Nordic Banks DORA Implementation: How Scandinavian Financial Institutions Built a Shared Resilience Framework
Sector: Banking | Institutions: Nordic Banking Sector (DNB, Nordea, SEB, Handelsbanken) | Period: 2024-2025 (implementation period; operational by January 2025)

Facing DORA's requirements with lean compliance teams, Nordic financial institutions pooled resources, shared testing infrastructure, and developed common frameworks — achieving faster compliance at lower cost.

Key Metrics

  • Cost Reduction: collaborative framework (was: independent implementation); 30-40% estimated savings.
  • Time to Compliance: 6 months faster (was: standard timeline), through shared frameworks and pooled resources.
  • Information Sharing: formal Art. 45 arrangements (was: informal exchanges); structured cross-institution threat intelligence.
  • Vendor Assessment Efficiency: pooled sector assessment (was: independent per-institution assessment); eliminated duplicative assessments of shared providers.

The Situation

The Collaborative Framework

The Nordic DORA implementation approach evolved through several interconnected collaborative mechanisms, each addressing specific aspects of the regulation's requirements while respecting the entity-specific nature of compliance obligations.

Shared threat intelligence and information sharing (Art. 45). The Nordic financial sector had existing information sharing arrangements predating DORA, including sector-specific CERTs and threat intelligence sharing platforms. DORA Art. 45's encouragement of information sharing arrangements between financial entities provided formal regulatory backing for these existing practices. The Nordic institutions formalized and expanded their information sharing, establishing structured threat intelligence exchange covering ICT-related incidents, vulnerability intelligence, and attack pattern analysis. This collaborative intelligence created a collective defense posture that exceeded what any individual institution could achieve alone.

Common testing frameworks (Art. 24-27). Rather than each institution independently developing resilience testing methodologies, several Nordic banking groups collaborated on shared testing frameworks, scenario libraries, and assessment criteria. These common frameworks reduced the duplication of effort in designing testing programmes while ensuring consistency in testing quality across institutions. The shared approach was particularly valuable for Art. 26 threat-led penetration testing (TLPT), where the cost and complexity of TLPT exercises incentivized collaborative approaches to test design, threat intelligence sourcing, and red team engagement.

Pooled vendor assessment resources (Art. 28). Nordic banks recognized that many of their ICT third-party providers were shared across the sector. Rather than each institution conducting independent vendor assessments of the same providers, a pooled assessment approach allowed institutions to share assessment findings (within appropriate confidentiality boundaries), coordinate audit activities, and develop common assessment questionnaires aligned with DORA's requirements.

Regulatory interpretation forums. The practical interpretation of DORA's requirements — how to classify specific incident types, how to assess proportionality for smaller institutions, how to handle cross-border register submissions — benefited from structured forums where Nordic institutions shared their interpretive approaches and converged on common understandings before engaging with NCAs.

Shared technology platforms. Some Nordic institutions explored shared technology platforms for DORA compliance functions — register data management, incident classification tools, and testing orchestration platforms. By sharing development costs and operational overhead, institutions could access compliance tooling at a fraction of the per-institution cost of building or procuring independently.

The Challenge

The Nordic Efficiency Imperative

The Nordic banking sector entered the DORA compliance cycle with a distinctive set of characteristics that shaped its implementation approach. Nordic banks, including DNB (Norway), Nordea (Finland/Sweden), SEB (Sweden), Handelsbanken (Sweden), and Danske Bank (Denmark), are among the most digitally advanced financial institutions in Europe. They operate in economies where digital payment adoption exceeds 95%, where cash transactions represent less than 10% of all consumer payments, and where banking services are deeply integrated into national digital identity infrastructure.

This digital maturity created a paradox for DORA compliance. On one hand, Nordic banks had already invested heavily in cybersecurity, business continuity, and IT risk management — their digital-first operating models demanded it. On the other hand, DORA's comprehensive and prescriptive requirements created compliance overhead that risked disproportionate impact on institutions that, by Nordic banking standards, maintained lean compliance teams relative to their Anglo-Saxon and Continental European counterparts.

