28.3.2023

The EU regulation on digital operational resilience for the financial sector imposes new obligations on the boards of financial entities

The Digital Operational Resilience Act (DORA), which governs both digital operational resilience and the use of information and communication technology (ICT) in the financial sector, entered into force in the European Union in January 2023. The regulation is part of a larger digital finance package and will apply in the EU Member States from January 2025 onwards.

Regulated industries and operators

DORA applies to a wide range of financial entities, including banks, insurance companies and investment firms. The regulation also reaches ICT third-party service providers that are designated as critical for financial entities, such as providers of cloud computing and data analytics services.

New obligations for boards of financial entities

One of the aims of the regulation is to ensure that the boards of financial entities take a pivotal and active role in steering and adapting the overall strategy for ICT risk management and operational resilience. Under DORA, the board bears ultimate responsibility for the entity’s management of ICT risk.

First, the board must define, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework. DORA lays down the concrete minimum requirements for the framework in more detail, but at a minimum it must include the strategies, policies, procedures, protocols and tools that are necessary to protect all ICT assets (such as software, hardware and servers) and infrastructures (such as premises and data centres) against ICT risks, including damage and unauthorised access or use. In practice, this includes the following:

As part of their ICT risk management framework, financial entities must also define a strategy for the risks arising from the use of third-party ICT services. This requires board members to regularly review the risks identified in respect of contractual arrangements on the use of ICT services supporting critical or important functions.

Board members of financial entities are also required to actively maintain sufficient knowledge and skills to understand and assess the entity’s ICT risk and its impact on the entity’s operations. Under the regulation, maintaining such knowledge requires, among other things, regular participation in specific training on ICT risks and their effects.

Liability for non-compliance

Under DORA, Member States must ensure that the competent national authorities have the power to impose administrative penalties and remedial measures where the obligations are breached. It must be possible to direct these penalties and remedial measures at board members of financial entities and at other natural persons who, under national law, are responsible for the breach. The final form of these sanctions will not be known until national law has been amended as the regulation requires, and the national legislative work on this matter has not yet begun in Finland.

Preparing for the future

All in all, DORA creates a comprehensive and detailed framework for managing the risks of digitalisation in financial entities. It introduces new requirements on cyber security and operational resilience, and it lays down new obligations for the boards of financial entities. Failure to comply with these obligations may even result in administrative penalties imposed on individual board members. The sanctions for breaches will likely be specified in Finnish legislation in the coming years. Financial entities are nevertheless advised to start evaluating their ICT risks and practices in good time, including those relating to their ICT service providers.
