Change Management Policy: A Guide for Regulated EU Organisations
Comprehensive guide to change management for regulated EU organisations covering DORA Article 9(4)(e) change management requirements, ISO 27001 A.8.32 control implementation, change advisory board structure, emergency change procedures, and audit trail requirements.
- 1
DORA Article 9(4)(e) mandates formal change management with risk assessment, authorisation, non-production testing where feasible, and comprehensive documentation — this is a binding regulatory obligation for financial entities.
- 2
ISO 27001 A.8.32 extends change management beyond ICT to include process, procedure, and organisational changes that affect information security.
- 3
Implement a tiered change classification (standard, normal, major, emergency) to route changes to proportionate levels of review and approval, preventing the CAB from becoming a bottleneck.
- 4
Emergency changes require a pre-defined procedure with defined criteria, expedited approval authority, minimum real-time documentation, and mandatory retrospective CAB review within 24-48 hours.
- 5
Maintain immutable audit trails for every change from request to closure — supervisory authorities assess process consistency over time, not just current-state compliance.
1. Change Management Fundamentals for Compliance
Change management in the context of regulated EU organisations is not simply an ITIL best practice — it is a regulatory obligation. Uncontrolled changes to ICT systems are a leading cause of service disruptions, security incidents, and data integrity failures. Regulatory frameworks including DORA, NIS2, and ISO 27001 recognise this reality by mandating formal change management processes that ensure changes are assessed, authorised, tested, and documented before implementation. The objective is not to slow down change, but to ensure that changes are deliberate, risk-assessed, and reversible.
A compliant change management process serves four regulatory purposes simultaneously. First, it supports operational resilience by ensuring that changes to critical systems are tested and validated before deployment, reducing the risk of change-induced outages that could trigger NIS2 incident reporting obligations or DORA operational disruption thresholds. Second, it supports security by ensuring that changes are reviewed for security implications before implementation — a code deployment that inadvertently exposes a new attack surface, or a network change that weakens segmentation, would be caught in a properly functioning change review process. Third, it supports auditability by creating a documented record of what changed, when, why, by whom, and with whose authorisation — essential for post-incident root cause analysis and supervisory inspections. Fourth, it supports accountability by establishing clear approval workflows that ensure changes are authorised by individuals with the appropriate knowledge and authority.
For organisations new to formal change management, the investment required is primarily in process design and cultural change rather than technology. While change management tools (ServiceNow, Jira Service Management, or equivalent) are valuable for workflow automation and audit trail maintenance, the core capability is a well-defined process that everyone follows consistently. A simple, well-adopted process produces better outcomes than a sophisticated tool with inconsistent adoption.
2. DORA Article 9(4)(e) Change Management Requirements
DORA establishes change management as an explicit component of the ICT risk management framework. Article 9(4)(e) requires financial entities to implement as part of their ICT security policies and procedures, policies and procedures for ICT change management, including changes to software, systems, and security parameters, that are subject to adequate assessment processes, including prior testing in a non-production environment where feasible. This provision establishes four specific obligations: changes must follow formal policies and procedures, changes must be assessed for risk, changes must be tested before production deployment, and the testing must occur in a non-production environment where feasible.
The European Supervisory Authorities' Regulatory Technical Standards (RTS) on ICT risk management provide additional granularity. The RTS require financial entities to implement change management processes that include: risk assessment of proposed changes proportionate to their impact, authorisation by appropriately qualified personnel, testing of changes in environments that replicate production conditions, rollback procedures for changes that produce unexpected results, and documentation of all changes including the assessment, approval, testing results, and deployment records. The RTS also require that change management processes cover changes made by ICT third-party service providers — you must ensure that your contractual arrangements with critical ICT third-party providers include change management provisions that are compatible with your internal requirements.
For financial entities already operating under EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), DORA represents an evolution rather than a revolution. The EBA Guidelines already required formal change management processes — DORA elevates these requirements from guidelines to binding regulation, adds the explicit requirement for non-production testing, and extends the scope to include ICT third-party provider changes. The key compliance action for existing EBA-regulated entities is to review current change management processes against the DORA RTS requirements and close any gaps, particularly around third-party change management and the documentation of risk assessments for each change.
