Application of DORA has started – FIN-FSA to focus on the management of ICT risks and cyber-threats in its supervision

The Regulation of the European Parliament on digital operational resilience for the financial sector entered into force on 17 January 2023 and applies from 17 January 2025. DORA (Digital Operational Reliability Act) applies extensively to financial market participants in the EU, such as banks, insurance companies, investment firms and ICT companies providing services to them. In its supervision, the FIN-FSA will focus on the management of supervised entities’ ICT and information security risks, the ICT incident reporting process and the supervision of ICT providers’ risk management. 

– DORA introduces uniform and transparent rules for the financial sector which are necessary to ensure that institutions in the sector can effectively identify, address and prevent various digital threats. In the current global situation, these threats are very real, states Samu Kurri, Head of Department.

All entities within the scope of application of the Regulation will have a new requirement to report annual costs caused by ICT-related incidents. The Regulation also enables the voluntary exchange of information on cyber threats between supervised entities and the reporting of cyber threats to the supervisory authority. Furthermore, supervised entities are obliged to submit a register of ICT contracts to the FIN-FSA on an annual basis. 

The FIN-FSA has obliged the most significant supervised entities to perform threat-led penetration tests at regular intervals. 

– For instance significant banks, the stock exchange and the central securities depository are directly compelled by DORA to perform these threat-led data security tests. However, we have also obliged smaller banks and insurance-sector participants to engage in these tests in Finland. By doing so, we foster the achievement of cyber security in the financial sector on an extensive scale, says Kurri.

In Finland, DORA applies to over 400 supervised entities. There is no transitional period for the application of the Regulation, which means that the requirements must be complied with from 17 January 2025.

See also

Regulation on the digital operational resilience of the financial sector – DORA (in Finnish)

For further information, please contact

Samu Kurri, Head of Department. Requests for interviews are coordinated by FIN-FSA Communications, tel. +358 9 183 5030 (weekdays 9.00–16.00).