DORA
Published: June 2025

Introduction

In April 2025, Northwave hosted a webinar on the new DORA regulation. DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation aimed at strengthening the digital operational resilience of the financial sector, bringing increased requirements for cybersecurity, ICT risk management, incident reporting and third-party oversight. Although the regulation has applied since 17 January 2025, many organizations are still struggling to understand how to apply it in practice, especially when it comes to governance, strategic risk management, and third-party supplier oversight. For those who couldn't attend the webinar, the key insights are summarized in this article.

In addition to moderator Kim Elman from Northwave Cyber Security, the panel included Regina Sipos, Chair of the Board at Frilans Finans; Markus Alin, Founder and CEO of Sharpfin; Sheila Majstorovic, CISO at Lynx Asset Management; and Per Bäckström Grå, CISO at UC. The discussion focused on how executive teams and boards should handle DORA strategically, what organizations must do to achieve compliance, and how the regulation changes the management of third-party providers.

DORA from a Leadership Perspective

Cybersecurity is now a critical issue from several angles. For board members, it involves overarching responsibility for risk management across the company and the ability to keep the business running.

“The board should have knowledge surrounding DORA, but this requires expertise that board members may not always have. A competent chairperson must therefore bridge the knowledge gap through education, external support, and self-learning,” said Regina Sipos.

At the same time, DORA is a highly detailed regulation that requires deep understanding to fully grasp. Per Bäckström Grå highlighted that it enforces systematics and clarity, especially within risk management. Companies that already run structured risk management processes will likely find DORA easier to implement. Sheila Majstorovic agreed:

“The role of the CISO becomes crucial in helping leadership make DORA central and understandable by linking it to business value. A common misconception is that the IT department handles security, but in fact, it's a business risk – and leadership must treat it as such by understanding, investing, and prioritizing,” she said.

The panel agreed that recent years have shown a shift: boards and leadership teams are now more interested and aware of the importance of cybersecurity. This shift is driven partly by today’s geopolitical climate and partly by multiple examples of devastating consequences from cyberattacks.

“The penny has dropped – though the hard way. Today, there’s a real understanding of how bad things can get,” said Regina Sipos.

DORA’s Impact on Technology and Cybersecurity

The webinar also addressed how DORA requires companies to invest in secure technologies, improve incident reporting, and enhance risk management at a technical level. Markus Alin pointed out that much of it is about understanding the risks an organization is exposed to.

“The entire organization must be aware of the risks in order to drive the strategic work forward. If you don’t take DORA seriously, you should be concerned – especially if your IT landscape is fragmented,” he said.

DORA will require thorough risk assessments and reporting, including reporting to customers. Per Bäckström Grå noted that it might be a challenge for some companies to expose their “dirty laundry.” However, a well-articulated security strategy and the DORA requirements can work well in synergy.

“It's all about strengthening resilience against digital threats and building organizational robustness. I use DORA as a catalyst to drive change from reactive to proactive. The result is that one plus one equals three,” said Sheila Majstorovic.


DORA’s Demands on Third-Party Risk Management

One clear effect of DORA is the increased demands on third-party risk management, meaning that companies now need clear processes and contracts in place. For those who have worked on implementing the Corporate Sustainability Reporting Directive (CSRD), many similarities can be found.
“There are two key takeaways from CSRD that we can reuse. First, we’ve learned that this is a cultural issue. Boards must live and breathe the importance of following regulations. Second, it’s about how we report risk. Audit firms have developed matrix-based thinking around CSRD, which can also be applied to DORA,” said Regina Sipos.

Requirements on suppliers extend deep into the supply chain, and risks from subcontractors must also be addressed. As a supplier, it is essential to ensure that contracts clearly state what must be fulfilled. Many companies now want audit clauses in agreements that extend to third- and fourth-party vendors, which can be a significant challenge.

“Although it’s challenging, it’s critical to gain that visibility and the ability to audit third-party providers. DORA requires us to take responsibility for the entire supply chain,” said Sheila Majstorovic.


What Should Companies Prioritize Now?

So, what is most important for companies to do right now to ensure everything is in place? From a leadership perspective, Regina Sipos emphasized the need for education, budgeting for the issue, and building a culture that prioritizes this work. Markus Alin added that the first step is understanding the spirit of the regulation and focusing on the areas within the organization where it creates the most value.

“At Sharpfin, we embrace all regulations. If we’re good at it, our customers are more likely to buy our product. There’s also a willingness to pay a higher price if we offer a service that goes beyond just software,” he said.

“We’re all in the same boat. No one has all the answers on how to handle DORA – but we just have to start rowing,” concluded Per Bäckström Grå.
