DORA One Year In: Swedish Fintech Engineering Lessons

By Technspire Team
January 15, 2026

The Digital Operational Resilience Act (DORA) has applied to EU financial entities since 17 January 2025. Twelve months in, the first full year of compliance has surfaced a consistent pattern for Swedish fintech: the policy work was done on time, but the engineering reality (a genuinely complete ICT third-party register, incident reporting that meets the clock, a TLPT scope that reflects the actual attack surface) is still being built. Here is what a grounded retrospective looks like.

What DORA Requires, Reduced to Engineering

  • ICT risk management framework. Documented policies, board-level accountability, controls mapped to identified risks.
  • ICT-related incident reporting. Classification of major incidents, initial notification within strict timeframes, intermediate and final reports.
  • Digital operational resilience testing. Regular testing and, for significant entities, Threat-Led Penetration Testing at least every three years.
  • ICT third-party risk management. A register of information on every ICT third-party service provider, concentration-risk assessment, exit plans.
  • Information and intelligence sharing. Participation in relevant information-sharing arrangements.

Where Swedish Fintech Got It Right

Firms that had already invested in Finansinspektionen-aligned operational resilience ahead of DORA had most of the policy and governance in place. Board-level ICT risk reporting, vendor management registries, and formal incident-response runbooks were already operating. The transition for these firms was a naming exercise more than a structural one.

Where Swedish Fintech Struggled

The third-party register is harder than it reads

The DORA third-party register sounds like a spreadsheet exercise and turns into a supply-chain mapping project. For every ICT service, the register must capture the legal entity, the function supported, criticality, substitutability, the location of data processing, the subcontractor chain, and exit-plan feasibility. Subcontractor chains are where most firms hit the wall: many SaaS vendors do not proactively disclose their own providers, so everything below the first tier has to be asked for, written into contracts, and kept current. The payoff for doing it properly is that concentration risk only becomes visible once the chain is walked end to end; two vendors that look independent on the first tier frequently run on the same hosting provider.
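The register as a graph rather than a spreadsheet, as an added example (not code from the original article or from any firm's real register). Each provider row carries the fields the walk needs, the subcontractor links form the chain, and walking the chain transitively surfaces three things the flat spreadsheet hides: providers that several critical functions bottom out on, names referenced in a chain that have no register row at all, and critical non-substitutable services that sit on a concentrated provider. All vendor names, legal entities and services below are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Provider:
    """One row of the register of information (reduced to the fields the walk needs)."""
    name: str
    legal_entity: str
    data_location: str            # country/region where data is processed
    subcontractors: list[str] = field(default_factory=list)  # providers this one runs on


@dataclass
class IctService:
    """An ICT service the firm consumes and the first-tier provider delivering it."""
    function: str
    provider: str
    critical: bool                # supports a critical or important function
    substitutable: bool           # replaceable within the exit plan's window


# Constructed sample register: hypothetical vendors, not real companies.
REGISTER: dict[str, Provider] = {
    "PayCore": Provider("PayCore", "PayCore AB", "SE", ["CloudNorth"]),
    "LedgerHost": Provider("LedgerHost", "LedgerHost Oy", "FI", ["CloudNorth"]),
    "CloudNorth": Provider("CloudNorth", "CloudNorth EU S.a r.l.", "IE"),
    "KycVendor": Provider("KycVendor", "KycVendor Ltd", "GB", ["UnknownSub"]),
    "MailThing": Provider("MailThing", "MailThing Inc", "US"),
}

SERVICES: list[IctService] = [
    IctService("payment processing", "PayCore", critical=True, substitutable=False),
    IctService("ledger hosting", "LedgerHost", critical=True, substitutable=True),
    IctService("customer onboarding (KYC)", "KycVendor", critical=True, substitutable=True),
    IctService("marketing email", "MailThing", critical=False, substitutable=True),
]


def transitive_chain(register: dict[str, Provider], provider: str) -> list[str]:
    """Every provider reachable from `provider` through subcontractor links, cycle-safe.

    Names that appear as a subcontractor but have no register row are returned too,
    so the caller sees the gap instead of the walk silently stopping there.
    """
    chain, stack, seen = [], [provider], {provider}
    while stack:
        row = register.get(stack.pop())
        for sub in (row.subcontractors if row else []):
            if sub not in seen:
                seen.add(sub)
                chain.append(sub)
                stack.append(sub)
    return chain


def critical_dependencies(register, services) -> dict[str, set[str]]:
    """Map each provider to the critical functions depending on it, directly or transitively."""
    deps: dict[str, set[str]] = {}
    for svc in services:
        if not svc.critical:
            continue
        for name in [svc.provider, *transitive_chain(register, svc.provider)]:
            deps.setdefault(name, set()).add(svc.function)
    return deps


def concentration_findings(register, services, threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Providers that `threshold` or more critical functions bottom out on, most exposed first."""
    deps = critical_dependencies(register, services)
    hits = [(name, sorted(fns)) for name, fns in deps.items() if len(fns) >= threshold]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def unregistered_providers(register, services) -> list[str]:
    """Names referenced by a service or a subcontractor chain that have no register row."""
    referenced: set[str] = set()
    for svc in services:
        referenced.add(svc.provider)
        referenced.update(transitive_chain(register, svc.provider))
    return sorted(referenced - set(register))


def exit_plan_blockers(register, services) -> list[str]:
    """Critical, non-substitutable services whose chain includes a concentrated provider."""
    concentrated = {name for name, _ in concentration_findings(register, services)}
    return sorted(
        svc.function for svc in services
        if svc.critical and not svc.substitutable
        and {svc.provider, *transitive_chain(register, svc.provider)} & concentrated
    )


if __name__ == "__main__":
    for name, fns in concentration_findings(REGISTER, SERVICES):
        print(f"concentration: {name} underpins {len(fns)} critical functions: {', '.join(fns)}")
    print("unregistered:", unregistered_providers(REGISTER, SERVICES))
    print("exit-plan blockers:", exit_plan_blockers(REGISTER, SERVICES))
```

In the sample, PayCore and LedgerHost look like two independent first-tier vendors, but both run on CloudNorth, so CloudNorth underpins two critical functions; the KYC vendor's subcontractor has no register row, which is exactly the disclosure gap described above; and payment processing is flagged because it is critical, not substitutable, and sits on the concentrated provider. The same walk, re-run on every register update, is what keeps the document live rather than a yearly artifact.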

Incident classification in practice

DORA's classification criteria (clients affected, duration, reputational impact, geographical spread, data losses, economic impact) must be applied against live telemetry. The teams that shipped well had a shared rubric the on-call engineer could apply in the first hour, not a policy document the compliance team opened after the fact. Start the classification conversation during incident detection, not after recovery: an incident that is still ongoing already has a client count and an elapsed duration, and the reporting clock does not wait for the post-mortem.

TLPT scope drift

Threat-Led Penetration Testing is not a pentest-as-a-service engagement. It requires threat-intelligence grounding, testing against live production (or near-production) systems with red-team tradecraft, and controlled targeting of critical functions. The firms that scoped it as "our annual pentest, but with more paperwork" ended up doing the work twice: once as the pentest they already had, and again as the threat-led exercise the regulation actually asks for.

The ICT Risk Framework That Actually Works

Three things differentiate a DORA-compliant framework that survives an audit from one that passes paper review and fails in practice:

  • Controls mapped to real systems. Not "we have access controls." Rather: "Access to the payments ledger is governed by these specific Entra groups, reviewed on this cadence, with this approval workflow." Traceable, auditable.
  • Tested on a cadence, not theoretically. Controls that have never failed a test have never been tested. Build failure-injection into your resilience programme.
  • Board-reported in a form the board can act on. Dashboards over policy docs. KRIs that trigger action when they cross thresholds.

What 2026 Looks Like

  • First wave of TLPT results. Significant entities that did not complete TLPT in 2025 will close the gap this year. Expect board-level conversations about findings.
  • The third-party register maturing. Year-two updates will surface changes in subcontractor chains and concentration risk. Tooling that keeps the register live, rather than a yearly static artifact, is the 2026 investment.
  • DORA + AI Act intersection. Financial-sector AI systems that qualify as high-risk under the AI Act must satisfy both regimes. Expect Finansinspektionen guidance that harmonises the two.

Year-One Lesson

DORA's first year separated firms that treated resilience as an engineering discipline from firms that treated it as a compliance artifact. The first group is quietly ready for year two. The second group is rediscovering, with the January 2026 deadline for the Register of Information submission behind them, that resilience is built, not documented.
