
Governance: Supervision of IT risk management


Financial institutions and pension funds operating in the Netherlands are obliged to comply with the prevailing financial supervision legislation.

Published: 15 May 2014

Institutions use IT as part of their business operations. Financial supervision legislation requires institutions to manage IT risks adequately. Taking their own circumstances into account and based on in-house analysis, institutions are responsible for designing and implementing an adequate system for managing IT risks. DNB's supervision of institutions' IT risk management is principle-based and, among other things, assumes that institutions comply with generally accepted standards (good practices) when managing IT risks. These standards should preferably also be in line with the sector and the specific conditions of the financial institution in question.

In its Open Book on Supervision and its Newsletters, DNB has published information that may help institutions design and implement IT risk management systems that comply with the legal requirements. The information relates to specific areas of the total IT risk spectrum that are relevant to financial institutions. Given the principle-based approach of IT supervision, this information is intended as guidance and is non-obligatory. It provides insight into the practical behaviour DNB observes and expects. The information is indicative and does not rule out that some institutions may require a non-standard, possibly stricter, application of the underlying rules. Institutions are free to use this information as they see fit.

It should be noted that the final DORA Regulation (EU Regulation 2022/2554, EUR-Lex document 32022R2554) was published in December 2022. Once it applies, this regulation sets detailed requirements for the management of IT risks.

DNB publications are available for specific sections of the IT risk management environment.
