FORTISEU
Banking & Financial Services | DORA | NIS2 | ISO 27001 | GDPR

From spreadsheet chaos to DORA-compliant ICT register in 8 weeks

We had 340 ICT service arrangements tracked across 14 spreadsheets maintained by 6 different teams. Nobody had a complete picture. FortisEU gave us a single source of truth and the confidence to face our supervisor.

CISO, Nordic Financial Group

Industry
Banking & Financial Services
Size
2,500 employees
Headquarters
Nordic region
Frameworks
DORA, NIS2, ISO 27001, GDPR
The Challenge

When DORA's application date of 17 January 2025 approached, the group's compliance team faced an uncomfortable reality: their ICT third-party risk management existed primarily in spreadsheets, email threads, and the institutional memory of long-serving staff. The Article 28(3) register of information — a core DORA requirement — simply did not exist as a unified, auditable dataset.

The group operated across three Nordic jurisdictions with multiple banking licences, an asset management subsidiary, and a payment services provider. Each entity maintained its own vendor lists, contract repositories, and risk assessments — with no standardised taxonomy, no concentration risk view, and no automated way to identify which ICT providers supported critical or important functions.

Their national competent authority had signalled that ICT third-party risk management would be an early supervisory priority, with on-site inspections expected within the first 12 months of DORA application. The clock was ticking.

Fragmented ICT provider inventory

340 ICT service arrangements spread across 14 spreadsheets maintained by 6 teams, with no single authoritative register or consistent categorisation methodology.

No concentration risk visibility

Unable to quantify dependency on individual ICT providers across group entities. Cloud concentration risk — particularly on two hyperscaler providers — was assessed qualitatively, not quantitatively.

Manual contract review backlog

Over 200 contracts needed review against DORA Article 30 contractual requirements. At the existing pace, contract remediation would take 18+ months.

Supervisor expectations imminent

National competent authority signalled ICT third-party risk as a Year 1 supervisory priority, with on-site inspections expected within 12 months of DORA application.

The Solution

The group deployed FortisEU's DORA compliance module across all regulated entities within the group. Implementation followed a phased approach: first the centralised ICT third-party register, then incident classification workflows, and finally integration with the existing ISO 27001 control framework.

FortisEU's register of information module provided the Article 28(3) structure out of the box: provider identity, services provided, data storage jurisdictions, sub-contractor chains, criticality classification, and concentration risk scoring. The group imported existing vendor data from their fragmented spreadsheets and used FortisEU's questionnaire workflows to fill gaps directly with ICT providers.

ICT Third-Party Register

Centralised, Article 28(3)-compliant register with automated concentration risk scoring, sub-contractor chain tracking, and jurisdiction mapping for all 340 ICT service arrangements.
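The concentration scoring described above is the part of a register that a spreadsheet keyed on the direct contracting party cannot give you: two SaaS vendors and one direct hosting contract can all resolve to the same hyperscaler. The following is an added illustration, not FortisEU's code or schema. It assumes a minimal register schema (`Arrangement`), constructed sample rows with made-up provider and entity names, and an escalation threshold of 50% of critical functions; all of these are assumptions, not figures from the case study.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


# Illustrative register schema (assumed, not FortisEU's). A real Article 28(3)
# register carries many more fields; these are the ones concentration scoring needs.
@dataclass(frozen=True)
class Arrangement:
    ref: str                          # contractual reference number
    entity: str                       # group entity that uses the service
    provider: str                     # direct ICT third-party provider
    function: str                     # business function the service supports
    critical: bool                    # critical or important function under DORA?
    jurisdictions: tuple[str, ...]    # where data is stored / processed
    subcontractors: tuple[str, ...] = ()   # sub-contractor chain, nearest first


# Constructed sample rows: three different direct providers all run on "CloudA".
REGISTER = [
    Arrangement("C-001", "Bank NO", "CoreSuite", "core banking", True, ("NO", "IE"), ("CloudA",)),
    Arrangement("C-002", "Bank SE", "CoreSuite", "core banking", True, ("SE", "IE"), ("CloudA",)),
    Arrangement("C-003", "Bank NO", "PayHub", "payments", True, ("NL",), ("CloudA",)),
    Arrangement("C-004", "PSP", "PayHub", "card processing", True, ("NL",), ("CloudA",)),
    Arrangement("C-005", "AssetMgmt", "CloudA", "portfolio management", True, ("IE",)),
    Arrangement("C-006", "Bank DK", "CloudA", "treasury", True, ("DK", "IE")),
    Arrangement("C-007", "Bank NO", "CloudB", "identity", True, ("NO",)),
    Arrangement("C-008", "Bank SE", "CloudB", "identity", True, ("SE",)),
    Arrangement("C-009", "Bank NO", "HRCloud", "HR", False, ("DE",), ("CloudB",)),
]


def effective_providers(arr: Arrangement, include_chain: bool = True) -> set[str]:
    """Every provider the arrangement ultimately depends on."""
    providers = {arr.provider}
    if include_chain:
        providers.update(arr.subcontractors)
    return providers


def concentration(register, critical_only=True, include_chain=True) -> dict[str, float]:
    """Share of distinct (entity, function) pairs that depend on each provider.

    With include_chain=True a hyperscaler sitting behind several SaaS vendors is
    credited with every function those vendors support, which is the dependency
    a register keyed only on the direct contracting party never shows.
    """
    rows = [a for a in register if a.critical or not critical_only]
    functions = {(a.entity, a.function) for a in rows}
    if not functions:
        return {}
    deps: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for a in rows:
        for p in effective_providers(a, include_chain):
            deps[p].add((a.entity, a.function))
    return {p: round(len(f) / len(functions), 2) for p, f in sorted(deps.items())}


def flag_concentrations(scores: dict[str, float], threshold: float = 0.5) -> list[str]:
    """Providers whose share of functions reaches an (assumed) escalation threshold."""
    return sorted(p for p, s in scores.items() if s >= threshold)


def jurisdictions_by_provider(register) -> dict[str, set[str]]:
    """Data storage/processing jurisdictions per direct provider, the raw input
    for the register's jurisdiction mapping and for spotting third-country transfers."""
    out: dict[str, set[str]] = defaultdict(set)
    for a in register:
        out[a.provider].update(a.jurisdictions)
    return dict(out)


if __name__ == "__main__":
    direct = concentration(REGISTER, include_chain=False)
    effective = concentration(REGISTER)
    print("direct   :", direct)      # CloudA looks like a 25% dependency
    print("effective:", effective)   # CloudA is really a 75% dependency
    print("flagged  :", flag_concentrations(effective))
```

On the sample data the direct view credits CloudA with 25% of critical functions while the chain-aware view credits it with 75%, which is the kind of hidden dependency the case study reports finding once sub-contractor chains were captured. Which sub-contractor tiers count, and what threshold triggers escalation, are policy decisions for the institution; the code simply makes them explicit parameters.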

Contract Gap Analysis

Automated assessment of existing contracts against DORA Article 30 requirements, generating remediation checklists and priority rankings based on provider criticality.

Incident Classification

Pre-configured major incident classification criteria aligned with DORA Article 18, with automated workflow triggers for the Article 19 reporting deadlines: initial notification within 4 hours of classifying an incident as major, intermediate report within 72 hours, and final report within 1 month.

Cross-Framework Mapping

Automatic control mapping between DORA ICT risk management, ISO 27001 Annex A, and NIS2 Article 21 — eliminating duplicate evidence collection across the group's three overlapping frameworks.

8 weeks from deployment to supervisor-ready register
The Results
340 ICT arrangements centralised: from 14 spreadsheets to a single Article 28(3)-compliant register
8 weeks to supervisor readiness: from deployment to a complete, auditable DORA register across all group entities
62% of contract gaps auto-identified: of 200+ contracts, those flagged for Article 30 remediation, prioritised by provider criticality
3x faster evidence collection: cross-framework mapping eliminated duplicate evidence requests across DORA, ISO 27001 and NIS2

Within 8 weeks of deployment, the group had a complete, supervisor-ready ICT third-party register covering all regulated entities. The national competent authority conducted its first on-site review 4 months after DORA application and specifically commended the group's register completeness and concentration risk documentation.

Beyond the immediate DORA compliance outcomes, the centralised register revealed several previously invisible concentration risks that the group was able to address proactively — including a single cloud provider supporting 73% of critical functions across the group.

The supervisor review went from our biggest anxiety to a non-event. We could demonstrate a complete register, articulate our concentration risks, and show remediation progress on contract gaps — all from a single dashboard. That is what operational readiness looks like.
Head of Compliance, Nordic Financial Group

Ready to Build Your Compliance Story?

See how FortisEU can operationalise your compliance programme. Create an account or schedule a personalised demo.