DORA Article 9(4)(e) explicitly requires testing in a non-production environment 'where feasible'. Document any cases where non-production testing is not feasible, with a risk assessment and compensating controls for those exceptions.
3. ISO 27001 A.8.32 Change Management Control
ISO 27001:2022 Annex A control A.8.32 (Change management) requires that changes to information processing facilities and information systems shall be subject to change management procedures. The control applies to all changes that could affect information security, including changes to applications, systems, infrastructure, network configurations, and security parameters. The ISO 27002:2022 implementation guidance for this control provides detailed expectations: changes should be planned and agreed, impact assessments should consider security implications, changes should be authorised before implementation, changes should be tested and validated, and records should be maintained.
The scope of A.8.32 extends beyond ICT changes to include changes to processes, procedures, and organisational structures that affect information security. A reorganisation that changes reporting lines for the security team, a process change that alters how sensitive data is handled, or a policy change that modifies access control rules all fall within scope. This breadth distinguishes the ISO 27001 change management requirement from the more technically focused DORA requirement — organisations pursuing both DORA and ISO 27001 compliance must ensure their change management process covers both ICT-specific and broader organisational changes.
ISO 27001 audit evidence for A.8.32 compliance should demonstrate: a documented change management policy and procedure, a change register or log showing all changes processed through the procedure, evidence of risk assessment for each change (proportionate to impact), approval records from authorised individuals, testing and validation records, rollback planning for high-impact changes, and post-implementation review records for significant changes. Auditors will typically sample the change register and trace selected entries through the complete lifecycle to verify that the procedure was followed consistently. Inconsistencies between the documented procedure and actual practice — changes deployed without approval, testing records missing, or risk assessments completed retroactively — are common audit findings that indicate process immaturity.
4. Change Advisory Board Structure and Processes
The Change Advisory Board (CAB) is the governance mechanism that ensures changes are reviewed, assessed, and authorised by stakeholders with the collective knowledge to evaluate their impact. The CAB is not a bottleneck — it is a risk management control. A well-structured CAB accelerates safe change by providing a single forum where technical, security, business, and compliance perspectives converge on a change decision. A poorly structured CAB becomes a bureaucratic obstacle that drives teams to circumvent the process, producing exactly the uncontrolled changes that the process exists to prevent.
CAB composition should include: a change manager (chair, responsible for process execution and meeting facilitation), technical representatives from infrastructure, applications, and network teams (to assess technical impact and feasibility), a security representative (to assess security implications and control effectiveness), a business representative (to assess service impact and scheduling constraints), and a compliance or risk representative (to assess regulatory implications, particularly for financial entities under DORA). Not every change requires full CAB review — establish a tiered classification that routes changes to the appropriate level of review. Standard changes with established, pre-approved procedures (such as routine patch deployments or pre-approved configuration templates) can be processed through an automated or delegated approval without CAB review. Normal changes that introduce non-routine modifications proceed through the regular CAB review cycle. Major changes with significant risk, impact, or cost receive enhanced review with additional stakeholders and extended testing requirements.
CAB meeting cadence should align with your deployment rhythm. A weekly CAB meeting is typical for organisations deploying changes on a weekly or bi-weekly cycle. Organisations practising continuous deployment may operate a virtual CAB with asynchronous review and approval workflows, reserving synchronous meetings for major or contested changes. Regardless of the cadence, maintain a structured agenda: review of failed or rolled-back changes from the previous period, assessment of upcoming changes (risk, impact, testing status, rollback plans, scheduling), and post-implementation review of significant changes deployed since the last meeting. Document meeting minutes, attendance, and decisions — this record forms a key part of your change management audit trail.
Implement a tiered change classification (standard, normal, major) to route changes to the appropriate level of review. Pre-approved standard changes can bypass CAB review entirely, reducing overhead without sacrificing governance.
