28.3.2023

The EU regulation on digital operational resilience for the financial sector poses new obligations for boards of financial entities

The Digital Operational Resilience Act (DORA), which governs both digital operational resilience and the use of information and communication technology (ICT) in the financial sector, entered into force in the European Union in January. The regulation is part of a larger digital finance package and will apply in EU Member States from January 2025 onwards.

Regulated industries and operators

DORA applies to various financial entities, including banks, insurance companies and investment firms. The regulation also applies to service providers that provide financial entities with critical ICT services, such as cloud computing services and data analytics services.

New obligations for boards of financial entities

One of the aims of the regulation is to ensure that the boards of financial entities take on a pivotal and active role in steering and adapting the overall strategy concerning ICT risk management and operational resilience. Under DORA, the board is ultimately responsible for the entity’s ICT risk management.

First, the board must define, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. DORA lays down the concrete minimum requirements for risk management frameworks in more detail, but they must include at least strategies, policies, procedures, protocols and tools that are necessary to protect all ICT assets (such as computer software, hardware and servers) and infrastructures (such as premises and data centres) against ICT risks including damage and unauthorised access or usage. In practice, this includes the following:

As part of their ICT risk management framework, financial entities must also define a strategy for the risks related to the use of third-party ICT services. This requires that the board members of financial entities regularly review the risks concerning contractual arrangements on the use of ICT services supporting critical or important functions.

Board members of financial entities are also required to keep up to date with sufficient knowledge and skills to understand and assess the entity’s ICT risk. Under the regulation, maintaining sufficient knowledge requires, among other things, regular participation in specific training on ICT risks and their effects.

Liability for non-compliance

Under DORA, Member States must ensure that the national authorities have the power to apply different administrative penalties and remedial measures in case the obligations are breached. It must be possible to direct these administrative penalties and remedial measures at board members of financial entities and other natural persons who are responsible for the breach of DORA under national law. However, the final form of these sanctions will not be known before the national law is amended as required by the regulation. In Finland, the authorities have not yet begun work on this matter.

Preparing for the future

All in all, DORA creates a comprehensive and detailed framework for the management of risks related to digitalisation in financial entities. DORA includes new requirements with respect to cyber security and operational resilience. The regulation also lays down new obligations for boards of financial entities. Failure to comply with these obligations could even result in administrative penalties for board members on an individual level. The sanctions for breaches under Finnish legislation will likely be specified in the coming years. However, it is advisable that financial entities start to evaluate their ICT risks and practices in good time, also with respect to their ICT service providers.

 
