Onur Ozdemir, Partner

IT On-site Inspections (OSIs) have become a central supervisory tool for regulators like the European Central Bank (ECB) and the Commission de Surveillance du Secteur Financier (CSSF), especially as ICT risks and cyber threats continue to rise.

With the Digital Operational Resilience Act (DORA) fully applicable as of January 2025, the supervisory momentum is accelerating. In Luxembourg, the CSSF has been conducting regular IT Risk OSIs, with institutions facing administrative fines for shortcomings in IT governance, IT risk management, outsourcing, and organizational controls.

On-site inspections are intrusive, risk-based, and action-oriented, designed to assess the in-practice effectiveness of ICT governance, cyber resilience, and internal controls. To prepare effectively, organizations must not only document their control environment but also ensure that key stakeholders are audit-ready and that governance structures can withstand supervisory scrutiny.

This is where KPMG brings strategic value – supporting institutions throughout the OSI lifecycle, from pre-inspection preparation and simulation to onsite execution support and post-inspection remediation.

We explain the key focus areas and how you can prepare in this short guide.

Understanding the OSI landscape: what are regulators looking for?

Institutions undergoing an OSI face a multi-week, high-pressure process that tests not only their technical documentation but also their people, decision-making structures, and ability to respond appropriately under scrutiny. It’s not just the scope of the inspection that makes it challenging – it’s the intensity, speed, and depth at which regulators engage.

A typical inspection spans 8 to 12 weeks and involves:

  • Daily coordination across multiple teams
  • 400+ document requests before and during the process
  • 15+ interviews, often with senior management, IT, security, and risk stakeholders
  • A strong focus on effectiveness, not just policies on paper

KPMG’s experience across the EU shows that OSIs are not static – focus areas evolve as findings emerge, and regulators may dig deeper based on responses received. Many institutions are surprised by the operational strain this causes, especially when roles and responsibilities are unclear, or documentation is fragmented.

Regulators assess how the IT function is structured and governed. This includes the clarity of reporting lines, adequacy of staffing and skills, use of third-party providers, and defined roles for IT, security, and continuity, including oversight from the management body.

This is a critical area in which inspectors examine the maturity of internal governance frameworks, risk ownership, and the alignment of IT with business strategy. Key themes include the role of the second line of defense, digital operational resilience strategy, IT budgeting practices, and training and awareness across the organization.

This is often one of the most detailed parts of the review. Inspectors focus on identity and access management (especially privileged access), authentication controls, threat landscape, monitoring activities (e.g. SIEM), vulnerability and patch management, and how well security is embedded in system architecture. DORA-specific cybersecurity questionnaires are also now common.

Attention here is on asset inventory accuracy, architectural governance, and documentation of system interconnections and data flows. Inspections also look for alignment between architecture decisions and approved change roadmaps.

BCP and DRP documentation must be complete, tested, and accessible. Inspectors expect clear governance, regular continuity testing, mapping of critical business processes, and inclusion of third-party providers in planning efforts.

Supervisors pay particular attention to how institutions manage dependencies on external service providers (including the group), especially those delivering critical ICT functions. Reviews typically cover governance over outsourcing arrangements, due diligence and risk assessments prior to onboarding, and continuous monitoring throughout the relationship. Inspectors expect a comprehensive register of third-party and sub-outsourced services, clear contractual clauses addressing data protection, service levels, and termination rights, as well as defined exit and contingency plans.

The end-to-end process: what to expect and how KPMG can help


Phase 1: Preparing for an OSI – setting the tone for a smooth inspection

Each inspection begins with a formal written notice informing the entity of the upcoming supervisory exercise. This notice typically outlines key details such as the number of inspectors assigned, the anticipated timeline, and the logistical arrangements expected such as access to office space, virtual meeting facilities, or secure data exchange channels.

It is then followed by an information request specifying the documentation to be provided. This may include the organizational structure of the IT function, security policies, governance and risk management frameworks, process descriptions, and relevant data extracts.

