Labs Support
EN SV
EU Regulation 2022/2554, applies since 17 January 2025

DORA sets requirements for the financial sector's digital resilience. Are your IT suppliers ready?

Banks, insurance companies, and investment firms must manage ICT risks, report incidents, and oversee their third-party providers. If you deliver IT services to the financial sector, your customers will demand the same from you.

Book a demo DORA's five pillars
DORA framework

Five pillars for digital resilience

DORA is built on five pillars. Each pillar has specific requirements, with AmpliFlow tools that support the work.

ICT risk management

Financial entities need a documented framework for identifying, assessing, and managing ICT risks. The framework must be reviewed annually and approved by management.

Risk assessmentPages (wiki)

ICT incident reporting

Major ICT incidents must be classified and reported in three stages: initial notification within 4 hours of classification (maximum 24 hours after detection), intermediate report within 72 hours, and final report within one month. This requires processes for capturing, categorising, and escalating.

Deviation management

Resilience testing

Annual basic testing of ICT systems for all entities. Significant entities must also conduct Threat-Led Penetration Testing (TLPT) every three years.

Audit management

Third-party risk management

Complete register of all ICT third-party providers. Risk assessment, concentration risk analysis, and documented exit strategies.

Supplier registerRisk assessment

Information sharing

Voluntary arrangements for sharing threat information between financial entities. Strengthens the collective resilience of the sector.

Pages (wiki)
The third-party cascade

Financial institutions must manage their ICT suppliers. That affects you.

DORA requires banks and insurance companies to maintain registers of all ICT third-party providers, assess concentration risks, and have documented exit strategies. If you sell software or IT services to the financial sector, your customers will require you to demonstrate security controls, incident handling processes, and documented risk management.

Regulated by DORA

Bank / Insurance company

Sets requirements for

ICT supplier

Must demonstrate

Documented governance

Supplier register

Your customers must maintain a register of all ICT third-party providers with risk assessments, contract information, and dependencies.

Concentration risk

Financial entities must assess whether they are too dependent on a single ICT supplier. You need to demonstrate that you mitigate that risk.

Exit strategies

Your customers must have documented exit strategies for all critical ICT suppliers. This affects how you structure your services.

Security controls

You need to demonstrate how you handle incidents, assess risks, and protect data, in a structured and documented way.

Comparison

DORA and NIS2: not the same thing

DORA and NIS2 overlap partially, but they differ in scope, detail, and legal status. DORA takes precedence for financial entities.

Aspect DORA NIS2
Type Regulation (directly applicable) Directive, transposed in Sweden as the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506)
Scope Financial sector: banks, insurance, securities, crypto Broad sectors: energy, transport, health, digital infrastructure
Focus Digital operational resilience and ICT risks Overall cybersecurity and network security
Third parties Detailed requirements: ICT provider register, concentration risk, exit strategies Basic supply chain security requirements
Testing Mandatory TLPT every three years for significant entities No specific testing requirements
Relation Lex specialis: takes precedence for financial entities General legislation: the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506) explicitly excludes DORA-covered financial entities (1 kap. 10 §)
Tools

How AmpliFlow supports each pillar

AmpliFlow handles organisational governance, not technical security solutions. Here are concrete tools mapped to DORA's pillars.

1 Pillar 1

Risk assessment with risk matrices

Assess ICT risks by likelihood and impact. Link risks to assets and actions. If you already work with ISO 27001, you have a foundation for DORA compliance.

1 Pillar 1

Pages (wiki) for ICT policies

Centralise framework documentation, policies, and procedures in AmpliFlow's wiki feature. Management can review and comment directly in the system.

2 Pillar 2

Incident management via deviations

Register ICT incidents with classification and prioritisation. Workflow for root cause analysis, action, and verification. Full traceability for reporting to supervisory authorities.

3 Pillar 3

Audit planning and follow-up

Plan and schedule testing activities and reviews of ICT processes. Document findings, deviations, and improvement actions.

4 Pillar 4

Supplier register

Register of ICT third-party providers with contact information. Document dependencies and exit strategies in Pages (wiki). Risk assessments are handled separately in the risk module.

4 Pillar 4

Process management and continuity

Map business-critical processes and their dependencies on ICT systems and third-party providers. Document continuity plans in Pages (wiki), use checklists for exercises.

Related

Explore more

ISO 27001

International standard for information security

NIS2 Directive

The EU's broader cybersecurity directive

Supplier Management

Manage third-party providers in AmpliFlow

Risk Management

Risk matrices and risk assessments
FAQ

Questions about DORA and AmpliFlow

What is DORA?
DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554. It sets requirements for digital operational resilience in the financial sector: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. Penalties are determined by each Member State but must be effective, proportionate, and dissuasive. DORA covers 21 types of financial entities. Unlike a directive, DORA applies directly in all EU member states without national legislation.
Who must comply?
DORA applies to banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, credit rating agencies, crowdfunding platforms, and more. It also covers ICT third-party service providers that supply services to these entities, for example cloud providers and SaaS vendors.
Do all requirements apply to everyone?
No. DORA applies a proportionality principle (Article 4). Requirements are adapted to the size, risk profile, and complexity of the entity. Microenterprises have simplified ICT risk management requirements. Threat-Led Penetration Testing (TLPT) is only required of significant entities identified by the supervisory authority. However, the baseline requirements for risk management, incident reporting, and third-party management apply to all.
How does DORA differ from NIS2 and the Cybersecurity Act?
DORA is lex specialis: a regulation specific to the financial sector that takes precedence over NIS2 where they overlap. In Sweden, NIS2 is transposed as the Cybersecurity Act (cybersäkerhetslagen, SFS 2025:1506), which explicitly excludes DORA-covered financial entities (1 kap. 10 §). DORA sets more detailed requirements for ICT third-party registers, Threat-Led Penetration Testing (TLPT), and specific incident reporting to financial supervisory authorities.
What does DORA mean for ICT suppliers?
Financial entities must assess their ICT suppliers, document dependencies, and have exit strategies. This means that if you are an ICT supplier to a bank or insurance company, your customer will require you to demonstrate your security controls, risk management, and incident handling processes. Critical ICT suppliers are additionally subject to direct oversight by European Supervisory Authorities.
How does AmpliFlow support DORA compliance?
AmpliFlow is the platform where you run your organisational governance: risk assessment with risk matrices, incident management via the deviation process, pages (wiki) for policies and frameworks, a supplier register, and audit planning. AmpliFlow does not replace technical tools such as SIEM systems or penetration testing tools, but it is where you keep your governance work in order for DORA.
How does ISO 27001 help with DORA?
ISO 27001 provides a strong foundation: risk assessment, policies, incident management, and supplier governance overlap with DORA. But DORA sets additional requirements: specific ICT third-party registers, mandatory resilience testing, and reporting to financial supervisory authorities. Having ISO 27001 in place gives you a head start.
Get started

Want to see how it works?

Book a demo and we'll show you how AmpliFlow can support your DORA work, whether you're a financial entity or an ICT supplier to the financial sector.