Recent attacks on BankID, warnings from Riksbanken, a sharper Swedish focus on cyber resilience and the rapid development of advanced AI models all point in the same direction: for DORA-covered firms, operational resilience is not a project to close, but a capability to prove, continuously.


Introduction

When the Digital Operational Resilience Act (DORA) started to apply on January 17, 2025, many financial entities quite naturally focused on implementation. Policies were updated, registers created, governance clarified and supplier arrangements reviewed. One year later, the key question changed. The issue is no longer whether the programme was completed on time. The issue is whether resilience has improved in the real operating environment, under real pressure, against real threats.

The warning signs are no longer theoretical

Three hours can be enough to expose how fragile a digital financial system really is. In April 2025, BankID was hit by an advanced overload attack that affected services such as Swish and bank logins. Even where user data remained protected, the incident showed how quickly disruption in a single digital dependency can spread into payments, authentication and access to essential services. It was not an isolated warning. In June 2025, Sweden’s Prime Minister said the country was “under attack” after several days of cyber-related disruptions and stated that banks and BankID had also been affected by DDoS attacks. Around the same time, Riksbanken warned that cyberattacks had increased in both strength and scope, that the risk of new attacks remained significant, and that digitalization was making the payments system more vulnerable.

For financial firms, the lesson is straightforward: the real risk is not only that an attacker gets in, but that disruption in identity services, payment flows, outsourced ICT services or critical suppliers rapidly becomes a customer issue, a continuity issue and a regulatory issue at the same time. As our expert John Wallhoff puts it: “Availability is now a board-level priority for financial institutions”.

A further shift is now emerging. Advanced AI models are beginning to change the speed and scale of cyber risk. The same capabilities that can help defenders identify vulnerabilities, improve threat detection and strengthen resilience testing can also help attackers find weaknesses faster, automate parts of the attack chain and put pressure on traditional patching, remediation and incident response processes. For financial firms, this makes the DORA agenda more urgent, not less.


Why DORA still matters one year after go-live

This is precisely the context in which DORA should be understood in 2026. It was never designed as a one-off regulatory sprint. It was designed as a resilience regime for a sector whose dependence on technology, outsourced services and interconnected digital ecosystems continues to deepen. As advanced AI becomes more capable, this dependency becomes even more important. AI can strengthen resilience, but it can also expose weak governance, poor dependency mapping and slow remediation processes.

That is why the hardest part of DORA begins after implementation. It is one thing to complete a gap assessment, approve governance documentation and establish reporting lines. It is another to show that those measures work under operational stress. Many firms have now reached that point: baseline compliance may have been achieved, but maturity is still uneven, and the real challenge is moving from compliance to defensibility.


The real test is operational, not documentary

That distinction matters more than many organisations admit. A firm can close actions, approve policies and formally complete a DORA programme without being operationally resilient. Governance can look robust in documentation while remaining weak in practice. Reporting lines can exist on paper without functioning under time pressure. Supplier oversight can appear complete while still leaving material blind spots in subcontracting chains, incident responsibility or contractual enforceability.

The question is therefore no longer simply: Have we implemented DORA? The question is: Can we prove that DORA works in practice?

This becomes especially important in resilience testing and third-party risk. Annual testing plans may exist, but advanced testing readiness is often limited. Supplier registers may have been established, but uncertainty often remains around dependency mapping, incident coordination and liability. In many firms, the real gaps only become visible when operations are disrupted or when realistic scenarios are tested across functions.

Supply-chain attacks must therefore be addressed much more directly. Resilience can no longer stop at the firm’s own boundary; it must include the outsourced ICT services, suppliers and subcontracting chains that support critical functions. This is where the development of advanced AI models becomes especially relevant. On the opportunity side, AI can support vulnerability detection and resilience testing. On the risk side, the same type of capability can help threat actors identify weaknesses faster, exploit software flaws at scale and target less mature suppliers in the wider ecosystem. Under DORA, threat-led penetration testing (TLPT) can extend to critical outsourced ICT services and relevant third parties, which is why firms should start working with TLPT today rather than treating it as a future compliance exercise. At the same time, recent developments in AI-driven cyber defence show how swiftly threat detection and response are accelerating. In this environment, “swiftly” increasingly means yesterday.


DORA is becoming more relevant—not less

Some organisations may ask whether Sweden’s new cybersecurity legislation (Cybersäkerhetslag) changes the equation. In practice, it strengthens the case for continued DORA work. For the financial sector, DORA remains the sector-specific resilience framework. At the same time, the broader Swedish regulatory direction reinforces the same underlying expectations: stronger governance, clearer management accountability, more disciplined incident handling and continuously improved resilience capability.

The message to firms that need to be DORA compliant is therefore straightforward: the compliance deadline may be behind you, but the resilience expectation is not. In that context, DORA is not becoming less relevant over time. It is becoming more revealing.


What financial firms should focus on now

One year after go-live, the right questions are sharper than they were during implementation:

  • Is governance actually working in practice, or does DORA still sit mainly with IT?
  • Are boards of directors and senior management receiving decision-useful insight on ICT risk, or mostly progress updates?
  • Are incident and escalation processes tested against realistic scenarios, or mainly described in documentation?
  • Can the organisation demonstrate that supplier oversight goes beyond certifications and questionnaires?
  • And if a serious disruption happened tomorrow, could the firm show not only that it had controls on paper, but that those controls had been used, validated and improved?
  • Are AI-related risks being treated as part of ICT risk, supplier governance and resilience testing, or still as a separate innovation topic?

This is also where the Nordic threat picture matters. Resilience in financial services can no longer be built only around internal controls. It must also be built around governance of external ICT dependencies and the ability to withstand disruption that originates outside the institution itself.


How Opticos can help

For many financial entities, the next logical step is not another implementation project. It is a structured post-implementation reality check.

At Opticos, we see this next phase as a DORA Annual Health Check: a focused review of scope, governance, implementation, evidence, validation and documentation; an assessment of how incident handling has worked over the past twelve months; and a practical evaluation of whether decision-making, escalation and ownership are clear, credible and defensible.

This often points to adjacent support areas that firms now need as well: pre-audit readiness, TLPT programme support, third-party and ICT vendor reality checks, stress testing and crisis validation, and targeted support on supplier governance and remediation planning. This work also drives both technical and organisational change, and for TLPT in particular, AI-enabled support is becoming available and increasingly important.


Final thought

Cyber risk in the Swedish financial ecosystem is not standing still. The disruption of BankID, the warnings from Riksbanken, the growth of supply-chain exposure and the rapid development of advanced AI models all point in the same direction: resilience must be active, exercised and continuously improved.

One year after implementation, DORA should therefore not be viewed as a completed milestone. It should be treated as an ongoing management discipline. For financial firms in Sweden, the real question is no longer whether DORA was implemented last year. The real question is whether the organisation is genuinely better prepared for the next disruption than it was before.


From formal compliance to operational resilience

Has your organisation proven that DORA works in practice—and not just on paper? Opticos helps financial entities move from implementation to defensible resilience through services such as Annual Health Check, pre-audit readiness, third-party and ICT vendor reality checks, stress testing and crisis validation, and targeted support on supplier governance and remediation planning.

Don’t wait to reach out.