1. Navigating DORA Reporting in Denmark: A Critical Imperative for Financial Institutions
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union regulation that harmonizes and strengthens the digital operational resilience of financial entities. It applies from January 17, 2025. In Denmark, Finanstilsynet (the Danish Financial Supervisory Authority) oversees and enforces DORA compliance; this mandate was established through an amendment to the Danish Financial Business Act on May 2, 2024. This guide is aimed at CISOs, risk managers, and compliance officers in Danish financial institutions and covers the practical challenges of DORA reporting to Finanstilsynet, with an emphasis on how the reporting process supports security posture and consumer trust.
2. DORA Fundamentals: Key Definitions and Scope for Danish Entities
DORA’s primary objective is to ensure financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The Act is structured around five core pillars:
- ICT risk management
- Incident reporting
- Resilience testing
- Third-party risk management
- Information sharing
DORA applies to a broad range of financial entities operating in Denmark, including:
- Credit institutions, payment institutions, and electronic money institutions
- Investment firms, insurance and reinsurance undertakings, and pension funds
- Crypto-asset service providers, central securities depositories, and trading venues
- ICT third-party service providers designated as critical (e.g., cloud and data-center providers), which fall under the EU-level oversight framework led by the ESAs rather than under Finanstilsynet's direct supervision
Finanstilsynet has the authority to oversee DORA compliance within the Danish financial sector and to sanction infringements. DORA's proportionality principle (Article 4) lets financial entities scale how they apply the requirements to their size, risk profile, and operational complexity; it does not waive the incident reporting obligation.
3. Demystifying DORA Reporting Requirements for Finanstilsynet Denmark
Financial entities are obligated under DORA Article 19 to report major ICT-related incidents to Finanstilsynet and may voluntarily notify it of significant cyber threats. Whether an incident is "major" is determined under DORA Article 18 and the classification RTS (Commission Delegated Regulation (EU) 2024/1772), which combine quantitative and qualitative criteria into materiality thresholds. The classification decision must be documented with its timestamp, because the 4-hour clock for the initial notification starts at that moment.
Quantitative factors include:
- Economic impact (direct and indirect costs and losses)
- Number of clients, financial counterparts, and transactions affected
- Duration of the incident and downtime of critical services
- Data losses affecting availability, authenticity, integrity, or confidentiality
Qualitative factors include:
- Reputational impact
- Geographical spread (in particular, effects in more than one Member State)
- Criticality of the services affected
The reporting process for major ICT incidents involves three stages:
- Initial Notification: Submitted as early as possible and within 4 hours of classifying the incident as major, but no later than 24 hours after the entity became aware of it. A slow classification does not extend the deadline; the 24-hour cap from awareness still applies. It contains the essential facts known at that point.
- Intermediate Report: Submitted within 72 hours of the initial notification, even if nothing has changed, with further updates when the incident's status changes materially or at Finanstilsynet's request. It updates the status, impact estimates, and measures taken.
- Final Report: Submitted within one month of the latest intermediate report, once the root cause analysis is complete. It replaces estimates with actual impact figures and records the root cause and lessons learned.
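The two caps on the initial notification interact in a way that is easy to get wrong in a ticketing workflow: a slow classification does not buy time, because the 24-hour limit from awareness still applies. The following Python is an added example, not code from the original page or from Finanstilsynet; it encodes the three stages as a deadline tracker that an incident-management integration could call. It assumes timestamps arrive as ISO-8601 strings carrying a UTC offset, reads "one month" as a calendar month clamped to month end (an assumption about the RTS wording), and leaves the classification thresholds themselves out of scope.

```python
"""Deadline tracker for DORA major-incident reporting (added example, not part
of the original page). Only the reporting timelines are encoded; the thresholds
for classifying an incident as major are out of scope here."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # from classification as major
INITIAL_AFTER_AWARENESS = timedelta(hours=24)       # hard cap from first awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # from the initial notification


def parse_ts(value: str, name: str) -> datetime:
    """Parse an ISO-8601 timestamp and reject naive ones: mixing local and UTC
    wall-clock times is the easiest way to miss a 4-hour window."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must carry a UTC offset: {value!r}")
    return ts


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month arithmetic, clamped to the last day of the target month.
    Assumption: 'one month' is a calendar month, so Jan 31 -> Feb 28 (or 29)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class IncidentClock:
    aware_at: datetime                 # moment the entity became aware
    classified_major_at: datetime      # moment the "major" classification was recorded
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: list[datetime] = field(default_factory=list)
    final_sent_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.classified_major_at < self.aware_at:
            raise ValueError("classification cannot precede awareness")

    def initial_deadline(self) -> datetime:
        """Earlier of the two caps: slow classification never extends the 24 h limit."""
        return min(self.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
                   self.aware_at + INITIAL_AFTER_AWARENESS)

    def intermediate_deadline(self) -> Optional[datetime]:
        if self.initial_sent_at is None:
            return None
        return self.initial_sent_at + INTERMEDIATE_AFTER_INITIAL

    def final_deadline(self) -> Optional[datetime]:
        """One month after the latest intermediate report."""
        if not self.intermediate_sent_at:
            return None
        return add_one_month(max(self.intermediate_sent_at))

    def overdue(self, now: datetime) -> list[str]:
        """Reports whose deadline has passed without a submission being recorded."""
        late: list[str] = []
        if self.initial_sent_at is None and now > self.initial_deadline():
            late.append("initial")
        inter = self.intermediate_deadline()
        if inter is not None and not self.intermediate_sent_at and now > inter:
            late.append("intermediate")
        final = self.final_deadline()
        if final is not None and self.final_sent_at is None and now > final:
            late.append("final")
        return late


def incident_clock(aware: str, classified: str, initial_sent: Optional[str] = None,
                   intermediate_sent: tuple[str, ...] = (),
                   final_sent: Optional[str] = None) -> IncidentClock:
    """Build a clock from ISO-8601 strings (the form ticketing and SIEM tools export)."""
    return IncidentClock(
        aware_at=parse_ts(aware, "aware"),
        classified_major_at=parse_ts(classified, "classified"),
        initial_sent_at=parse_ts(initial_sent, "initial_sent") if initial_sent else None,
        intermediate_sent_at=[parse_ts(t, "intermediate_sent") for t in intermediate_sent],
        final_sent_at=parse_ts(final_sent, "final_sent") if final_sent else None,
    )


if __name__ == "__main__":
    # Constructed timestamps, not a real incident. Awareness late on a Friday;
    # classification finished 3 h 20 min later, so the 4-hour rule governs.
    fast = incident_clock("2025-03-07T22:10:00+00:00", "2025-03-08T01:30:00+00:00")
    print("initial due:", fast.initial_deadline().isoformat())  # 2025-03-08T05:30:00+00:00
    # Same awareness, but classification dragged on: the 24-hour cap governs instead.
    slow = incident_clock("2025-03-07T22:10:00+00:00", "2025-03-08T20:00:00+00:00")
    print("initial due:", slow.initial_deadline().isoformat())  # 2025-03-08T22:10:00+00:00
    print("overdue now:", slow.overdue(parse_ts("2025-03-09T00:00:00+00:00", "now")))  # ['initial']
```

Feeding the tracker from the same timestamps the incident record carries (awareness, classification, each submission) keeps the evidence trail and the deadline calculation consistent, which is what an inspector will compare.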
All DORA-related incident reports are submitted via the virk.dk platform, authenticated with MitID Erhverv, using the standardized forms provided there. The standardized format allows Finanstilsynet to forward the information to the European Supervisory Authorities (ESAs), the European Central Bank (ECB), and the national NIS2 authority as required.
4. Practical Implementation: Building Your DORA Incident Reporting Framework
Establishing a DORA-compliant incident reporting framework requires a structured approach, starting with a robust ICT-related incident management process. This process should include:
- Continuous monitoring of IT systems for abnormal activities and cyber threats.
- Well-defined procedures for incident detection, logging, tracking, categorization, and classification.
- Clearly defined roles, responsibilities, and escalation paths for incident response, covering detection, investigation, containment, and recovery.
Use the standardized reporting templates from the ESAs' implementing technical standards for the initial, intermediate, and final reports. These templates require specific data points such as the incident's nature, affected systems, detection and classification times, impact, response measures, and the entity's Legal Entity Identifier (LEI). While not applicable in Denmark, the Norwegian Finanstilsynet's KRT-1190 ICT incident form can offer a useful picture of the level of detail supervisors expect.
Thorough documentation and evidence-keeping are essential. Maintain detailed records of all ICT-related incidents and significant cyber threats, including the timestamps of awareness, classification, and each submission, together with the relevant policies, processes, and testing results. Internal coordination among ICT, risk management, compliance, and legal departments is vital. For incidents involving third-party ICT service providers, ensure the contractual clauses DORA requires (Article 30) oblige the provider to notify you promptly and to assist with the incident, so that your own reporting clock can be met.
5. Overcoming Challenges in DORA Reporting Finanstilsynet Denmark
DORA compliance presents several challenges for financial institutions:
- Interpreting Proportionality: Determining how to appropriately apply DORA requirements based on an institution’s size and risk profile.
- Resource Constraints: Insufficient investment in technology, cybersecurity measures, and specialized expertise.
- Framework Integration: Harmonizing existing Danish ICT security regulations and incident management processes with DORA.
- Data Collection: Gathering comprehensive, standardized data within strict DORA timelines.
- Third-Party Contracts: Ensuring contracts include DORA-mandated provisions and incident reporting capabilities.
- Board and Management Accountability: Elevating digital security to a direct management responsibility and demonstrating active oversight.
- RTS/ITS Deadlines: Limited time for implementation, because several Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) were finalized close to the application date.
6. DORA and NIS2 in Denmark: Navigating Overlaps and Ensuring Unified Compliance
The NIS2 Directive expands cybersecurity requirements across many sectors, categorizing entities as "essential" or "important"; its EU transposition deadline was October 18, 2024. For the financial sector in Denmark, the NIS2-related obligations are implemented through the Danish Financial Business Act (with an effective date of October 18, 2024, for IT suppliers).
However, the "lex specialis" principle (NIS2 Article 4) means that DORA, as the sector-specific act for financial entities, takes precedence over NIS2 where both address the same subject, including ICT risk management and incident reporting. For financial institutions, DORA's requirements therefore generally supersede those of NIS2.
Key differences and overlaps in reporting remain: DORA has a more prescriptive incident reporting framework with fixed deadlines, while NIS2 centres on "significant incidents." Finanstilsynet is the reporting authority for financial entities under DORA, while the Centre for Cyber Security (CFCS) acts as the national hub for NIS2 reports. An integrated compliance strategy covering both DORA and NIS2 is recommended, particularly for groups that contain both financial entities and NIS2-only entities, to ensure comprehensive coverage and avoid fragmentation.
7. Real-World Scenarios and Best Practices for DORA Reporting Success
Scenario 1: Major Ransomware Attack. A Danish bank hit by ransomware must record the moment of awareness and the moment of classification as major, then track the incident through all reporting stages (initial, intermediate, final) to Finanstilsynet, culminating in root cause analysis and remediation in the final report.
Scenario 2: Critical Cloud Service Outage. A financial institution relying on a critical cloud service provider must receive prompt notification from the vendor about a significant outage and be able to translate it into the institution's own impact on clients and critical services, because the reporting obligation and its deadlines rest with the financial entity, not the provider.
DORA Reporting Readiness Checklist:
- Assess and update the ICT risk management framework.
- Review and enhance incident response procedures.
- Map critical functions and supporting ICT assets.
- Conduct gap analysis for third-party contracts.
- Train staff on DORA reporting obligations and timelines.
- Establish clear internal communication protocols.
- Test reporting workflows end-to-end.
Proactive engagement with Finanstilsynet for local clarifications, thematic studies, and consultative models is advised. Leveraging automation for data collection and partnering with DORA compliance service providers knowledgeable in Danish regulations and the EU context is also recommended.
8. Frequently Asked Questions about DORA Reporting Finanstilsynet Denmark
- When does DORA officially apply in Denmark?
- DORA has applied since January 17, 2025.
- What types of financial entities are covered by DORA in Denmark?
- Credit institutions, payment institutions, investment firms, insurance companies, crypto-asset service providers, and critical ICT third-party service providers.
- What is a “major ICT-related incident” under DORA?
- Defined by DORA Article 18 and RTS, considering quantitative (financial impact, client impact, downtime, data volume) and qualitative factors (reputation, geography, criticality).
- What are the key reporting deadlines for DORA incidents to Finanstilsynet?
- Initial notification: within 4 hours of classification as major, and no later than 24 hours after awareness. Intermediate report: within 72 hours of the initial notification. Final report: within one month of the latest intermediate report.
- How do DORA reporting requirements interact with NIS2 in Denmark?
- DORA, as the "lex specialis," takes precedence for financial entities; NIS2 still applies to entities and activities outside DORA's scope, so both may need to be considered within a group.
- What role does Finanstilsynet play in DORA supervision?
- Oversees and enforces compliance, conducts inspections, and provides guidance.
- Can financial entities voluntarily report cyber threats under DORA?
- Yes, voluntary notification of significant cyber threats is permitted.
- What are the consequences of non-compliance with DORA in Denmark?
- Sanctions, stricter supervision, increased capital requirements, and reputational damage.
9. Conclusion: Securing Denmark’s Financial Future Through DORA Compliance
DORA reporting to Finanstilsynet in Denmark is a strategic opportunity to enhance digital operational resilience, strengthen consumer trust, and secure the nation’s financial future. Proactive engagement, meticulous implementation, and continuous improvement are key to achieving compliance and building a robust cybersecurity posture. Engaging a virtual CISO can provide expert support in navigating this complex regulatory landscape. CyAdviso offers DORA readiness assessments, reporting design, and vCISO services to assist Danish financial institutions.