The Digital Operational Resilience Act (DORA) is a recent European Union (EU) regulation that officially took effect on the 17th of January 2025.
The act is relevant specifically to the financial services sector, outlining 5 key areas for which in-scope entities must meet a minimum acceptable security standard. By doing so, DORA seeks to bolster cyber defences across Europe’s critical financial organisations and ensure risk management and resilience play a key role in internal processes.
The in-scope entities are as follows:
- Credit Institutions
- Management Companies
- Payment Institutions
- Data Reporting Service Providers
- Account Information Service Providers
- Insurance and Reinsurance Undertakings
- Institutions for Occupational Retirement Provision
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries
- Investment Firms
- Electronic Money Institutions
- Crypto-Asset Service Providers
- Credit Rating Agencies
- Central Securities Depositories
- Administrators of Critical Benchmarks
- Central Counterparties
- Crowdfunding Service Providers
- Trading Venues
- Securitisation Repositories
- Trade Repositories
- ICT Third-Party Service Providers
- Managers of Alternative Investment Funds
While the EU is responsible for outlining the requirements of DORA, each member state has a part to play in identifying their own competent authorities, setting out any country-specific fines, and providing mechanisms through which in-scope entities can register their information and report incidents.
Under DORA, many in-scope entities will have to carefully review and update their processes surrounding IT risk management, third-party IT providers, and reporting obligations, adhering to the specific and prescriptive requirements laid out in the regulation. This article will help organisations navigate these changes by setting out the need-to-know information for a few key jurisdictions and outlining their competent authorities and key country-specific information.
Definitions
Competent Authorities: Designated national bodies that hold the required supervisory, sanctioning, and investigative powers to oversee and enforce the regulation at hand.
Fines/Sanctions: A form of financial penalty that may be imposed upon an entity for non-compliance with the regulation.
United Kingdom
While the United Kingdom (UK) is no longer under the direct jurisdiction of the EU, any financial services sector organisation currently providing services in the EU will fall within the scope of the legislation and may be required to adhere to the regulation. Additionally, any IT-related service providers will be required to adhere to the regulation upon entering a contract with a financial entity under the remit of DORA.
The first step for UK financial entities and ICT service providers is to establish whether they fall under the scope of DORA through any operations within the EU. Even if current operations do not merit adherence, it is advisable to use EU regulations such as DORA, NIS2, and GDPR as best practice standards, and seek to review risk management practices frequently to uphold high standards of digital operational resilience.
If you are a UK-based company providing financial services in the EU, make sure you consider the following:
- Ensure understanding of the regulation requirements – To achieve adherence to the 5 components, each entity must demonstrate a robust information and communication technologies (ICT) risk management framework, incident management processes, information sharing procedures, and thorough ICT third-party (supply chain) oversight practices.
- Identify your regions of operation in the EU – This is to understand which competent authorities you may have to report to and to identify any country-specific legislation that may come into play (for example, fine amounts or criminal penalties).
If you are a UK-based ICT-related services provider contracted by entities in scope of DORA, you may want to consider the following:
- Are you a critical provider? – If you are identified as a critical entity at a Union level, you should be notified by the relevant ESAs/committees. In some cases, you may be required to establish a subsidiary in the Union following the designation.
- Prepare for regular review – Under DORA, ICT services supporting critical or important functions may be subject to contractual arrangements that give the financial entity the right to monitor their performance. This could include document-based or onsite audits and inspections.
- Understand your contractual relationship – Under DORA, financial entities must ensure more stringent contractual arrangements with their ICT service providers. This means the compulsory inclusion of certain terms, including the circumstances under which they may terminate the contract.
France
As part of the EU, entities in France will have to comply with DORA. The nominated competent authority has been identified as the ACPR, which is the French Prudential Supervisory and Resolution Authority. Under the supervision of the Banque de France, the ACPR is responsible for overseeing the banking and insurance sectors in France to maintain financial stability.
The ACPR has published several supplementary documents to address and advise on certain DORA components.
