Finansinspektionen Regulations on DORA Incident Reporting and Contractual Registers

Finansinspektionen’s Regulatory Code Publisher: Acting Chief Legal Counsel Sophie Degenne, Finansinspektionen, Sweden, www.fi.se ISSN 1102-7460 This translation is furnished solely for information purposes. Only the printed version of the regulation in Swedish applies for the application of the law. 1 Finansinspektionen’s regulations regarding reporting of incidents and registers of information according to the EU Regulation on digital operational resilience for the financial sector; decided on 18 December 2024. Finansinspektionen prescribes the following pursuant to section 2 of the Supplemental Provisions for the EU Regulation on Digital Operational Resilience for the Financial Sector Ordinance (2024:1292). Scope Section 1 These regulations contain provision on financial entities’ reporting under Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, referred to as the DORA Regulation in these regulations. The regulations apply to reporting of

1. serious ICT-related incidents, and
2. registers containing information on contractual agreements. Terms and expressions in these regulations have the same meaning as in the DORA Regulation. Section 2 These regulations apply to financial entities subject to both the scope of Article 2 of the DORA Regulation and Finansinspektionen’s supervision. Reporting of serious ICT-related incidents and voluntary notification of significant cyber threats Section 3 A financial entity shall report to Finansinspektionen serious ICT-related incidents pursuant to Article 19(1) of the DORA Regulation in the manner set out on Finansinspektionen’s website. The same applies to voluntary reporting of significant cyber threats as referred to in Article 19(2) of the DORA Regulation. Reporting of registers containing information on contractual arrangements Section 4 A financial entity shall grant Finansinspektionen access to its full register of information on contractual arrangements pursuant to Article 28(3), fourth FFFS 2024:20 Published on 27 December 2024

FFFS 2024:20 2 paragraph of the DORA Regulation by submitting the register to Finansinspektionen on a yearly basis no later than 28 February. The register shall be submitted in accordance with the instructions provided on Finansinspektionen’s website. The version of the submitted register shall refer to the circumstances at the end of the immediately preceding calendar year.

1. These regulations shall enter into force on 17 January 2025.
2. Reporting pursuant to section 4 shall be submitted for the first time no later than 15 April 2025. The version of the register that is submitted at this point in time, in derogation of that set out in section 4, shall refer to the circumstances at the end of March 2025. DANIEL BARR Agneta Blomquist