DORA brings a fundamental change to how financial entities are to document, test and manage their IT risks.
It is no longer simply about cybersecurity and technical resilience, but also about the ability to withstand, detect, respond to and recover from digital incidents. The regulation entered into force in January 2023 and will be enforced from January 17, 2025. The Danish Financial Supervisory Authority (the Danish FSA) has already announced that it will incorporate DORA compliance into future thematic reviews and reviews of functions. Consequently, preparation time is severely restricted.
The organizations’ second and third lines of defense, which must give Management and the board of directors insight, overview and comfort, have a particular responsibility for ensuring that the organization faces the future with full transparency and with action plans that secure full compliance in the area.
A regulation with a broad aim and strict requirements
DORA applies to virtually all financial industry actors. This includes banks, insurance companies, pension companies, investment funds and data centers as well as third-party providers of critical IT services.
The regulation makes specific requirements in five core areas:
- Management of IT risk, including policies, roles, and responsibilities
- Incident management, including detection, classification, and reporting
- Resilience testing, including technical tests and exercises
- Third-party management, including assessment of criticality and contractual terms
- Information sharing, including participation in sharing of threat data.
Many organizations have established part of the above, but far from all entities have a coherent and documented setup that meets the DORA requirements.
What does it mean to the second and third lines of defense?
DORA raises an important question with respect to control functions. Who keeps an eye on whether the organization is actually digitally resilient, and whether it can be documented?
Risk, compliance and internal audit should, already in 2025, be asking the following questions and be able to answer them:
- Has an overall digital risk management policy been established?
- Have all critical IT assets and dependencies been identified?
- Does documentation exist of contingency exercises and restoration tests?
- Are incidents classified and addressed with clear roles and responsibilities?
- Have critical suppliers been identified, and do the contracts meet the requirements?
- Does Management receive actual reports on digital resilience, and do they respond?
Intentions and a formal framework are not sufficient. Authorities seek evidence that an organization is resilient enough to respond if things go wrong.
The Danish FSA and DORA: What should organizations expect?
The Danish FSA has made it very clear that DORA will be a key theme of its supervisory activities from 2025. This applies to inspections, thematic reviews and the ongoing risk assessment.
Already in 2025, many organizations will face questions about status and readiness. The Danish FSA expects organizations to be able to:
- Document IT risk and incident management policies and testing
- Explain governance and roles
- Show the classification of suppliers and the content of their contracts
- Document the execution and results of tests and scenarios
- Verify that reporting and follow-up are genuinely rooted in Management.
The Danish FSA is taking an active part in the European collaboration and will adhere to the joint guidelines issued by the EBA, ESMA, and EIOPA. In addition, Denmark will be responsible for the supervision of critical third-party providers in the Danish market.
What are the consequences of not being ready?
DORA gives authorities a wider range of orders and other responses. Non-compliance may result in:
- Formal orders
- Stricter supervision and higher classification of risk
- Increased capital requirements as a consequence of increased operational risk
- Reputational damage, especially if incidents are not dealt with correctly
- Doubts about Management’s effectiveness and the resilience of the organization
- Fines imposed on critical IT third-party service providers.
In practice, DORA will be used as a yardstick for future incidents and reporting. Failure to integrate the requirements may therefore have a direct impact on operations, management assessment and risk profile.
We help you move forward – without starting from zero
At Atlab FS and Conformance, we work with DORA as a practical extension of the second and third lines of defense teams you have already established. As temporary support, we provide expert knowledge and insights to craft clear, solution-oriented reports for Management, the board, and the audit committee. Moreover, our reports include an assessment of risk, time, and scope, which provides you with a clear overview of the simple and less time-consuming adjustments as well as the major, more complex adjustments.
We will use your existing control and audit framework as our starting point and make a direct connection to the DORA requirements. This enables us to identify gaps quickly, prioritize the most critical areas, and provide you with a concrete picture of what it will take to ensure timely and proportionate compliance. The objective is determined by your risk profile and level of ambition, factoring in your desired resilience, overview, and readiness for a supervisory review.
Our review includes ICT risk management, asset registration, preparedness, incident management, and testing of your recovery setup. We will look at supplier management and contracts, roles and responsibilities in case of incidents, and your ability to document it all, not just in a report, but in practice.
The process is divided into four phases. First, we map your status using a questionnaire (questionnaire app) and targeted interviews. Then, we prepare an overall assessment focusing on risks, measures required, and the effort it will realistically take. Following this, we provide you with concrete initiatives for closing the gaps, both in terms of governance and documentation. Finally, we make sure that Management achieves the overview and reporting needed to gain insight and respond in a timely and secure manner.
Everything will be customized to your organization’s size, risk profile and current maturity level. We build no more than what is needed. But we build enough to make you well-prepared for the Danish FSA’s inspection of your business.