← All posts

Nordic Regulators Are Aligned: Digital Resilience Is a Top Supervisory Priority in 2026

hen one regulator singles out digital resilience as a priority, it warrants attention. When all four Nordic financial supervisory authorities do it simultaneously, it signals a structural shift in how the region approaches ICT risk oversight.

Norway, Sweden, Denmark, and Finland have each published their supervisory priorities for 2026. Despite differences in structure, language, and emphasis, a common thread runs through all four: financial institutions must demonstrate that their ICT environments are resilient — not just documented, but tested and operational. For firms subject to DORA, this convergence removes any remaining ambiguity about where supervisory attention will land this year.

Norway: Robust Infrastructure and Total Defence

The Norwegian Financial Supervisory Authority (Finanstilsynet) has framed its 2026 priorities around what it calls robust infrastructure. The focus is broad but pointed: supervisors will assess whether financial institutions maintain adequate control over ICT risk, cyber risk, and broader operational risk.

Three elements stand out from the Norwegian priorities.

First, Finanstilsynet will conduct risk and vulnerability analyses across the sector, mapping weaknesses and consolidating findings into a comprehensive risk assessment. This is not a desk exercise. The authority has signalled that it intends to identify systemic vulnerabilities — areas where individual institutional weaknesses compound into sector-level exposure.

Second, the supervisory focus on organisational structures is notable. Finanstilsynet is paying particular attention to complex group structures, outsourcing arrangements, and control environments where accountability becomes unclear. For institutions relying on group-level ICT functions or outsourced technology operations, this is a direct signal: your supervisory reporting needs to demonstrate that you know who is responsible for what, even when functions are distributed.

Third, the context matters. Norway has designated 2026 as Totalforsvarsåret — Total Defence Year. This broader national focus on crisis preparedness is shaping the financial sector's regulatory environment. Finanstilsynet is emphasising both its own internal crisis readiness and the preparedness of supervised entities to prevent and manage disruptions to the financial system.

The subtext is clear: digital resilience is no longer treated as an IT matter. It is being positioned as part of national infrastructure security.

Sweden: Operationally Sound IT Under Stress

Finansinspektionen (FI), Sweden's financial supervisory authority, has structured its 2026 supervision around three priorities: countering financial crime, managing threats to financial stability, and protecting consumers.

The digital resilience dimension sits within the stability pillar. FI has stated that it will examine whether financial firms maintain operationally sound IT structures capable of withstanding disruptions — including cyberattacks. The phrasing is deliberate. The question is not whether firms have IT infrastructure, but whether that infrastructure can absorb and recover from hostile events.

FI has historically taken a strong position on operational resilience, with longstanding guidelines on outsourcing, internal controls, and cyber risk management that predate DORA. The 2026 priorities suggest that FI is now integrating DORA's requirements into its existing supervisory framework rather than treating them as a separate compliance layer. For firms operating in Sweden, this means that DORA compliance will be assessed alongside — and through the lens of — FI's established expectations.

Sweden's regulator has also flagged a broader challenge. A previous assessment found that payment service providers face more obstacles than banks in managing third-party ICT risks under DORA. Firms in this category should expect targeted supervisory attention in 2026.

Denmark: DORA Enforcement and Cross-Cutting IT Supervision

Denmark's Finanstilsynet has taken a structured approach to DORA implementation. The authority has established mandatory reporting procedures for ICT-related incidents under DORA and requires institutions to submit their Register of Information — detailing contracts with ICT third-party providers — within defined deadlines.

IT supervision operates as a cross-cutting theme in Denmark's regulatory programme. Rather than treating technology risk as a standalone inspection category, the Danish FSA embeds it across all supervisory activities — covering banking, insurance, pensions, and capital markets. This means that IT controls, incident response capabilities, and third-party oversight are examined as part of every institutional review, not only during dedicated IT inspections.

Denmark also maintains a Decentral Unit for Cyber and Information Security (DCIS), which supports sector-wide cybersecurity coordination. This institutional capability means that supervisory teams in Denmark have access to dedicated expertise when assessing whether an institution's ICT resilience framework meets the standard.

