
EU’s DORA Regulation on ICT Security in Finance – Norwegian Implementation
1. Background to the Regulation
As a leading country in financial sector digitalisation, Norway has long maintained extensive ICT security requirements. The ICT Decree of 2003 remains significant, setting out obligations relating to risk management, incident handling, and ICT outsourcing. However, requirements concerning sound organisation, risk management, and internal control are dispersed across various laws and regulations in the financial sector. The rationale for heightened ICT security is clear: vulnerabilities in digital infrastructure pose risks to financial stability and broader societal security. Threats originate from internal operational failures, criminal cyberattacks, and politically or militarily motivated cyber incidents. Given the international nature of service providers, a harmonised regulatory approach is imperative.
DORA marks a major step by the EU towards aligning and advancing ICT security standards across Europe. Developed over several years, it was adopted in December 2022 and took effect on 17 January 2025. The framework is set out in Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, which amend various financial sector directives. In addition, extensive technical standards are being developed to supplement the regulation.
In principle, the regulation will be incorporated into Norwegian law in full through direct implementation. Following a public consultation and a proposal from the Ministry of Finance, it has been suggested that DORA be implemented via a new act, the so-called DORA Act. The proposal also includes a regulatory authorisation, i.e. a power to issue regulations imposing requirements on entities not covered by DORA, which could allow certain elements of the existing ICT Decree to be continued.
2. Scope of the Regulation
Under Article 2(1) of the regulation, DORA applies to a broad range of financial entities, including:
- Credit institutions;
- Payment institutions, including those exempt under Directive (EU) 2015/2366;
- Account information service providers;
- Electronic money institutions, including those exempt under Directive 2009/110/EC;
- Investment firms;
- Crypto-asset service providers;
- Central securities depositories;
- Central counterparties;
- Trading venues;
- Trade repositories;
- Alternative investment fund managers;
- Management companies;
- Data reporting service providers;
- Insurance and reinsurance undertakings;
- Insurance, reinsurance, and ancillary insurance intermediaries;
- Pension institutions;
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding service providers;
- Securitisation repositories; and
- Third-party ICT service providers.
Certain firms are exempt, primarily based on their size or the nature of their services.
A key feature of the regulation is the proportionality principle in Article 4, which ensures that risk management and other regulatory requirements are applied in a manner commensurate with an entity's size, overall risk profile, and operational complexity.
3. Key Requirements for Financial Entities
DORA imposes a series of requirements on in-scope financial entities, many of which build on existing Norwegian rules but with significant divergences in scope and detail.
The core obligations include:
- Risk Management: Institutions must establish a governance and control framework to achieve a high level of digital operational resilience. In Norway, the board of directors will be the governing body responsible for defining, approving, overseeing, and ensuring the implementation of ICT risk management measures. The risk management framework must address specific threats, cover designated ICT system components, and incorporate mechanisms for detecting, preventing, and recovering from ICT incidents, including backup procedures. Crisis communication plans must also be in place. Additionally, institutions are required to conduct periodic reviews and audits, and to gather intelligence on vulnerabilities, cyber threats, and ICT incidents. While the requirements are extensive, simplified rules apply to smaller institutions.
- ICT Incident Management, Classification, and Reporting: Institutions must establish processes to detect, handle, and report ICT-related incidents. Incidents must be classified by severity and, based on predefined criteria, reported to supervisory authorities.
- Testing of Digital Operational Resilience: The regulation mandates independent testing to identify weaknesses, errors, and vulnerabilities in ICT systems. Institutions must also have mechanisms in place to follow up on test findings.
- Third-Party ICT Risk Management: Given the widespread reliance on outsourcing and third-party ICT providers, DORA includes specific rules for managing third-party risks. These requirements encompass supplier evaluation, contractual arrangements, monitoring, and reporting obligations. Critical ICT providers to the financial sector will also be subject to EU-level oversight.
- Information Sharing Arrangements: DORA encourages financial institutions to exchange cyber threat intelligence and information.
- Supervisory Authorities: The Norwegian Financial Supervisory Authority (Finanstilsynet) will be the competent authority overseeing compliance with DORA in Norway. The regulation also establishes mechanisms for cooperation between supervisory authorities. In the EEA/EFTA context, decision-making powers assigned to EU supervisory authorities are expected to be conferred on the EFTA Surveillance Authority.
4. Implementation in Norwegian Law
In the EU, the regulation entered into force on 17 January 2025. In Norway, the Storting (Parliament) is currently reviewing the legislative proposal to implement DORA into Norwegian law. The exact date for its entry into force in Norway remains to be determined.