5. Emergency Change Procedures
Emergency changes — changes required urgently to restore service, address a security vulnerability, or prevent imminent harm — require a distinct procedure that balances speed with governance. The emergency change procedure must be explicitly defined in your change management policy, because the worst time to design a process is during an emergency. A clear, pre-agreed emergency procedure ensures that urgent changes are executed with appropriate controls even when normal review timelines cannot be followed.
The emergency change procedure should define: the criteria for classifying a change as an emergency (service outage affecting defined thresholds, active security incident, regulatory mandate with an immediate deadline), the emergency approval authority (who can authorise an emergency change outside normal CAB processes — typically the change manager, on-call senior engineer, or CISO for security-related emergencies), the minimum documentation required at the time of implementation (what is being changed, why it is urgent, who authorised it, and what the rollback procedure is), and the retrospective review requirement (emergency changes must be reviewed by the CAB at the next scheduled meeting, with full documentation completed retrospectively). The retrospective review is non-negotiable — without it, the emergency procedure becomes a standing bypass for the normal process.
For DORA-regulated financial entities, emergency changes must still be documented with sufficient detail to demonstrate compliance with Article 9(4)(e). The ESA RTS do not provide an exemption for emergency changes — they must still be risk-assessed, tested where feasible, and documented. The practical accommodation is timing: the risk assessment and detailed documentation can be completed retrospectively within a defined window (typically 24-48 hours after implementation), but the approval, implementation, and rollback records must be captured in real time. Establish a digital audit trail for emergency changes that automatically timestamps each step: request submission, approval grant, implementation start, implementation completion, validation, and retrospective review closure. This timestamped trail provides the evidence needed to demonstrate that the emergency procedure was followed even under time pressure.
Emergency changes must be retrospectively reviewed by the CAB and fully documented within 24-48 hours. Without this step, the emergency procedure becomes a permanent bypass for the normal change process.
6. Audit Trails and Evidence Management
The audit trail is the evidentiary backbone of change management compliance. Every change processed through your change management system must produce a complete, immutable record that an auditor or supervisory authority can follow from request to closure. The minimum audit trail for each change includes: the change request (description, justification, requester, date), risk assessment (impact analysis, security review, regulatory implications), approval record (approver identity, date, any conditions attached to the approval), testing evidence (test plan, test results, environment used, defects found and resolved), implementation record (implementer identity, date/time, systems affected, steps executed), validation record (post-implementation verification that the change produced the intended result without unintended side effects), and closure record (confirmation of successful implementation or rollback documentation if the change failed).
For DORA-regulated entities, the audit trail has specific additional requirements. The ESA RTS require that change records demonstrate proportionate risk assessment, and that the trail includes evidence of testing in a non-production environment. Where non-production testing is not feasible, the record must document the reason and the alternative risk mitigation applied. For changes implemented by ICT third-party service providers, the entity must maintain records demonstrating that the provider's change followed agreed procedures — this typically requires contractual provisions for change notification and documentation sharing.
Retain change management records for a period aligned with your regulatory requirements and your organisation's audit cycle. DORA does not specify a retention period for change records, but the general principle is to retain records for at least the duration of your audit cycle plus one year — typically five to seven years for financial entities. For NIS2, supervisory authorities may request evidence of change management practices during inspections, and the ability to demonstrate consistent process execution over time is significantly more persuasive than a snapshot of current practice. Store records in an immutable or version-controlled repository (not editable spreadsheets) to ensure integrity. Change management tools with built-in audit logging (ServiceNow, Jira Service Management) provide this capability natively — if you are using manual processes, ensure that records are stored in a system that prevents retrospective modification.
7. Continuous Improvement and Metrics
A mature change management process is not static — it improves continuously based on performance data and operational feedback. Establish a set of key performance indicators that measure both process efficiency and effectiveness. Process efficiency metrics include: change lead time (time from request to implementation), CAB review cycle time, percentage of changes processed on schedule, and percentage of changes requiring rework. Process effectiveness metrics include: change success rate (percentage of changes implemented without unplanned rollback or incident), change-related incident rate (number of incidents caused by changes as a proportion of total changes), emergency change percentage (should remain below 10-15% of total changes — a high percentage indicates either inadequate planning or process avoidance), and post-implementation review completion rate.
