DORA Regulation — New Requirements for Financial Sector ICT Risk Management in Effect Since January 2025
The DORA regulation (Digital Operational Resilience Act) has been fully implemented in the Swedish financial sector since January 2025. This EU regulation imposes significantly higher requirements for IT security and risk management for all companies under the supervision of the Swedish Financial Inspectorate (FI).
What is DORA?
DORA, the Digital Operational Resilience Act, is Regulation (EU) 2022/2554. It entered into force on January 28, 2023, and has been fully implemented in member states since January 2025.
The regulation targets most companies under the supervision of the Swedish Financial Inspectorate, including:
- Banks and credit institutions
- Investment managers
- Insurance companies
- Pension institutions
- Finance companies
- Payment institutions and e-money issuers
- Crypto-asset service providers
DORA's Focus Areas
The regulation focuses on four main areas:
- ICT Risk Management: Systematic identification, assessment, and management of IT-related risks
- ICT Incident Reporting: Mandatory reporting of ICT incidents to national supervisory authorities
- Digital Resilience Testing: Requirements for regular testing to verify resilience
- Third-party Risk Management: Specific requirements for managing risks from external service providers
Relevance for the Swedish Payment Sector
DORA is directly relevant for all players in the Swedish payment sector. Payment companies such as Swish, Klarna, Trustly, Zimpler, Bankgirot, and all other licensed payment institutions are covered by the regulation's requirements.
Impact on Payment Companies
For payment companies, DORA involves several significant changes:
- Operational Costs: Increased costs for IT security and compliance
- Tech Provider Contracts: Strict requirements on security and transparency in external provider contracts
- Incident Management: New requirements for reporting and handling of ICT incidents
- Testing and Validation: Regular testing of payment system resilience
Specific Requirements for Payment Institutions
Payment institutions have specific responsibilities within the DORA framework:
- Systematic Risk Management: Documented process for identification and management of IT risks
- Incident Preparedness: Plans for handling disruptions and attacks
- Provider Monitoring: Regular assessment of tech providers' security levels
- Reporting to FI: Reporting of incidents within specified timeframes
Implementation Status in Sweden
Financial Inspectorate's Work
FI has conducted reviews of how Swedish financial actors have implemented DORA. The authority has particularly monitored:
- Payment companies' technical infrastructure
- External providers' security certifications
- Incident reporting systems
- Risk management processes
Payment Sector's Adaptation
Swedish payment companies have undergone significant adaptations to meet DORA requirements:
- Swish: Investments in systems for monitoring and reporting of incidents
- Klarna: Updates to internal security policies and processes
- Trustly: Implementation of stricter requirements for tech providers
- Bankgirot: Updates to payment system resilience
Future Challenges and Opportunities
Future Challenges
DORA imposes high requirements on payment companies and creates several challenges:
- Costs: Increased investments in IT security and compliance
- Complexity: The requirement for documentation and reporting is extensive
- Supervisory consequences: Strict incident-handling requirements can lead to more supervisory intervention from FI
Opportunities for Innovation
Despite the challenges, DORA also creates opportunities:
- Innovation Support: EU support for development of security solutions
- Standardization: Common standards for security in the industry
- Trust: Increased trust from customers through better security levels
Upcoming Developments
For DORA, the near future involves several important steps:
- Follow-up: FI continues with follow-up inspections
- Sanctions: Possibility of sanctions for implementation deficiencies
- Updates: Technical standards and guidelines will be updated
Next Steps for Payment Companies
For payment companies that want to continue operating within the EU, it is important to:
- Monitor: Stay updated with changes in requirements
- Collaborate: Collaborate with tech providers to meet requirements
- Report: Report any problems or delays in implementation
Conclusion
The DORA regulation marks a new era for IT security in the financial sector. For the Swedish payment industry, it means both challenges and opportunities. By proactively managing the new requirements, payment companies can not only comply with legal requirements but also strengthen their position in the European market.
The Riksbank's latest interest rate decision and low inflation may affect how companies prioritize their investments in IT security, but DORA's requirements are long-term and independent of the economic cycle.
Sources
- Swedish Financial Inspectorate (FI), DORA information
- EUR-Lex, Regulation (EU) 2022/2554
- European Commission, Digital Operational Resilience Act
- Swedish Riksbank, press release 2026-05-07
- Statistics Sweden (SCB), inflation figures 2026