annual protocol addendum shall in this connection fulfill the following:

  1. The internal system audit shall list in the annual protocol addendum any auditor statements regarding system audits issued and provide information on the content of any modifications or emphasis of matters in these. If there are no auditor statements to list, this shall be explicitly stated in the annual protocol addendum.
  2. The internal system audit shall, in a separate section of the annual protocol addendum, summarize all remarks that the system audit has had occasion to raise with the board of directors in the system audit protocol. The summary shall include a status regarding the remarks raised for the relevant year as well as a status regarding remarks that appeared as outstanding in the protocol addendum for the previous year.
  3. The internal system audit shall, in a separate section of the annual protocol addendum, reproduce a company-prepared overview of all supervisory responses issued by the Danish Financial Supervisory Authority in the financial year, supervisory responses issued by the Danish Financial Supervisory Authority in the previous financial year but not yet complied with at the closing date, and supervisory responses that have been complied with in the financial year. If no supervisory responses have been issued in the financial year, and all supervisory responses have been complied with by the end of the previous financial year, this shall likewise be stated. The internal system audit shall review the company-prepared overview and provide information on remarks thereto, including the internal system audit's stance on the compliance with supervisory responses.
  4. The head of the system audit shall, as a minimum in a separate section of the annual protocol addendum, confirm that the head of the system audit has not been in a situation where the person declares or provides information on circumstances or documents for which the head of the system audit or employees in the internal system audit have prepared the basis, cf. Section 14, paragraph 2.
  5. The annual protocol addendum shall also provide information on whether the internal system audit has received all the information requested.

Paragraph 3. The operator shall send a copy of the internal system audit's annual protocol addendum to the Danish Financial Supervisory Authority every year before 15 February, together with a copy of the statement issued pursuant to Section 9.

Chapter 7 General Provisions

Section 18. The internal and external system audit shall:

  1. Have sufficient knowledge, professional competencies, and expertise in relevant areas, and continuously maintain these at a level necessary to ensure that a qualified professional service is delivered based on updated knowledge of the latest development within good auditing practice, legislation, and methods, and
  2. Ensure that the nature, scope, and frequency of the audit stand in a reasonable proportion to the relevant IT risks.

Section 19. The internal and external system audit shall ensure that the Danish Financial Supervisory Authority immediately receives notification if they:

  1. Must presume that the operator's overall system, data, and operational security in areas covered by this Order is not satisfactory, or
  2. Become aware that significant and prolonged IT operational problems have arisen in the operator regarding the operator's services to the connected companies.

Paragraph 2. In the assessment of whether notification to the Danish Financial Supervisory Authority shall be made pursuant to paragraph 1, no. 2, the following shall as a minimum be included:

  1. The impact of the operational problems on the operator's exchange of data with other operators and the associated data processing, and
  2. The significance of the operational problems for the connected companies' short-term financial management.

Paragraph 3. If the external system audit or the internal system audit establishes circumstances regarding one or more of the connected companies' IT usage that are not satisfactory in areas covered by the operator's services to the company, and this concerns circumstances that connected companies can normally be expected to attach significance to when making decisions regarding system, data, and operational security, the relevant party shall ensure that the circumstance is notified in writing without undue delay to the management of the relevant company or companies. The circumstance shall appear in the ongoing system audit protocol to the operator's board of directors, and it shall appear in a separate section of the internal or external system audit's annual protocol addendum.

Section 20. Section 74, paragraphs 1-3, of the Act on Financial Business shall apply mutatis mutandis to the external system audit's and the internal system audit head's participation in and rights at board meetings.

Chapter 8 Management Statement

Section 21. The operator's management shall prepare a statement, based on the external system audit's statement, which shall enable each connected company to assess risks. The statement shall as a minimum contain a description of the following:

  1. Management's assessment of control weaknesses and derived risks for each connected company, as well as the consequences the identified control weaknesses entail individually and collectively.
  2. How the operator handles the identified control weaknesses.
  3. Which compensating control and security measures each connected company can implement to counteract the identified control weaknesses.

Paragraph 2. Based on the performed system audit, the external system audit shall review the management statement and provide an opinion on whether the information in the management statement is in accordance with the statement issued pursuant to Section 8 and the minimum requirements pursuant to Section 21, paragraph 1.

Paragraph 3. The statement and opinion shall be sent to each connected company together with the statement, cf. Section 8, paragraph 1.

Share