Entities required to report to the ACPR under DORA should use the OneGate portal operated by the competent authority. Via this portal, organisations can submit and maintain their registers of information, which are due in France before the 15th of April 2025. Reporting of any security or ICT incidents under the remit of DORA must also be submitted to the ACPR via the OneGate portal.
Germany
Within Germany, the competent authorities for DORA have been identified as BaFin (the German Federal Financial Supervisory Authority) and the Bundesbank. Communications from BaFin note that more than 3,600 companies in Germany will be required to implement DORA.
Financial entities in Germany must submit their registers of information about ICT third-party service providers to BaFin. This is also the case for any incident notifications that need to be submitted, regardless of whether the incident is attributable to the financial entity or one of its service providers. All submissions to BaFin should go through its Reporting and Publishing (MVP) Portal.
Image Source: BaFin diagram
Ireland
For entities in Ireland, the competent authority has been identified as the Central Bank of Ireland.
Financial organisations in scope of DORA will have to submit any required registers of information to the Central Bank of Ireland by close of business on the 4th of April 2025. The Central Bank said that it will assess performance based on “the quality of their approach, and their ongoing track record of the timely closing of any gaps”.
The Central Bank stated that it expects financial entities to “prioritize the implementation of an ICT incident management process to detect, manage and to notify stakeholders of ICT incidents including identifying their root causes.” Major ICT-related incidents and significant cyber threat reports can be submitted on the Central Bank of Ireland portal.
The Nordics
Denmark: The Danish competent authority is the Financial Supervisory Authority (FSA). Organisations are expected to submit reports of any IT-related incidents via a portal provided on the FSA’s website. Registers of information and contracts related to IT third-party suppliers must be submitted to the FSA before the end of March.
Finland: In Finland, DORA applies to more than 400 supervised entities. The competent authority has been identified as the FIN-FSA, otherwise known as the Finanssivalvonta. The FIN-FSA has provided an incident reporting form on its website, with a section for supervised entities regulated by DORA.
Norway: While Norway is not a member of the EU, it is a member of the European Economic Area (EEA). As such, it is aiming to align itself to the DORA regulation and is advising institutions to prepare for DORA to take effect in Norway in 2025. The supervisory authority in Norway will be the Finanstilsynet (Norwegian Financial Supervisory Authority), which has provided a number of steps that can be taken to prepare in its 2024 risk and vulnerability analysis report.
Sweden: In Sweden, the competent authority is the Finansinspektionen (Swedish Financial Supervisory Authority). Reporting of incidents in relation to DORA requirements can be submitted through the Fidac online portal, which is where Sweden collects all national and EU-related data collections. Previous reporting under PSD2 will be removed from the portal and replaced with DORA submissions from January 2025.
How Turnkey can help you manage DORA requirements
No matter which EU country you operate in, responding to DORA requires a multifaceted approach, embracing a range of specialisms and creating harmony between different teams across your organisation.
Turnkey can help you achieve seamless DORA compliance by leveraging our extensive experience in security, risk, controls, and identity to right-size your organisation’s response to DORA’s five key pillars. This support could include:
- Maturity Assessment: We’ll perform cybersecurity and/or internal controls maturity assessments against your existing IT risk management frameworks, creating a customised improvement plan that outlines your organisation’s critical content and process gaps.
- Risk and control design and deployment: Applying our extensive knowledge of best practice and business processes, we’ll design and deploy bespoke risk and controls and support your business through the change, as needed.
- Managed service support: If ongoing support is what you require, our Bedrock Managed Service offers ongoing control operations and independent assurance activities.
- Remediation projects: We can support your identity, access governance, and internal controls challenges by remediating any elements of your processes that don’t align with DORA.
- Process, policy and documentation development: Having the right documentation in place helps ensure consistent behaviours and set best practice expectations. We can empower your organisation by developing or improving documentation surrounding controls, sensitive access, cyber awareness or security.
- Risk management tooling selection and deployment: We can help you identify and leverage the most appropriate risk management tooling to increase efficiency, centralise processes, and drive automation throughout your business.
Get in touch with the Turnkey team today to discuss the specifics of your DORA compliance project.