DORA: Digital Operational Resilience — New Requirements for Swedish Financial Sector
Stockholm, May 10, 2026 — The EU regulation DORA (Digital Operational Resilience Act) came into force on January 28, 2025, and sets new, stringent requirements for ICT risk management and digital resilience for financial sector actors. For Swedish payment companies, this means significant changes in how risks are managed and incidents are reported.
What is DORA?
DORA (EU) 2022/2554 is an EU regulation that applies to almost all companies under the supervision of the Swedish Financial Inspectorate (FI). The regulation is supplemented by technical standards from EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority).
The purpose of the regulation is to strengthen the financial sector's ability to manage digital risks and ensure continuity in critical financial services.
Key Requirements Under DORA
DORA introduces four central requirements that affect Swedish payment companies:
- ICT Risk Management: Systematic identification, assessment and management of ICT-related risks
- Incident Reporting: Obligation to report serious incidents to supervisory authorities within 72 hours
- Digital Resilience Testing: Regular testing of resilience against cyber threats and technical disruptions
- Third-Party ICT Risk Management: Specific requirements for risk management when using external ICT service providers
Impact on Swedish Payment Companies
For Sweden's payment sector, DORA brings several specific challenges and opportunities:
Trustly and E-wallets
Trustly, a leading player in direct payments in Europe, must adapt its platform to meet DORA's requirements for incident reporting and testing. Companies offering e-wallets like Swish, Zimpler and Klarna Cash must also implement the new security requirements.
The requirement for managing third-party risks is particularly important, as many payment companies depend on technology from external providers.
BankID Providers
BankID providers, including Swedish E-identity, face particularly high requirements as e-identifications are considered critical infrastructure. DORA's requirements for digital resilience and incident management have direct implications for the security of Sweden's payment systems.
FI's Report on Preparedness
The Financial Inspectorate recently published a report on how Swedish financial companies are preparing for DORA. The report shows that most companies are on the right track, but there is room for improvement, especially regarding:
- Incident management processes
- Third-party risk management
- Regular resilience testing
Connection to PSD3 and PSR
The implementation of DORA occurs alongside the EU's work on PSD3 (Payment Services Directive 3) and PSR (Payment System Regulation). Together, these regulations create a new framework for European payments with a focus on:
- Enhanced consumer protection
- Stricter fraud prevention
- Standardized APIs
- Shared responsibility for fraud
The increased regulatory burden places high demands on Swedish payment companies' technical and organizational capabilities to meet requirements.
Technical Challenges
The technical challenges of DORA include:
- Incident Detection: Systems for quickly detecting and reporting incidents
- Risk Mapping: Tools for systematically identifying ICT-related risks
- Testing: Automated tools for testing resilience against cyber attacks
- Third-Party Monitoring: Systems for managing risks from external providers
Company Strategies for Compliance
Swedish payment companies must now adapt their strategies to meet DORA's requirements. This includes:
- Revision of Risk Frameworks: Develop new frameworks for ICT risk management
- Incident Plans: Create detailed plans for handling technical incidents
- Supplier Collaboration: Improve requirements specification and monitoring of external providers
- Staff Training: Train staff in new processes and requirements
Future Outlook
While DORA places high demands on the industry, it also creates opportunities for companies that can demonstrate strong digital resilience. For Swedish payment companies, this could mean increased competitiveness in both the Nordic and European markets.
DORA's requirements will likely continue to evolve as technology and the threat landscape change. Companies that now invest in robust systems will have advantages in the future.
Source: Financial Inspectorate, EUR-Lex, EIOPA, Swedish Parliament (Ds 2021:5)
Published by PayPro.se - Sweden's Independent Payment Analysis