Enabling clients to navigate this phase effectively

Scope / activities

KPMG helps entities coordinate all key aspects of OSI preparation—assessing compliance readiness, validating risks, and defining a clear roadmap. Support includes awareness-raising, simulation of audit interviews (mock inspections), and argumentation guidance.

What do you get?

Entities benefit from a clear understanding of compliance gaps, targeted quick wins, and greater internal transparency. KPMG also provides PMO support and tailored guidance to prepare for kick-off meetings and key audit areas.

What do we bring with us?

KPMG brings deep regulatory insight, including a database of past findings, peer benchmarks, and real audit questions. Clients receive ready-to-use templates, a do’s and don’ts guide, and expert knowledge on regulatory expectations.

Phase 2: The inspection – coordination, clarity, and control

The inspection phase officially begins with a kick-off meeting, where the supervisory team meets with the institution’s key stakeholders, including members of senior management. This meeting sets the foundation for the review by outlining the scope, timeline, and supervisory expectations.

Once underway, the inspection involves a series of supervisory activities aimed at verifying the design and effectiveness of ICT-related controls. These may include:

  • Interviews with relevant personnel to clarify responsibilities and practices
  • Process walkthroughs to understand how controls operate in real-time
  • Review and validation of submitted documentation
  • Targeted sampling and inspection of evidence
  • Data consistency and integrity checks
  • Evaluation of tools and models used in ICT risk management

Enabling clients to navigate this phase effectively

Scope / activities & tools / methodology

KPMG supports the inspection phase by coordinating logistics, managing daily briefings, validating documentation, and guiding risk-based ambition setting to ensure that the inspection is efficient, well-structured, and risk-oriented.

What do you get?

Entities benefit from hands-on organizational support, streamlined audit office operations, and structured processes that help ensure a more efficient and positive audit outcome.

What do we bring with us?

KPMG provides governance guidance, ongoing external review of audit progress and documentation, and expert technical support throughout the inspection phase.

Phase 3: Remediation – from commitments to compliance

At the conclusion of the inspection, the supervisory team presents a draft report of the main preliminary findings during a closing meeting with the entity. This meeting serves to discuss the factual accuracy and interpretation of the findings before the report is finalized. These findings are typically classified by severity based on their potential impact on the entity’s financial position, risk profile, or regulatory obligations.

Following the meeting, the draft inspection report is sent to the entity for comments within a defined timeframe. After reviewing the entity’s written feedback, the inspection report is finalized. This marks the beginning of the follow-up phase.

In this phase, the institution is expected to submit an action plan detailing the remedial measures, responsibilities, and deadlines. The supervisory authority assesses the adequacy of this plan and determines the follow-up approach, including the frequency and format of progress reporting (for example, written updates or follow-up supervisory meetings). 

Scope / activities

KPMG supports the remediation phase by defining implementation structures, monitoring progress, and assisting with supervisory reporting to ensure findings are addressed effectively and sustainably.

What do you get?

You receive a structured remediation process with quality assurance across all corrective measures and clear communication with the supervisory authority.

What do we bring with us?

KPMG brings proven implementation practices, extensive regulatory experience, and scheduling tools to help entities execute remediation plans efficiently and with accountability.

Facing an OSI? KPMG supports you to prepare, perform, and progress

KPMG will help you prepare for an upcoming IT on-site inspection.

  • Identify key focus areas and assign accountable contacts
  • Conduct compliance readiness assessments and maturity workshops
  • Simulate interviews and train internal teams on best practices
  • Prepare kick-off materials

During the inspection, KPMG helps you stay on track by managing requests, coordinating teams, and ensuring quality in your responses.

  • Set up and manage a centralized audit office
  • Coordinate daily internal briefings and follow-ups
  • Ensure quality and consistency of submitted documentation
  • Track audit status and manage regulator expectations in real time

After the inspection, KPMG supports you in addressing findings and putting long-term solutions in place.

  • Define ambition levels and remediation workstreams
  • Establish governance and reporting structures for follow-up

This article was co-written by Ashish Bedi, Director – Information Risk Management, Jean-Baptiste Damiens, Director – Information Risk Management, Alexander Holsten, Director – Information Risk Management and Amani Ben Slama, Assistant Manager Audit.