Digital operational resilience (DORA)
The English and German versions of this document are legally binding. Translations into other languages are provided for convenience only.
1. TicTac Learn and the financial sector
TicTac Learn provides learning platforms and content creation services and distributes eLearning authoring and video creation tools from selected technology partners to organizations across the Nordics and parts of Europe. Our customers include companies in the financial sector that are subject to the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA).
We take the regulatory requirements of our financial sector customers seriously. This page explains our security posture, how DORA applies to our services and what we can offer DORA-regulated customers in terms of contractual and operational support.
2. Our security posture
TicTac Learn is ISO 27001 certified. Our information security management system covers risk management, access control, incident handling, business continuity and supplier management.
We maintain and continuously improve our security practices to meet the expectations of regulated customers. For details on our technical and organizational security measures, please visit our Trust centre or contact us directly.
3. DORA and TicTac Learn
3.1 Critical ICT third-party service provider designation
TicTac Learn has not been designated as a critical ICT third-party service provider under DORA Article 31. That designation is made by the European Supervisory Authorities, not by individual providers or their customers.
3.2 Critical or important functions
DORA requires each financial entity to assess whether the ICT services it receives support a critical or important function of that entity (Article 3(22)). This is a separate concept from the ESA designation above. It is the financial entity's own assessment, based on the nature, scale and complexity of its business.
Where a financial entity concludes that TicTac Learn's services support a critical or important function, the stricter DORA requirements for contractual arrangements, governance, subcontracting, exit planning and register documentation apply to that relationship. Where the entity concludes otherwise, the general DORA requirements for ICT third-party arrangements still apply, but in a lighter form.
This assessment is the financial entity's responsibility. TicTac Learn does not make this determination on behalf of its customers, but we are prepared to provide the information and documentation our customers need to complete their assessment.
3.3 Contractual requirements under DORA
DORA imposes specific contractual requirements on arrangements between financial entities and their ICT service providers (Articles 28 and 30). These requirements apply to all ICT third-party arrangements, with additional requirements where the services support a critical or important function.
TicTac Learn is prepared to accommodate DORA-aligned contractual provisions.
4. Supporting your DORA information register
DORA Article 28(3) requires financial entities to maintain a register of information on all contractual arrangements with ICT third-party service providers. TicTac Learn can provide the information our customers need to populate and maintain this register, including service descriptions, data processing locations, subcontracting arrangements and contact details.