For firms supervised by the Danish FSA, the practical implication is that DORA compliance is not something you demonstrate in a separate review. It is woven into every supervisory interaction. Your ICT risk management, incident classification, and vendor oversight will be examined whenever a supervisor walks through the door — regardless of the stated purpose of the review.

Finland: A Three-Year Strategy Built on Digital Resilience

Finland's Financial Supervisory Authority (FIN-FSA) has gone further than its Nordic peers in one respect: it has published a three-year strategic plan covering 2026–2028. The strategy explicitly identifies two focal points — preparedness for extreme economic phenomena and ensuring functionally secure digital services.

The digital services dimension reflects Finland's position as one of the most digitally advanced financial markets in Europe. Finnish consumers and businesses rely heavily on digital banking and payment infrastructure. Disruptions to these services carry immediate economic and social consequences.

By embedding digital resilience into a multi-year strategy rather than an annual priority cycle, FIN-FSA has signalled that this is not a temporary supervisory focus. Institutions operating in Finland should expect sustained, recurring attention to ICT risk management, service continuity, and digital infrastructure resilience through at least 2028.

What the Convergence Means

The alignment across all four Nordic NCAs is significant for three reasons.

DORA is being localised, not just adopted. While DORA provides the regulatory baseline, each NCA is integrating its requirements into existing supervisory frameworks and national contexts. Norway connects it to national defence. Sweden embeds it in stability oversight. Denmark weaves it into cross-cutting inspections. Finland builds it into a three-year strategy. Firms cannot take a one-size-fits-all approach to DORA compliance across the Nordics — they need to understand how each NCA interprets and applies the regulation. The tolerance period is over. DORA became applicable on 17 January 2025. The first year involved information-gathering, questionnaires, and baseline assessments. The 2026 priorities across all four countries indicate a shift toward active supervision. Regulators have their baselines. They know which institutions engaged seriously and which produced frameworks without substance. The 2026 cycle is being built around that intelligence. Digital resilience is no longer an IT-department concern. Every NCA has positioned ICT risk as a board-level, institutional-level, and in Norway's case, national-level priority. The governance expectations under DORA Article 5 — which place direct responsibility on the management body — are being enforced, not just referenced.

What Firms Should Do Now

If you operate in one or more Nordic markets, the supervisory signals are unambiguous. Five actions deserve immediate attention.

Review your ICT risk framework against the specific NCA context. A framework that satisfies DORA's text may not satisfy the local supervisory emphasis. Understand what your specific NCA is prioritising and ensure your framework addresses those dimensions. Verify your incident reporting readiness. Denmark already requires DORA incident reporting through defined procedures. Other NCAs are examining classification processes and response timelines. If your incident management process cannot produce a compliant initial notification within four hours of classification, fix that gap now. Stress-test your third-party oversight. Every Nordic NCA has flagged third-party ICT risk as a supervisory focus. Your Register of Information, criticality assessments, and Article 30 contract clauses will be examined. Ensure they exist and that they reflect current reality, not last year's vendor landscape. Engage the board. DORA Article 5 is being enforced as written. Board-level oversight of ICT risk is not optional, and supervisors are looking for evidence of genuine engagement, meeting minutes, approved strategies, allocated budgets, completed training. If your board's involvement has been ceremonial, that is a finding waiting to happen. Think beyond a single jurisdiction. If you operate across Nordic markets, map the supervisory overlap. The four NCAs are asking similar questions with different emphasis. A coordinated approach to DORA compliance that accounts for local supervisory priorities will be more efficient, and more defensible than treating each country in isolation.

The Nordic NCAs have made their position clear. Digital resilience is not a secondary concern or a compliance checkbox. It is a core supervisory priority that will shape how institutions are assessed, examined, and where necessary sanctioned in 2026 and beyond.

The question is no longer whether regulators will look at your ICT resilience framework. It is whether that framework will hold up when they do.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →