
Digital Operational Resilience Act Compliance in Finland

DORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.

How does DORA apply in Finland?

DORA applies in Finland directly as an EU regulation, with the same obligations as across the bloc. The national competent authority is Finanssivalvonta (FIN-FSA), Finland's Financial Supervisory Authority, which handles supervision, enforcement and incident notifications. Penalties: critical ICT third-party service providers (CTPPs) face periodic penalty payments of up to 1% of average daily worldwide turnover per day, for up to 6 months; financial entities face penalties set by Finnish national law. Application date: 17 January 2025.

  • Supervisory authority: Finanssivalvonta (FIN-FSA)
  • Maximum fine: CTPPs: 1% of average daily worldwide turnover per day, for up to 6 months; Financial entities: per national law
  • Key deadline: January 17, 2025
  • Sectors affected: Banking, Insurance, Investment Firms
  • Source: Finanssivalvonta (FIN-FSA)

What are my DORA obligations in Finland?

  • Implement ICT risk management framework
  • Conduct digital operational resilience testing
  • Manage third-party ICT risk
  • Report major ICT-related incidents
  • Share threat intelligence

Who enforces DORA in Finland?

Finanssivalvonta (FIN-FSA), Finland's Financial Supervisory Authority, is the national competent authority. Critical ICT third-party service providers are overseen directly at EU level by the European Supervisory Authorities (EBA, EIOPA, ESMA).

DORA in Finland: what is different here?

Finanssivalvonta (FIN-FSA), Finland's Financial Supervisory Authority, is the competent authority for DORA supervision of banks, insurers, and investment firms operating in Finland. FIN-FSA has published dedicated guidance on DORA obligations for supervised entities.

Source: Finanssivalvonta — DORA guidance

DORA (Regulation (EU) 2022/2554) has applied in Finland since 17 January 2025. Finnish financial entities in scope, including credit institutions, payment institutions, insurers and investment firms, must comply with requirements on ICT risk management, incident reporting, digital operational resilience testing and third-party risk oversight. Their ICT service providers are not directly bound by DORA unless designated as critical, but the contractual requirements flow down to them through the financial entity.

Source: EUR-Lex — Regulation (EU) 2022/2554

Under DORA, Finnish financial entities must maintain a register of information covering all contractual arrangements with ICT third-party service providers and submit it to FIN-FSA as part of supervisory reporting when required. Major ICT-related incidents must be reported to FIN-FSA within the timelines set by the technical standards jointly developed by the EBA, ESMA and EIOPA.

Source: Finanssivalvonta — DORA guidance

What are the DORA penalties for Finland organisations?

DORA's penalty regime is unusual in the EU regulatory landscape. For financial entities, the Regulation does not set a fine amount at all: Article 50 requires Member States to lay down administrative penalties and remedial measures that are 'effective, proportionate and dissuasive', so in Finland the applicable penalties follow national law as applied by FIN-FSA. The turnover-based figure applies only to designated critical ICT third-party service providers (CTPPs), for which the Lead Overseer appointed by the ESAs may impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of 6 months (Article 35(6)).

Administrative penalties for financial entities

Set by national law; must be effective, proportionate and dissuasive
Art. 50 — EUR-Lex

Periodic penalty payments for critical ICT third-party service providers (CTPPs) — imposed by the ESAs' Lead Overseer

Up to 1% of average daily worldwide turnover per day, for up to 6 months
Art. 35(6) — EUR-Lex

What is the maximum DORA fine?

DORA does not specify a single maximum fine amount. For financial entities the ceiling is whatever national law provides. For CTPPs, the periodic penalty is up to 1% of average daily worldwide turnover per day of non-compliance for up to 6 months. For a CTPP with €1B annual turnover, average daily turnover is roughly €2.7M, so the penalty is roughly €27,000 per day and could reach approximately €5M over the full 6 months.

Who enforces DORA?

National competent authorities (NCAs) designated by each Member State enforce DORA for financial entities under their supervision. For critical ICT third-party service providers, the European Supervisory Authorities (EBA, EIOPA, ESMA) enforce DORA directly: one ESA is appointed Lead Overseer for each CTPP, with coordination across the ESAs through the Joint Oversight Network.

Does DORA apply to non-financial companies?

DORA applies only to financial entities as defined in Art. 2, plus the ICT third-party service providers the ESAs designate as critical. A non-financial company that provides ICT services to banks or insurers can therefore be designated as a CTPP and become subject to DORA's oversight regime, and even without designation it will see DORA's contractual requirements imposed by its financial-sector customers.


Common DORA compliance questions

What are the DORA compliance requirements for fintech?

DORA (Regulation 2022/2554) applies to financial entities and their ICT third-party providers from January 2025. Core requirements: (1) an ICT risk management framework (Articles 5–16) with documented policies and regular testing; (2) classification of ICT-related incidents and reporting of major incidents to the competent authority, with an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it; (3) digital operational resilience testing, including threat-led penetration testing at least every three years for the entities the competent authority identifies as significant; (4) third-party ICT risk management with DORA-compliant contractual clauses; (5) a register of information on all ICT third-party contractual arrangements, reported to the competent authority on request. Fintech companies licensed under MiFID II, PSD2 or the e-money framework are in scope.

Does DORA apply to small fintech startups in the EU?

DORA applies to all financial entities as defined in Article 2, including payment institutions, e-money institutions, investment firms and crypto-asset service providers (CASPs), regardless of size. The proportionality principle in Article 4 scales the obligations to an entity's size and risk profile, and microenterprises (fewer than 10 employees and annual turnover or balance sheet total under €2M) are exempted from several of the detailed requirements, while Article 16 provides a simplified ICT risk management framework for specific categories of small entities such as small and non-interconnected investment firms. However, incident reporting obligations (Article 19) and third-party ICT risk management requirements apply to all in-scope entities regardless of size. A fintech startup that has obtained a PSD2 payment institution licence, an e-money licence or a MiCA CASP authorisation is in scope for DORA from January 2025.

What are DORA's ICT incident reporting requirements?

DORA Article 19 requires financial entities to classify ICT-related incidents and report major ones to their national competent authority (NCA), for example FIN-FSA for Finnish entities, BaFin for German banks, ACPR for French institutions and DNB for Dutch entities. The reporting timeline is: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after first becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. An incident is classified as major based on criteria including the number of clients affected, service downtime, geographic spread of impact and data loss. Financial entities may also, on a voluntary basis, notify their NCA of significant cyber threats that have not yet caused an incident.

What is a DORA-compliant ICT risk management framework?

A DORA-compliant ICT risk management framework (Articles 5–16) must include: a documented digital operational resilience strategy approved by the management body; an inventory of ICT assets covering hardware, software and data, with their dependencies; a business impact analysis for critical or important functions; a business continuity and ICT response and recovery plan with tested recovery time and recovery point objectives (RTO/RPO); regular ICT security testing, including vulnerability assessments at least yearly for all entities other than microenterprises, and threat-led penetration testing at least every three years for entities identified as significant; and identity and access management policies covering privileged accounts. The framework must be reviewed at least annually and after any major ICT-related incident. The management body bears ultimate responsibility for ICT risk and its members must maintain sufficient knowledge of ICT risk to discharge that responsibility.


For informational purposes only. This is not legal advice — consult qualified legal counsel.