A DNB-sponsored survey of DORA preparedness across Dutch and Nordic financial institutions in 2024 revealed that many institutions had underestimated the scope of DORA's requirements. While cybersecurity and incident management were areas of existing strength, the Register of Information, formal resilience testing programmes, and the documentation requirements for third-party risk management represented significant new compliance burdens. The survey found that institutions with fewer than 500 employees — which includes many Nordic Tier 2 and Tier 3 institutions — faced particularly acute resource challenges.

The Nordic banking tradition of cooperative problem-solving — manifest in shared payment infrastructure (BankID, Vipps, MobilePay, Swish), common regulatory interpretation forums, and cross-institutional working groups — suggested a collaborative approach to DORA implementation that would reduce per-institution costs while maintaining the quality of compliance outcomes.

The question was whether DORA's institutional-level obligations could be met through collaborative frameworks, or whether the regulation's entity-specific requirements demanded purely institutional responses. The Nordic experience demonstrated that the answer was a carefully structured combination of both.

The Approach

DORA's Enablers for Collaboration

The Nordic collaborative approach was not a workaround of DORA's requirements — it was explicitly enabled by several of the regulation's provisions, which recognize that collaboration can enhance operational resilience at the systemic level.

Art. 45 — Information Sharing Arrangements

DORA Art. 45 provides the most explicit regulatory backing for the Nordic approach. Art. 45(1) states that financial entities "may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools." The permission is conditional rather than open-ended: the exchange must aim to enhance the entities' digital operational resilience, take place within trusted communities of financial entities, and be implemented through arrangements that protect the potentially sensitive nature of the information and are governed by rules of conduct respecting business confidentiality, personal data protection and competition policy. Participating entities must also notify their competent authority of their participation in such arrangements, so a sector-wide sharing scheme is visible to the NCAs rather than an informal side channel.

The Nordic implementation went beyond simple intelligence sharing. Institutions established formal information sharing agreements with defined scope, governance, and confidentiality protections. These agreements covered not only threat intelligence but also incident lessons learned, resilience testing outcomes (at an appropriate level of abstraction), and vendor assessment findings. The result was a collaborative intelligence ecosystem that improved each institution's individual resilience while contributing to sector-wide resilience.

Art. 4 — Proportionality Principle

DORA Art. 4 establishes that the regulation's requirements must be applied proportionately, taking into account the entity's size, risk profile, nature, scale, and complexity of its services. For smaller Nordic institutions — those with limited compliance teams and budgets — the proportionality principle justified collaborative approaches that achieved compliance outcomes at costs proportionate to the institution's size.

The collaborative framework allowed smaller institutions to benefit from the investment and expertise of larger institutions, creating a rising-tide effect where the sector's overall DORA compliance quality exceeded what individual smaller institutions could have achieved independently.

Art. 24-27 — Resilience Testing Collaboration

While DORA's testing requirements are entity-specific (each institution must test its own systems), the shared frameworks developed by Nordic institutions addressed the design, methodology, and assessment criteria rather than the testing itself. This distinction is important: the actual testing remained institution-specific, but the efficiency of designing and preparing for testing was significantly improved through collaboration.

For TLPT (Art. 26), the collaborative approach was particularly valuable. TLPT exercises require significant resources, including threat intelligence sourcing, red team engagement and scenario design, that are expensive for any single institution. Nordic institutions explored coordinated TLPT approaches where multiple institutions engaged the same red team providers (at different times, against different systems) to reduce per-institution costs while maintaining the rigour of individual testing. Where a shared ICT third-party provider fell within several institutions' TLPT scope, Art. 26(4) also allows pooled testing of that provider under the direction of one designated financial entity. In every variant, each entity remains responsible for its own test, for the involvement of its competent authority, and for the independence and qualification requirements that Art. 27 places on testers.

The Cost Efficiency Outcome

The Nordic collaborative approach achieved measurable efficiency gains:

  • Estimated 30-40% cost reduction in DORA compliance programme costs through shared infrastructure, pooled assessments, and common frameworks.
  • Approximately 6 months faster time to compliance compared to institutions implementing independently, due to reduced duplication of effort in framework development and regulatory interpretation.
  • Higher quality outcomes as smaller institutions benefited from the compliance expertise and investment of larger Nordic banks, creating a more uniform and robust compliance standard across the sector.

