
The Danish Financial Supervisory Authority is preparing for the first DORA inspections

The Danish Financial Supervisory Authority will soon carry out the first inspections to assess how financial institutions have complied with the new requirements of the DORA regulation.

17 March 2025

Now the work truly begins. The Danish Financial Supervisory Authority is preparing for its first inspections under the Digital Operational Resilience Act (DORA), which came into force on 17 January this year.

The financial services companies that face the most far-reaching consequences of a digital security breach – so-called systemically important financial institutions – will be the first to be scrutinised.

This could include the largest banks, data centres or other critical financial institutions. However, as a general rule, all financial services companies and a number of other types of company are covered by DORA.

"Now we will see how the rules are complied with in practice," says Adam Al-Saffar, the Danish Financial Supervisory Authority's head of IT supervision.

He explains that since some DORA elements are still very new, focus will initially be on whether companies have at least complied with the rules and whether they have identified areas of improvement. 

"It's a new framework, and some parts have been added late in the process. But the rules also reflect proportionality – the requirements depend on the size and complexity of a company. The important thing is that you have taken a position."

Risk-based approach

Adam Al-Saffar also points out that companies that have been accustomed to working with the IT security rules of the Danish executive order on management have a good starting point for working with DORA. 

While the Danish Financial Supervisory Authority will start with some of the systemically important companies, it has not yet decided whom it will visit next. That will be the next phase of the overall DORA supervisory work, he says.

“At the moment, we are planning how to go about it. The next step is to initiate the inspection process. We are following our usual inspection plans, which take a risk-based approach.”


New requirements, new inspections

With DORA, the EU is introducing stricter requirements for financial services companies' IT risk management, incident reporting and third-party management.

The new rules imply, among other things, that companies must be able to document their digital resilience, and that IT security is now to a greater extent a management responsibility.

This has only become more relevant in the geopolitical situation that Europe finds itself in.  

"We are seeing an increase in both the threat landscape and the financial sector's dependence on IT. No IT, no bank. The greater the risk, the more important it is to make it a priority at management level. DORA helps ensure that proper attention is paid to cybersecurity," says Adam Al-Saffar.

One of the major changes brought about by DORA is uniform incident reporting, according to which all financial services companies must now report IT incidents – e.g. hacker attacks or a breakdown – in a joint format.

This should make it easier to analyse cyber threats across the EU and, in the long term, be used proactively in digital defence.

“The new incident reporting procedure provides us with an overview of the trends of the entire sector – what threats companies are facing and how we best respond.”

A major task for the financial sector

With DORA, the EU has imposed a significantly larger number of compliance tasks on the sector.

According to a 2024 McKinsey analysis, leading financial institutions and IT service providers in the EU had spent between 5 and 15 million euros on their DORA programmes – and the total costs of implementation were estimated to end up being up to 10 times higher.

At the time, 40 per cent of the companies asked were reported to have allocated more than seven full-time employees to perform DORA work, and a major financial institution estimated back then that it could cost almost EUR 100 million to fully comply with all DORA requirements.

In addition, several respondents reported having had doubts about whether they would be able to meet the requirements before the launch in January 2025.

Adam Al-Saffar acknowledges that parts of DORA are complex.
"It's a big task. The rules are written in regulatory language which is not always completely clear, and interpretations are still outstanding," he explains and continues:

"Previously, we could determine how to interpret the national rules – now such interpretation lies centrally with the EU, but we will of course work to ensure that the rules work well in practice in Denmark."

What is DORA?

DORA (Digital Operational Resilience Act) is an EU regulation that is aimed at harmonising IT security requirements in the financial sector.
The purpose is to ensure high and common standards of digital resilience in all EU countries.

DORA entered into force on 16 January 2023 and was applicable from 17 January 2025.

The rules include cyber risk management, incident reporting and third-party management.

Register of Information (ROI): A challenge for many

In particular, the much-discussed part of DORA, the Register of Information (ROI), has posed challenges.

Under the ROI requirement, companies must report comprehensive data on their outsourcing agreements by 31 March.
This has raised a lot of questions, because it is not just a continuation of previous rules. It is a completely new way of reporting and a much more detailed form of registration that many have had to make sense of.

“We have answered the questions we could, but much has also had to be clarified at EU level to ensure a uniform interpretation,” Adam Al-Saffar discloses.

The questions concerned, for instance, how the new requirements are in fact to be interpreted and how data should be structured.

"A good tool"

Nonetheless, the Danish companies subject to DORA must now by 31 March upload data about their outsourcing agreements, including detailed information about suppliers and contractual matters, to the Danish Financial Supervisory Authority.

The Danish Financial Supervisory Authority must then forward the register information to the EU supervisory authorities (ESAs), which will designate critical suppliers at EU level and monitor them.

Overall, this should give both Denmark and the EU an understanding of which suppliers the financial companies depend on and which, for example, need to be monitored. The complex reporting therefore serves a purpose, the head of division explains.

"The goal is for it to become a tool that will increase the level of understanding for the individual and in the sector," he says.

"This provides us with an overview of the supplier landscape – not only in Denmark, but throughout the EU. We see which suppliers are critical and how they impact financial services companies across countries."


Data centres play a key role

Although large banks and data centres have more resources for handling the new extensive compliance tasks, Adam Al-Saffar points out that the new EU legislation contains a principle of proportionality.

This means that the requirements are to a certain extent also adapted to the size, risk profile and complexity of the individual company.

In addition, many of the small banks and financial institutions will be able to rely on the data centres, he says.

"The data centres handle a lot of the work, but that doesn't relieve small banks of responsibility. They still need to be in control of their governance and IT risk management. We would like to see small banks take an active stance with respect to their IT security, even if they outsource much of their operations."

Inspections on the way

The DORA inspections are also a new task for the Danish Financial Supervisory Authority to embark on. Adam Al-Saffar points out that the supervisory authority will attach importance to whether each company has assessed its own risk profile and made the necessary adjustments.

"We expect companies to be able to document how they have thought through their IT risks – and not just copied a standard solution," he explains.

The Danish Financial Supervisory Authority has not yet set the dates for its first DORA inspections, but the process will follow a risk-based approach, with the most critical actors being examined first.

"We are already receiving ongoing reports from companies about incidents and outsourcing. We use that data in our risk assessment of where we should intervene," he explains.

The inspections will likely result in reports and possibly in orders imposed on the companies.
