The purpose of the study is to assess whether the government has adequate contingency plans for 12 selected critical IT systems to ensure that the public sector can sustain critical public services in the event of major IT incidents. The report answers the following questions:
- Does the government have an adequate basis for developing contingency plans for the selected critical IT systems?
- Has the government developed satisfactory crisis management plans for the selected critical IT systems?
- Has the government developed satisfactory emergency plans for the selected critical IT systems?
- Has the government ensured that satisfactory disaster recovery plans have been developed for the selected critical IT systems?
Rigsrevisionen assesses that the contingency plans developed by the Ministry of the Interior and Health for its critical IT system are generally satisfactory. Although affected by shortcomings, the quality of parts of the contingency plans developed by the Danish Business Authority is mainly satisfactory, as are the contingency plans for the Danish Maritime Authority’s four critical IT systems. The contingency plans for the remaining seven critical IT systems are not satisfactory. Five IT systems (systems C, D, E, F and G) are particularly inadequate. Shortcomings and inadequacies in contingency plans entail a risk of system breakdowns and data losses that may make it impossible for the government or severely disrupt its ability to perform tasks critical to society.
Rigsrevisionen took the initiative to do the study in February 2023.
Read the introduction and conclusion (PDF)