The Results

A Model for Proportionate DORA Implementation

The Nordic collaborative DORA implementation provides a replicable model for how financial sectors — particularly those with strong existing cooperation traditions — can achieve regulatory compliance efficiently without compromising quality.

Measurable Outcomes

Cost efficiency: The estimated 30-40% cost reduction compared to independent implementation was achieved primarily through three mechanisms: pooled vendor assessments (eliminating duplicative assessments of shared providers), shared testing frameworks (reducing per-institution framework development costs), and common regulatory interpretation (reducing the cost of regulatory uncertainty).

Time to compliance: Nordic institutions that participated in the collaborative framework achieved operational readiness approximately six months ahead of institutions implementing independently. This acceleration was particularly significant given that DORA's application date was fixed (January 17, 2025) and could not be deferred — earlier readiness translated directly into reduced compliance risk.

Quality improvement: Smaller Nordic institutions reported higher-quality DORA compliance outcomes than they would have achieved independently, attributing the improvement to access to shared frameworks, common assessment criteria, and the collective expertise of larger institutions within the collaborative group.

Replicability Conditions

The Nordic model is not automatically transferable to all markets. Its success depended on several pre-conditions:

1. Existing cooperation tradition. Nordic banking has a history of cooperative infrastructure (shared payment systems, common identity platforms) that created institutional trust and governance mechanisms suitable for collaboration. Markets without this tradition would need to build trust and governance structures before attempting collaborative compliance.

2. Common regulatory environment. While the Nordics span multiple EU/EEA member states with different NCAs, the regulatory environments are sufficiently similar that common interpretive frameworks were viable. Markets with highly divergent NCA interpretations may find collaborative interpretation more challenging.

3. Manageable sector size. The Nordic banking sector is large enough to achieve economies of scale through collaboration but small enough for institutions to coordinate effectively. Very large markets (Germany, France) may need to organize collaboration at the sub-sector or regional level.

4. Proportionality alignment. DORA Art. 4's proportionality principle was critical to legitimizing the collaborative approach. Institutions must demonstrate that collaborative mechanisms achieve compliance outcomes equivalent to independent implementation — not that collaboration is a shortcut to reduced requirements.

Implications for Other Markets

The Nordic model demonstrates that DORA's Art. 45 information sharing provisions, combined with the Art. 4 proportionality principle, create space for collaborative implementation approaches that can significantly reduce the cost of compliance for the sector as a whole. Banking associations, sector-specific CERTs, and industry working groups in other EU member states should evaluate whether similar collaborative frameworks could improve their DORA implementation efficiency.

The key insight is that collaboration addresses the efficiency of implementation, not the substance of compliance. Each institution remains individually responsible for its DORA obligations — but the path to meeting those obligations can be made significantly more efficient through structured cooperation.

Lessons Learned

  1. DORA Art. 45 information sharing provisions provide explicit regulatory support for collaborative approaches to operational resilience, enabling institutions to achieve collective defense postures that exceed individual capabilities.
  2. DORA Art. 4 proportionality principle legitimizes collaborative implementation for smaller institutions, provided the collaboration achieves compliance outcomes equivalent to independent implementation.
  3. Shared testing frameworks (Art. 24-27) reduce per-institution costs while maintaining testing quality. The distinction between shared methodology and entity-specific testing execution is critical for compliance.
  4. Pooled vendor assessments (Art. 28) eliminate duplicative assessment of shared providers, but require governance mechanisms to protect confidentiality and ensure assessment quality.
  5. Collaborative DORA implementation requires pre-existing institutional trust and governance structures. Markets without cooperation traditions must invest in relationship-building before attempting collaborative compliance.

Tags: Nordic, collaborative, Art-45, Art-24, Art-4, shared-framework, cost-efficiency, information-sharing, proportionality

Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the participating institutions' context and may not be directly replicable.