EU Regulation 2022/2554, applies since 17 January 2025

DORA sets requirements for the financial sector's digital resilience. Are your IT suppliers ready?

Banks, insurance companies, and investment firms must manage ICT risks, report incidents, and oversee their third-party providers. If you deliver IT services to the financial sector, your customers will demand the same from you.

DORA framework

Five pillars for digital resilience

DORA is built on five pillars. Each pillar has specific requirements, with AmpliFlow tools that support the work.

ICT risk management

Financial entities need a documented framework for identifying, assessing, and managing ICT risks. The framework must be reviewed annually and approved by management.

Tools: Risk assessment, Pages (wiki)

ICT incident reporting

Major ICT incidents must be classified and reported in three stages: initial notification within 4 hours of classification (maximum 24 hours after detection), intermediate report within 72 hours, and final report within one month. This requires processes for capturing, categorising, and escalating incidents.

Tools: Deviation management

Resilience testing

Annual basic testing of ICT systems for all entities. Significant entities must also conduct Threat-Led Penetration Testing (TLPT) every three years.

Tools: Audit management

Third-party risk management

Complete register of all ICT third-party providers. Risk assessment, concentration risk analysis, and documented exit strategies.

Tools: Supplier register, Risk assessment

Information sharing

Voluntary arrangements for sharing threat information between financial entities. Strengthens the collective resilience of the sector.

Tools: Pages (wiki)

The third-party cascade

Financial institutions must manage their ICT suppliers. That affects you.

DORA requires banks and insurance companies to maintain registers of all ICT third-party providers, assess concentration risks, and have documented exit strategies. If you sell software or IT services to the financial sector, your customers will require you to demonstrate security controls, incident handling processes, and documented risk management.

Regulated by DORA: bank / insurance company → sets requirements for → ICT supplier → must demonstrate → documented governance

Supplier register

Your customers must maintain a register of all ICT third-party providers with risk assessments, contract information, and dependencies.

Concentration risk

Financial entities must assess whether they are too dependent on a single ICT supplier. You need to demonstrate that you mitigate that risk.

Exit strategies

Your customers must have documented exit strategies for all critical ICT suppliers. This affects how you structure your services.

Security controls

You need to demonstrate how you handle incidents, assess risks, and protect data, in a structured and documented way.

Comparison

DORA and NIS2: not the same thing

DORA and NIS2 overlap partially, but they differ in scope, detail, and legal status. DORA takes precedence for financial entities.

Aspect: DORA / NIS2

Type
  DORA: Regulation (directly applicable)
  NIS2: Directive, transposed in Sweden as the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506)

Scope
  DORA: Financial sector: banks, insurance, securities, crypto
  NIS2: Broad sectors: energy, transport, health, digital infrastructure

Focus
  DORA: Digital operational resilience and ICT risks
  NIS2: Overall cybersecurity and network security

Third parties
  DORA: Detailed requirements: ICT provider register, concentration risk, exit strategies
  NIS2: Basic supply chain security requirements

Testing
  DORA: Mandatory TLPT every three years for significant entities
  NIS2: No specific testing requirements

Relation
  DORA: Lex specialis: takes precedence for financial entities. The Cybersecurity Act explicitly excludes DORA-covered entities (1 kap. 10 §)
  NIS2: General legislation: DORA overrides where they overlap

Tools

How AmpliFlow supports each pillar

AmpliFlow handles organisational governance, not technical security solutions. Here are concrete tools mapped to DORA's pillars.

Pillar 1

Risk assessment with risk matrices

Assess ICT risks by likelihood and impact. Link risks to assets and actions. If you already work with ISO 27001, you have a foundation for DORA compliance.

Pillar 1

Pages (wiki) for ICT policies

Centralise framework documentation, policies, and procedures in AmpliFlow's wiki feature. Management can review and comment directly in the system.

Pillar 2

Incident management via deviations

Register ICT incidents with classification and prioritisation. Workflow for root cause analysis, action, and verification. Full traceability for reporting to supervisory authorities.

Pillar 3

Audit planning and follow-up

Plan and schedule testing activities and reviews of ICT processes. Document findings, deviations, and improvement actions.

Pillar 4

Supplier register

Register of ICT third-party providers with contact information. Document dependencies and exit strategies in Pages (wiki). Risk assessments are handled separately in the risk module.

Pillar 4

Process management and continuity

Map business-critical processes and their dependencies on ICT systems and third-party providers. Document continuity plans in Pages (wiki), and use checklists for exercises.

FAQ

Questions about DORA and AmpliFlow

What is DORA?

DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554. It sets requirements for digital operational resilience in the financial sector: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. Penalties are determined by each Member State but must be effective, proportionate, and dissuasive. DORA covers 21 types of financial entities. Unlike a directive, DORA applies directly in all EU member states without national legislation.

Who must comply?

DORA applies to banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, credit rating agencies, crowdfunding platforms, and more. It also covers ICT third-party service providers that supply services to these entities, for example cloud providers and SaaS vendors.

Do all requirements apply to everyone?

No. DORA applies a proportionality principle (Article 4). Requirements are adapted to the size, risk profile, and complexity of the entity. Microenterprises have simplified ICT risk management requirements. Threat-Led Penetration Testing (TLPT) is only required of significant entities identified by the supervisory authority. However, the baseline requirements for risk management, incident reporting, and third-party management apply to all.

How does DORA differ from NIS2 and the Cybersecurity Act?

DORA is lex specialis: a regulation specific to the financial sector that takes precedence over NIS2 where they overlap. In Sweden, NIS2 is transposed as the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506), which explicitly excludes DORA-covered financial entities (1 kap. 10 §). DORA sets more detailed requirements for ICT third-party registers, Threat-Led Penetration Testing (TLPT), and specific incident reporting to financial supervisory authorities.

What does DORA mean for ICT suppliers?

Financial entities must assess their ICT suppliers, document dependencies, and have exit strategies. This means that if you are an ICT supplier to a bank or insurance company, your customer will require you to demonstrate your security controls, risk management, and incident handling processes. Critical ICT suppliers are additionally subject to direct oversight by European Supervisory Authorities.

How does AmpliFlow support DORA compliance?

AmpliFlow is a management system that handles organisational governance: risk assessment with risk matrices, incident management via the deviation process, Pages (wiki) for policies and frameworks, supplier register for contact information, and audit planning. AmpliFlow does not replace technical tools such as SIEM systems or penetration testing tools, but structures the work that DORA requires.

How does ISO 27001 help with DORA?

ISO 27001 provides a strong foundation: risk assessment, policies, incident management, and supplier governance overlap with DORA. But DORA sets additional requirements: specific ICT third-party registers, mandatory resilience testing, and reporting to financial supervisory authorities. Having ISO 27001 in place gives you a head start.

Get started

Want to see how it works?

Book a demo and we'll show you how AmpliFlow can support your DORA work, whether you're a financial entity or an ICT supplier to the financial sector.