How SEB Achieved DORA Compliance with ARIS
CHALLENGES
- Tight timeline for DORA compliance, with regulations revised 3 months before deadline.
- Complex ICT ecosystem with many key processes relying on 50+ internal/external systems.
- Need to map, monitor, and risk-assess critical processes with an end-to-end perspective.
- Desire to adopt DORA and future regulations without overloading process owners.
- Need to deliver fast, accurate, and reliable regulatory reporting.
OUTCOMES
- Accelerated compliance using existing process structures.
- Integrated DORA into process review checklists in ARIS to avoid additional work.
- Overcame complex regional access issues with ARIS Cloud.
- Strengthened cross-functional collaboration and data trust culture.
- Developed scalable approach for future regulations like EU AI Act.
- Enhanced process maturity, supplier transparency, and operational resilience.
SOLUTION
- ARIS Enterprise
Meet our customer hero
Founded in 1856, SEB is a leading northern European financial services group headquartered in Stockholm, Sweden. Its 19,000 employees work across more than 20 countries, offering a wide range of leading financial services with home markets in the Nordics, the Baltics, Germany, the UK, Austria, Switzerland and the Netherlands. In Sweden and the Baltics, SEB is a leading universal bank with millions of private individuals as customers.
What is DORA compliance in banking?
The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial institutions to strengthen ICT risk management, ensure operational resilience, and report major incidents within strict timelines. Its goal is to ensure operational resilience in banking and across the financial system.
Managing a complex process network
As a company with a long heritage, SEB is known for strong governance and stability. In recent years, the increasing volume and scope of regulatory requirements, combined with tight implementation timelines, as well as the need for digital solutions, have posed a challenge for the bank.
“The urgency to digitalize and automate meant we didn’t always take the time to make full use of our corporate memory or process documentation,” says Delphine Daggfeldt, Process Management & Automation at SEB. “Since then, we’ve made progress, but it’s taken us longer to get there.” Today, SEB has over 200 robots feeding, verifying, and ensuring end-to-end data flow for around 800,000 transactions every month.
With the right foundations for data-driven automation in place, the bank began preparing for DORA compliance in 2023. The EU’s Digital Operational Resilience Act (DORA) requires financial institutions to strengthen digital resilience to prevent disruptions that could have far-reaching repercussions on society. With the law coming into force in January 2025, the timeline was tight — especially as the regulation was revised just three months before the deadline. SEB decided that this time, the focus should be on becoming compliant by leveraging existing structures — an approach rooted in process management for compliance, thereby driving operational excellence.
DORA holds banks accountable not only for their own ICT systems, but for those of their suppliers and sub-suppliers. For example, SEB partners with a Swedish provider of instant phone payments. Under DORA, the bank must ensure that the provider and its suppliers deliver reliable IT services, maintain robust business continuity plans, and follow defined process standards.
Major ICT incidents must be reported to authorities within four hours, requiring SEB to know which ICT assets support each critical process. “A single process can rely on more than 50 internal and external systems, including those of vendors,” explains Delphine Daggfeldt. This creates a complex network of processes that must be mapped, monitored, and risk-assessed to maintain operational resilience.
Operational resilience, the DORA way
To meet DORA requirements, processes must be clear and precisely defined. Since it adopted ARIS in 2008, SEB has built a powerful central hub for managing processes and making sense of its data. Today, more than 3,500 processes are modeled in ARIS, with around 2,000 actively maintained.
This strong process culture created a solid foundation to tackle DORA compliance. “Because time was tight, we didn’t want to create a whole new set of processes,” says Delphine Daggfeldt, “so we looked for overlaps with existing regulations.” Risk officers quickly identified clear parallels with FFFS 2014:4, the Swedish regulation concerning operational risk. Under this framework, SEB had already mapped its most critical processes, carried out risk assessments, and tested contingency plans—foundations that could be built on for DORA, which covers around 50% of those same critical processes. This allowed SEB to accelerate DORA compliance by extending existing structures instead of creating new ones from scratch.
As DORA owners also oversee SEB’s most critical processes, it was important to avoid overloading them. To achieve this, SEB built DORA into its existing process review. During the review, process owners complete a checklist in ARIS to ensure their processes are up-to-date. The checklist was simply extended to include DORA-specific questions, increasing the total number of questions by 40%. This ensures DORA requirements are properly adopted and monitored across the organization.
Working with IT partner Solita, SEB enhanced ARIS with updated checklists, dashboards, workflows, and quality controls. APIs played a key role, connecting ARIS with other SEB systems to provide visibility across dependencies, including ICT assets, third party vendors, and Business Continuity Planning. “For DORA, you need to understand how different functions are connected,” explains Delphine Daggfeldt. “If one system goes down, it can affect 20 others.”
In June 2025, SEB migrated to ARIS Cloud, making it easier to onboard entities in the Baltics using a different IT infrastructure. Once again, APIs simplified data interaction across the bank’s ecosystem.
Better data culture. Faster compliance.
The ARIS platform delivered both immediate and long-lasting benefits for SEB.
- Faster, simpler compliance: Reusing existing process structures meant DORA requirements could be absorbed quickly, without overloading teams or introducing new ways of working. As a result, SEB was ready to launch its process review, complete with DORA requirements, on time.
- Efficient, reliable reporting: Centralized and interconnected data makes it easy to produce DORA reports based on trusted information. “The Swedish Financial Supervisory Authority recently visited and showed real interest in how we work and in our data architecture. It sparked some great discussions,” says Delphine Daggfeldt. “Having a single source of truth removes uncertainty and saves us valuable time.”
- Stronger cross-functional collaboration: Compliance required teams across the business to work together more closely, bringing together different disciplines, such as Business Continuity and ICT Asset Management, to cover the full scope of DORA. What started as a regulatory necessity has become a more transparent and structured way of working.
- A stronger data culture: Mapping dependencies and data flows helped teams understand how their data is used, and why accuracy matters. Keeping data clean and up to date is now ingrained in everyday work, strengthening SEB’s operational resilience.
Scaling compliance beyond DORA — powered by ARIS
The DORA journey has helped SEB reach a new level of operational maturity, putting processes firmly on the map. By reusing existing processes rather than reinventing them, SEB has uncovered a valuable and scalable approach to regulatory compliance — one that can be quickly and easily adopted in ARIS for future requirements. The method will now be applied to upcoming regulations, including changes to the Bank Recovery and Resolution Directive (BRRD) and the new EU AI Act, improving operational efficiency across the board. Looking ahead, SEB sees many new opportunities: “We want to use ARIS to help us improve and automate, not just to meet regulations,” says Delphine Daggfeldt. “Process mining and AI will play a growing role in highlighting where processes can be optimized and recurring questions eliminated. We also want to scale automation where it matters.”
These initiatives highlight how SEB has turned compliance into a strategic advantage, boosting process maturity, transparency across a complex supplier network, and operational resilience. There’s no denying that today the bank is more connected and future-ready than ever.
