2026-04-22
The Danish Financial Supervisory Authority issued an inspection report mandating DLR Kredit A/S to rectify significant deficiencies in its IT risk management, incident response, third-party oversight, and digital operational resilience testing. The regulator found that inadequate frameworks, unclear responsibility allocations, insufficient contingency planning, and untested exit strategies elevate the institution's IT risk profile and threaten operational continuity for its banking clients. Consequently, DLR Kredit is legally required to implement comprehensive corrective measures across all five identified control areas to comply with the Digital Operational Resilience Act (DORA).
Inspection Report 22-04-2026
The Danish Financial Supervisory Authority (Finanstilsynet) conducted an IT inspection at DLR Kredit A/S in autumn 2025. The purpose of the inspection was to examine the institution's management of the IT security area, which is regulated by the Regulation on Digital Operational Resilience in the Financial Sector (DORA).
Summary and Risk Assessment
The Danish Financial Supervisory Authority assesses that DLR Kredit has deficiencies in significant areas regarding the institution's management of IT risks, IT preparedness, IT third-party risks, IT incidents, and testing of digital operational resilience. These deficiencies entail an elevated IT risk. The Authority has therefore issued a number of orders to DLR Kredit to ensure adequate management of these areas.
DLR Kredit has deficiencies in its IT risk management. The institution has not established a clearly defined and well-documented framework for IT risk management, and the strategy for digital operational resilience is insufficient. The framework and the institution's review thereof are not sufficiently clear. There is ambiguity regarding the allocation of responsibilities between the first and second lines of defense in relation to the IT risk management framework, and the information security policy is not adapted to DLR Kredit's risk profile. The control procedures are not adapted in accordance with the requirements of DORA. This may lead to a risk that significant IT risks are not identified, assessed, or managed adequately, and that the board lacks the necessary basis for oversight. DLR Kredit has therefore been ordered to ensure that the management of IT risks is adequate [1].
DLR Kredit has deficiencies in the management of IT preparedness. The requirements for IT preparedness are distributed across several documents and organizational units, resulting in ambiguity regarding responsibility allocation and role placement. The contingency plans lack clear time horizons and recovery levels, and the BIA process (business impact analysis process) is not sufficiently quality-assured. BCPs (business continuity plans) and DRPs (disaster recovery plans) are not sufficiently operational, and there is insufficient overview of or access to DRPs for all critical and significant IT suppliers. Testing of contingency plans is not sufficiently comprehensive, and there is a lack of systematic follow-up on whether the preparedness objectives can be realized in practice. These circumstances could ultimately result in operational disruptions affecting the credit institutions that are DLR Kredit's customers, and their ability to provide mortgage credit services. DLR Kredit has been ordered to ensure that the management of IT preparedness is adequate [2].
DLR Kredit has deficiencies in the management of third-party risks. Not all third-party services supporting critical functions have been risk-assessed, and a uniform method for supplier control and monitoring is lacking. Supplier-related risks are not systematically incorporated into the overall IT risk profile, and no timeline has been established for updating key contractual provisions. Furthermore, there is a lack of development and testing of exit plans for all critical suppliers. This may lead to a risk that significant risks associated with external suppliers are not identified or managed in a timely manner. DLR Kredit has been ordered to ensure that the management of third-party risks is adequate [3].
DLR Kredit has deficiencies in the management of IT incidents, including with regard to incident classification. The institution has therefore been ordered to ensure that the management of IT incidents is adequate [4].
DLR Kredit has deficiencies in testing digital operational resilience. The testing program does not cover all relevant systems and critical suppliers, and clear requirements for test types, test frequency, and follow-up are lacking. The method for assessing and managing vulnerabilities is insufficient, and risk assessments of vulnerabilities are not documented. This may lead to a risk that significant vulnerabilities or weaknesses are not identified and managed in a timely manner. DLR Kredit has been ordered to ensure that testing of digital operational resilience is adequate [5].
[1] DORA Art. 6, paragraphs 1-5 and 8, and DORA Art. 9, and RTS 2024/1774 Arts. 1-2, 6, and 27.
[2] DORA Arts. 11-12 and RTS 2024/1774 Art. 26, paragraph 2.
[3] DORA Art. 5, paragraph 3 and Arts. 28-29.
[4] DORA Art. 18, paragraph 1 and RTS 2024/1772.
[5] DORA Arts. 24-25 and RTS 2024/1774 Art. 10.