TITLE: Denmark's Financial Supervisory Authority Issues Compliance Orders to AL Sydbank Following Information Technology Inspection
BODY:
On April 17, 2026, the Danish Financial Supervisory Authority (Finanstilsynet) published an inspection report detailing findings from an information technology (IT) inspection of AL Sydbank A/S conducted in autumn 2025. The inspection examined the bank's governance of IT security under the Digital Operational Resilience Act (DORA).
Finanstilsynet identified material deficiencies across multiple areas of IT risk management, determining that AL Sydbank faces elevated IT risk. The authority issued four compliance orders addressing specific governance gaps. First, the bank lacks sufficient IT risk management frameworks, having only implemented a digital operational resilience strategy and consolidated IT risk management framework from late 2025. The bank does not conduct risk assessments of all legacy systems, and board reporting does not adequately convey the bank's overall IT risk profile. Second, AL Sydbank has deficiencies in IT readiness governance, with its IT operational stability policy failing to address material aspects of operational stability. The bank's business continuity and recovery plans lack adequate testing and business impact analysis, creating risk of operational disruptions affecting customers. Third, the bank has not updated all third-party contracts and lacks exit plans for critical suppliers, with no testing of such plans, creating risk of untimely supplier exits. Fourth, AL Sydbank has deficiencies in IT incident management and event classification procedures.
AL Sydbank must address these compliance orders to ensure sufficient governance of IT risk management, IT readiness, third-party risks, and incident management in accordance with DORA Articles 5, 6, 8, 11, 12, 18, 28, and 30, and relevant regulatory technical standards.