ICT Change Management under the Digital Operational Resilience Act (DORA)
APRIL 07, 2026

By Christopher Aquilina - Deputy Head, Supervisory ICT Risk & Cybersecurity, MFSA

The Digital Operational Resilience Act (DORA) is now applicable across Member States’ financial services sectors, with the aim of enhancing the digital operational resilience of the Financial Entities that are in its scope. Effective ICT change management is central to this objective: well‑governed, well‑tested and well‑documented ICT changes reduce the likelihood of incidents whilst ensuring that financial services remain available to their users.

DORA requires Financial Entities to integrate ICT change management into their ICT risk management framework, with clear governance, segregation of duties, and comprehensive record-keeping. Material changes must be assessed for their impact on the Financial Entity’s critical or important functions, tested prior to deployment, and supported by rollback and recovery arrangements. Incident management, reporting and third‑party risk controls must be considered throughout the ICT change lifecycle. Good practice also points towards a structured change workflow (registration, validation, assessment, prioritisation and controlled release) with published milestones, so that ICT changes deliver business value without undermining stability.

Drawing from supervisory insights, where material changes are concerned (e.g. core platform modernisation, cloud migration, payments transformation) the Authority encourages Financial Entities to:

  • Ensure their management body has continuous oversight, with explicit approval of scope, budget and risk tolerance, and maintain separation of duties between approvers and implementers.
  • Define roles and responsibilities from the outset whilst maintaining a detailed timeline and service transition plan aligned with their digital operational resilience strategy.
  • Map affected ICT assets and the critical/important functions they support, whilst assessing risks and controls comprehensively, including for new technologies such as cloud or AI.
  • Apply secure development and environment segregation, limit non‑production data to anonymised or pseudonymised sets and follow the Financial Entity’s project management policy.
  • Operate formal change control to ensure that changes are specified, planned, tested, quality‑assured and approved before go‑live.
  • Establish and test failover and rollback procedures.
  • Integrate incident detection, crisis communications and major incident reporting timelines into the programme, whilst ensuring third‑party providers participate where relevant.

DORA sets standards for planned ICT change management whilst promoting transparency. The Authority encourages Financial Entities to treat material changes as a resilience exercise as much as a delivery one, to be governed from the top, executed securely, and evidenced throughout. Financial Entities are also encouraged to engage early with their supervisory teams, plan realistically, and demonstrate through testing and documentation that financial services will remain safe, reliable and available to the public as change proceeds.