Swedish Firms Facing Challenges As DORA Implementation Nears, Regulator Finds

September 17, 2024

As Sweden's financial sector gets ready for the EU’s Digital Operational Resilience Act (DORA), a report from the Swedish Financial Supervisory Authority reveals progress but highlights challenges, with payment service providers (PSPs) facing more obstacles than banks.

DORA is set to take effect on January 17, 2025, and establishes rigorous standards for managing ICT risks and strengthening digital operational resilience.

Payments firms, like most other financial firms, must implement comprehensive ICT risk management frameworks, covering all aspects of their digital infrastructure. 

Many have started these preparations, but the report from the Swedish Financial Supervisory Authority (Finansinspektionen, FI), based on a survey of 49 companies covered by the rules, reveals difficulties in coordinating their various ICT components into a comprehensive and compliant structure.

This includes identifying vulnerabilities and aligning internal processes with DORA’s standards, which remains a complex issue. 

“The survey responses indicate that extensive work is underway in the financial sector before the DORA regulation comes into force,” said Linda Löfgren, department manager for resilience and preparedness at the regulator.

“A majority of the companies also answered that they are in phase with their preparations. It is gratifying, but at the same time, a lot of work remains,” she acknowledged. 

Third-party risks

The survey findings show that managing third-party risks is a major challenge for firms. 

DORA requires PSPs to maintain oversight of ICT service providers supporting critical operations, but adapting current processes to meet these new standards has proven difficult. 

Many PSPs rely heavily on outsourcing, which means that close monitoring of external partnerships is necessary to ensure contracts meet DORA’s requirements.

DORA also mandates annual testing of digital resilience and comprehensive incident reporting, and setting up these testing regimes poses a particular challenge for smaller PSPs with fewer resources. 

In addition, PSPs are working to align their incident reporting processes with both national and EU standards, which has caused delays.

The regulator says that another complication lies in interpreting DORA's definitions of critical and important functions; uncertainty about which functions require enhanced scrutiny and independent testing has delayed some companies' progress.

Despite these challenges, FI's report suggests that most Swedish financial firms are conducting gap analyses and resource planning to ensure compliance with DORA.

Of the respondent firms, 45 have begun assessing their readiness for the regulation, the regulator says. 

“In its ongoing supervision, FI will review how well the companies comply with the new regulations,” it said in its media release. 
