Blog: Is your business ready for DORA?

The Digital Operational Resilience Act is now entering into force.

On 1 July, the DORA Act enters into force in Norway. Clearer requirements are now being set for how financial undertakings and providers manage digital operational risk. Are you prepared?


Digital resilience is becoming a legal requirement

The Financial Supervisory Authority of Norway has now made it clear: Norway has introduced its own law on digital operational resilience (the DORA Act). This is no longer a recommendation or expectation. It is a requirement. The legislative amendment applies to entities in the financial sector, but their ICT providers are also covered. For many, this means an increased need to structure, document, and ensure that the business can actually withstand disruptions and threats to digital services, both internally and externally.


What do you need to relate to?

DORA sets requirements across five main areas:

  • ICT risk management: The business must establish comprehensive and documented management of digital risk, with clear anchoring at the executive level.
  • Incident handling: Processes must be established to detect, manage, and report ICT incidents both internally and to supervisory authorities.
  • Testing of digital resilience: Regular testing of systems and processes is mandatory, especially for businesses considered critical.
  • Third-party risk: You must have control over which providers you use, how they are managed, and what risks they entail.
  • Supervision and cooperation: Supervisory authorities are being given new tools, and businesses must be prepared for both dialogue and ongoing supervision.


DORA is not just about compliance

DORA is not just a regulatory framework; it is also an opportunity. Businesses that take the requirements seriously gain better insight into their own digital vulnerabilities, more robust operational processes, and increased trust among customers and partners.

At BDO, we work closely with banks, insurance companies, and other financial institutions that now need to make concrete assessments: What do we already have in place? What needs to be improved? And most importantly, how do we achieve this in practice, with the resources we have?


DORA will separate the resilient from the vulnerable

In a sector where trust is crucial, those who work systematically with digital risk and resilience will be better equipped for the future—both from a regulatory and commercial perspective. DORA is more than a compliance exercise. It is an opportunity to build safer, more resilient organisations.


Three pieces of advice

  1. Anchor the responsibility in leadership. DORA requires management to be involved in digital risk management—this is not solely an IT exercise.
  2. Conduct a gap analysis. Map out what you currently have in place compared to the DORA requirements. This will give you a concrete starting point.
  3. Start with what matters. Don’t try to solve everything at once. Prioritise actions that offer the greatest gains in risk reduction and maturity.

Do you need a sparring partner to assess how your organisation is affected by DORA and which measures should be prioritised first?
Get in touch for a non-binding conversation!