DORA checklist for Norwegian financial firms

A ten-step DORA checklist for Norwegian banks, insurers, payment firms and asset managers, with Finanstilsynet deadlines and what to do this quarter.

DORA is the EU rule book on IT and digital risk for the financial sector. This is a ten-step checklist that gets a Norwegian firm from “we have read about DORA” to “we can answer Finanstilsynet” in one quarter.

DORA has applied across the EU since 17 January 2025. Norway is in the EEA rather than the EU, so it arrived later, through the EEA Agreement: the Norwegian DORA law and regulation entered into force on 1 July 2025. If Finanstilsynet supervises your firm, DORA almost certainly applies.

1. Check if DORA applies to you

DORA covers most regulated financial firms in Norway: banks, insurers, payment firms, e-money firms, investment firms, asset managers, crypto firms, and pension funds. Auditors, accountants, real estate agents, and debt collection firms are outside the Norwegian version for now, but the government can extend the list.

Write down whether DORA applies to your firm, and why. The first thing an auditor asks is how you decided. If you are a small firm and want the lighter rules (called proportionality), name the paragraph you rely on so you do not re-argue it every year.

2. Get the board to own IT risk

DORA puts ultimate responsibility for IT risk on the board (Article 5). Board members also have to keep their IT risk knowledge current.

Write a short board paper that names the IT risk owner, points to your IT risk framework, and includes a board training plan. Approve it in a minuted meeting that mentions Article 5 by name. Re-approve at least once a year and after every major incident.

3. Write the IT risk framework document

Articles 6 to 16 list what the framework must contain: how you identify risk, protect, detect, respond, recover, learn, and communicate.

If you already run an ISO 27001 system, a large share of these controls map across. Run a gap analysis: DORA article number on one side, your existing control reference on the other. The three gaps most firms still have to build are detection (Article 10), business continuity (Article 11), and incident learning (Article 13). Detection needs log evidence, not policy text.

4. Build a decision tree for “is this a major incident?”

You only have to report incidents that count as major. What counts as major is defined in the EU's incident classification rules (Commission Delegated Regulation (EU) 2024/1772). The short version: the incident has to hit a service that supports a critical or important function, and then it is major if either someone has gained malicious unauthorised access, or at least two of the other impact criteria (clients and transactions affected, data loss, duration and downtime, geographical spread, reputation, money) are breached.

Turn those rules into a one-page decision tree your on-call lead can run at three in the morning. Put numbers on customer impact, downtime, geographical spread, data loss, reputation, and money. Train at least two people to use it.

5. Learn the reporting clock: 4 hours, 24 hours, 72 hours, one month

When a major IT incident is confirmed, Finanstilsynet expects:

  • First notification, within four hours of you classifying the incident as major, and no later than twenty-four hours after you became aware of it.
  • Intermediate report, within seventy-two hours of sending the first notification.
  • Final report, within one month of sending the intermediate report (or its latest update).

You send these through Finanstilsynet’s Altinn portal. From there they go to the EU watchdogs. The Norwegian process is in Finanstilsynet’s incident reporting circular.

If your current plan counts in days, rewrite it this week. The four-hour clock starts when someone classifies the incident as major, not when someone decides to phone the regulator.
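Steps 4 and 5 together are the one piece of this checklist that behaves like an algorithm, so here is an added example of the on-call decision tree and the reporting clock in code. It is not tooling from the page, Finanstilsynet or the EU authorities. The classification logic follows the summary above (critical service affected, plus either malicious unauthorised access or at least two other impact criteria); the threshold values in `THRESHOLDS`, the incident fields, the scenarios, and the calendar-month reading of "one month" are all assumptions made for the example and must be replaced with the figures from the classification rules before anyone relies on it.

```python
"""Major-incident triage and DORA reporting deadlines.

Added example for this checklist; not tooling from the page, Finanstilsynet or the EU
authorities. THRESHOLDS holds placeholder values chosen for the example, not the
regulatory thresholds: take those from the EU classification rules.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder thresholds for the "other" impact criteria (assumed, not regulatory values).
THRESHOLDS = {
    "clients_affected": 10_000,
    "downtime_hours": 2,
    "countries_affected": 2,
    "economic_impact_nok": 1_000_000,
}


@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    critical_service_affected: bool
    malicious_unauthorised_access: bool = False
    clients_affected: int = 0
    downtime: timedelta = timedelta(0)
    countries_affected: int = 1
    data_lost: bool = False            # any loss of availability, integrity or confidentiality
    reputational_impact: bool = False  # e.g. press coverage or regulator enquiries
    economic_impact_nok: float = 0.0


def breached_criteria(inc: Incident) -> list[str]:
    """Names of the impact criteria (other than critical service and unauthorised access)
    whose placeholder threshold is met."""
    checks = {
        "clients_affected": inc.clients_affected >= THRESHOLDS["clients_affected"],
        "downtime": inc.downtime >= timedelta(hours=THRESHOLDS["downtime_hours"]),
        "geographical_spread": inc.countries_affected >= THRESHOLDS["countries_affected"],
        "data_loss": inc.data_lost,
        "reputational_impact": inc.reputational_impact,
        "economic_impact": inc.economic_impact_nok >= THRESHOLDS["economic_impact_nok"],
    }
    return [name for name, hit in checks.items() if hit]


def is_major(inc: Incident) -> bool:
    """The on-call decision: no critical service affected means not major; otherwise
    malicious unauthorised access alone, or two or more other criteria, make it major."""
    if not inc.critical_service_affected:
        return False
    return inc.malicious_unauthorised_access or len(breached_criteria(inc)) >= 2


def _plus_one_month(when: datetime) -> datetime:
    """Same day next calendar month, clamped to that month's last day (assumed reading of
    'one month'; confirm how Finanstilsynet counts it)."""
    year, month = (when.year + 1, 1) if when.month == 12 else (when.year, when.month + 1)
    return when.replace(year=year, month=month, day=min(when.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class ReportingClock:
    initial_notification_due: datetime
    intermediate_report_due: datetime
    final_report_due: datetime


def reporting_clock(inc: Incident, classified_at: datetime,
                    initial_sent_at: datetime | None = None,
                    intermediate_sent_at: datetime | None = None) -> ReportingClock:
    """Initial notification: 4 h from classification, capped at 24 h from detection.
    Intermediate: 72 h after the initial notification was sent. Final: one month after
    the intermediate report was sent. Until a report is actually sent its due time is used
    as the worst case; sending earlier pulls the later deadlines forward."""
    initial_due = min(classified_at + timedelta(hours=4), inc.detected_at + timedelta(hours=24))
    intermediate_due = (initial_sent_at or initial_due) + timedelta(hours=72)
    return ReportingClock(initial_due, intermediate_due,
                          _plus_one_month(intermediate_sent_at or intermediate_due))


def triage_examples() -> dict[str, bool]:
    """Constructed scenarios for the decision tree (not real incidents)."""
    t0 = datetime(2025, 9, 1, 1, 0, tzinfo=timezone.utc)
    return {
        "two_criteria_on_critical_service": is_major(Incident(t0, True, clients_affected=50_000, downtime=timedelta(hours=3))),
        "one_criterion_only": is_major(Incident(t0, True, clients_affected=50_000)),
        "unauthorised_access_alone": is_major(Incident(t0, True, malicious_unauthorised_access=True)),
        "non_critical_service": is_major(Incident(t0, False, malicious_unauthorised_access=True, clients_affected=50_000)),
    }


def late_classification_example() -> ReportingClock:
    """Constructed scenario: detected 01:00 UTC, only classified as major at 22:00 the same
    day. The 4 h clock would allow 02:00 next day, but the 24 h ceiling from detection
    binds, so the initial notification is due at 01:00 next day."""
    detected = datetime(2025, 9, 1, 1, 0, tzinfo=timezone.utc)
    inc = Incident(detected_at=detected, critical_service_affected=True,
                   clients_affected=50_000, downtime=timedelta(hours=3))
    return reporting_clock(inc, classified_at=datetime(2025, 9, 1, 22, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(triage_examples())
    for name, due in vars(late_classification_example()).items():
        print(f"{name:28s} {due.isoformat()}")
```

The late-classification scenario is the trap the text warns about: once classification slips past 20 hours after detection, the 24-hour ceiling, not the 4-hour clock, sets the deadline. Keep the thresholds in one place so the on-call lead is never asked to remember numbers.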

6. Build your IT supplier register

Once a year you send Finanstilsynet a register of information covering every IT supplier you use (Article 28(3)). The 2026 deadline was 13 March 2026, so expect a similar window next year. Each supplier needs a legal entity identifier, usually an LEI. EBA has been rejecting submissions over poor data quality, so clean data matters more than fast submission.

Start the supplier inventory today. Tag each contract as supporting a critical or important function (the distinction Article 28(3) requires in the register), or not. That tag drives most of your other paperwork.
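Because rejections are about data quality, it pays to validate the inventory before it goes anywhere near the portal. Below is an added example of a pre-submission check; it is not the official register-of-information schema, nor tooling from the page or Finanstilsynet. It assumes each row carries a 20-character LEI and a criticality tag from a fixed vocabulary (`ALLOWED_TAGS`), and it validates the LEI check digits with ISO 7064 MOD 97-10, the scheme ISO 17442 specifies for LEIs. The sample rows and the LEI prefix are constructed for the example.

```python
"""Pre-submission checks for an IT supplier register.

Added example; not the official register-of-information schema and not tooling from the
page or Finanstilsynet. Assumes: one LEI per supplier row, a criticality tag from
ALLOWED_TAGS, and LEI check digits per ISO 7064 MOD 97-10 (ISO 17442).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
ALLOWED_TAGS = {"critical_or_important", "not_critical"}  # assumed tag vocabulary


def _mod97(value: str) -> int:
    """ISO 7064 MOD 97-10: letters become 10..35, digits stay; reduce the long number mod 97
    incrementally so it never has to be built as one big integer."""
    total = 0
    for ch in value:
        digit = int(ch, 36)  # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
        total = (total * (100 if digit >= 10 else 10) + digit) % 97
    return total


def lei_check_digits(prefix18: str) -> str:
    """Check digits for an 18-character LEI prefix: 98 minus (prefix + '00') mod 97."""
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 upper-case alphanumerics")
    return f"{98 - _mod97(prefix18 + '00'):02d}"


def lei_is_valid(lei: str) -> bool:
    """A well-formed LEI reduces to 1 mod 97."""
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1


@dataclass(frozen=True)
class SupplierRow:
    supplier_name: str
    lei: str
    service: str
    criticality: str


def validate_register(rows: list[SupplierRow]) -> dict[str, list[str]]:
    """Return {supplier_name: [problems]} for rows that would likely be rejected.
    An empty dict means the register passed these checks."""
    problems: dict[str, list[str]] = {}
    seen: dict[str, str] = {}  # LEI -> first supplier name it appeared under
    for row in rows:
        issues: list[str] = []
        lei = row.lei.strip().upper()
        if not lei_is_valid(lei):
            issues.append("LEI malformed or fails ISO 7064 check digits")
        elif seen.setdefault(lei, row.supplier_name) != row.supplier_name:
            issues.append(f"LEI already used under the name {seen[lei]!r}")
        if row.criticality not in ALLOWED_TAGS:
            issues.append(f"criticality must be one of {sorted(ALLOWED_TAGS)}")
        if not row.service.strip():
            issues.append("service description is empty")
        if issues:
            problems[row.supplier_name] = issues
    return problems


def example_register() -> list[SupplierRow]:
    """Constructed sample rows (fictitious suppliers and LEIs)."""
    good_lei = "5493001KJTIIGC8Y1R" + lei_check_digits("5493001KJTIIGC8Y1R")
    bad_lei = good_lei[:10] + "0" + good_lei[11:]  # one-character typo breaks the checksum
    return [
        SupplierRow("Example Cloud AS", good_lei, "IaaS hosting for core banking", "critical_or_important"),
        SupplierRow("Example Cloud A/S", good_lei, "Object storage", "critical_or_important"),
        SupplierRow("Example Payroll Ltd", bad_lei, "Payroll SaaS", "not_critical"),
        SupplierRow("Example Analytics", "NOT-AN-LEI", "", "critical"),
    ]


if __name__ == "__main__":
    for name, issues in validate_register(example_register()).items():
        print(name, "->", "; ".join(issues))
```

The second row shows the kind of inconsistency that survives a visual review: the same LEI filed under two spellings of the supplier's name. Fix naming at the source system, not in the spreadsheet you export the week before the deadline.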

7. Fix the contracts for critical IT suppliers

For suppliers that support critical or important functions, DORA requires specific clauses in the contract (Article 30): audit rights, exit plans, where data is processed, sub-contracting controls, service levels, security measures, and how the supplier helps you during incidents.

Pull your top ten supplier contracts by criticality. Map each clause against Article 30. Send amendment requests for anything missing. Cloud providers, core banking systems, and software-as-a-service handling client data are usually the first ten.

8. Plan your IT resilience testing

DORA expects a digital operational resilience testing programme (Article 24) that includes vulnerability scans, network security assessments, scenario-based tests, penetration testing, and source code review where it makes sense (Article 25). Firms that Finanstilsynet designates must also run threat-led penetration tests at least every three years (Article 26), following the EU framework called TIBER-EU; microenterprises and the Article 16 firms are outside that tier.

We deliver application and infrastructure testing through Aikido AI Pentest as part of the standard programme. Threat-led tests for designated firms are a separate engagement.

9. Decide how you share information with peers

DORA encourages firms to share threat information with each other (Article 45). Decide whether you join Nordic Financial CERT, FS-ISAC, or rely on what Finanstilsynet sends out. Write the decision and the limits (what you share, what you do not) into the framework.

10. Build the evidence pack

When Finanstilsynet contacts you, they ask for the framework document, the board approval, the gap analysis with article references, the incident register, the IT supplier register, the testing plan, and the supplier contract review. Keep it in one place. Date-stamp every document.

In one composite scoping engagement with a payment institution this quarter, the technical controls were mostly in place, but the paper trail was missing: no board minutes referencing Article 5, no decision tree, no version-controlled framework. The technical work took three weeks. The documentation took six.

Next action

Talk to our compliance practice for a focused DORA readiness review against your existing IT risk system, with an article-by-article gap list. We work alongside your team, not over the top of them, so the framework you end up with is one you can defend on your own.

FAQ

Are we in scope of DORA in Norway?

If Finanstilsynet supervises you under EU or EEA financial rules (bank, insurer, payment institution, e-money institution, investment firm, asset manager, pension fund, crypto-asset service provider), assume yes. Auditors, accountants, real estate agents, and debt collection firms are outside the Norwegian version for now, though the government can extend it. Confirm against Article 2 of Regulation (EU) 2022/2554 and write the conclusion down.

When did DORA start applying to Norwegian firms?

DORA applied across the EU from 17 January 2025. In Norway, the EEA Joint Committee incorporated DORA on 20 February 2025, and the Norwegian DORA law and DORA regulation entered into force on 1 July 2025. Finanstilsynet has been enforcing it since.

How is DORA incident reporting different from GDPR breach reporting?

GDPR gives you seventy-two hours from awareness of a personal data breach to notify the supervisor. DORA gives you four hours from classification of a major IT incident, with a hard twenty-four hour ceiling from when you first spotted it, then a seventy-two hour status report, then a final report within a month. The triggers, the clocks, and the recipients are different. One incident often triggers both rule sets, and your plan has to handle that.

What is the IT supplier register and when is it due?

It is your yearly inventory of every IT supplier, submitted to Finanstilsynet in a structured format through the e-Reg portal. The 2026 submission deadline was 13 March 2026, with Finanstilsynet forwarding to the EU supervisors by 31 March. EBA has been rejecting submissions over data quality, so start the supplier inventory now rather than in February.

How does DORA interact with NIS2?

For financial firms, DORA takes precedence over NIS2 on IT risk management. DORA is the specific rule and beats the general one. If you are a bank that also runs an essential service in another part of the business, you can end up under both rule sets. Give each obligation to a single internal owner so nothing falls between them.

We are a small firm, do we have to do all of this?

Article 4 sets the proportionality principle, and Article 16 gives a simplified ICT risk management framework to a named list: small and non-interconnected investment firms, payment institutions and e-money institutions exempted under their sector directives, credit institutions exempted under the Capital Requirements Directive, and small institutions for occupational retirement provision. Microenterprises get lighter treatment article by article (no threat-led penetration testing obligation, for example) rather than a separate regime. Small alternative investment fund managers registered under Article 3(2) of the AIFMD are outside DORA's scope altogether (Article 2(3)), not merely in a lighter regime. You still need a framework, an incident reporting flow, a supplier register, and a testing programme. The depth required is lower. Write down which article and paragraph you rely on, so you do not re-argue it every supervisory cycle.