Analyse these metrics monthly and present a quarterly summary to the management body or risk committee. Trend analysis is more valuable than point-in-time values: a declining change success rate over three months signals a systemic issue that requires investigation, while a single failed change is an operational event to be reviewed and learned from. Common root causes of change management failures include: inadequate testing (changes that passed testing but fail in production due to environmental differences), incomplete impact assessment (changes that produce unintended side effects in connected systems), and communication gaps (changes that succeed technically but disrupt business processes because stakeholders were not informed).
Use failed changes and change-related incidents as learning opportunities, not blame events. Conduct blameless post-mortems for significant change failures, focusing on process gaps rather than individual errors. Feed the findings back into the change management procedure as improvements — if a class of changes consistently fails due to inadequate testing, strengthen the testing requirements for that class. If emergency changes are increasing as a percentage of total changes, investigate whether the normal process is too slow or restrictive, driving teams to classify routine changes as emergencies to bypass the CAB. A healthy change management culture balances rigour with pragmatism — the process should be thorough enough to prevent uncontrolled risk, but efficient enough that teams use it willingly rather than circumventing it.
Does DORA require a Change Advisory Board?
DORA does not prescribe a specific governance structure such as a CAB — Article 9(4)(e) requires that ICT changes are subject to adequate assessment processes with prior testing. The CAB is a widely adopted mechanism for satisfying this requirement, but the regulatory obligation is outcome-based: changes must be assessed, authorised, and tested by appropriately qualified individuals. Whether you implement this through a formal CAB, an asynchronous peer-review workflow, or automated approval for pre-categorised standard changes is a design choice — what matters is that the assessment process is documented, consistently followed, and produces a defensible audit trail.
How should we handle changes made by third-party ICT providers?
DORA requires financial entities to manage ICT third-party risk, which includes changes made by critical ICT third-party service providers. Your contractual arrangements should include: advance notification requirements for changes affecting your services, documentation of the provider's change management process and its alignment with your requirements, the right to review and approve high-impact changes before implementation, access to change records for audit and supervisory purposes, and incident notification procedures for change-related failures. Monitor provider change management performance through regular service reviews and include change management metrics in your third-party risk assessment.
What percentage of changes should be emergency changes?
In a mature change management programme, emergency changes should represent less than 10-15% of total changes. A higher percentage indicates either that the environment is genuinely unstable (requiring root-cause investigation) or that teams are using the emergency procedure to bypass normal CAB review (requiring process investigation). Track emergency change percentage as a key metric and investigate any sustained increase. Common causes of high emergency change rates include: overly restrictive normal change processes that teams circumvent, inadequate release planning, and environments with high levels of unresolved technical debt that produce frequent urgent fixes.
How long should we retain change management records?
Retain change management records for a minimum of five to seven years for DORA-regulated financial entities, aligned with your regulatory retention obligations and internal audit cycle. For NIS2-scoped entities, no specific retention period is prescribed, but retaining records for at least five years supports supervisory inspection readiness and demonstrates consistent process execution over time. Store records in an immutable or version-controlled system — auditors will question the integrity of records maintained in editable formats such as spreadsheets or word processing documents.
How does change management relate to NIS2 compliance?
NIS2 does not contain a specific change management article equivalent to DORA Article 9(4)(e), but change management is implicitly required by several NIS2 provisions. Article 21(2)(e) requires security in network and information systems acquisition, development, and maintenance — which necessarily includes change management for system modifications. Article 21(2)(b) requires incident handling, and effective change management reduces change-related incidents. Article 21(2)(f) requires policies and procedures for assessing the effectiveness of cybersecurity risk-management measures, which should include assessing whether changes introduce new risks. A formal change management process supports NIS2 compliance across multiple Article 21 categories.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.