DORA Compliance for Fintech
The Digital Operational Resilience Act has been in application since January 17, 2025. DORA regulates the operational resilience of financial entities and the ICT third-party service providers they rely on. For fintech companies operating in the EU, DORA is a real and current obligation alongside GDPR.
This page covers what DORA requires, who it applies to, and how it interacts with privacy compliance.
Does DORA apply to you?
DORA applies to a broad range of financial entities operating in the EU:
Banks (including challenger banks and neobanks)
Investment firms and asset managers
Insurance and reinsurance undertakings and intermediaries
Payment institutions, electronic money institutions, and account information service providers
Crypto-asset service providers
Crowdfunding service providers
Central counterparties, central securities depositories, and trading venues
Credit rating agencies
Administrators of critical benchmarks
It also applies to ICT third-party service providers that financial entities rely on, particularly those providing critical or important functions.
Most fintech companies operating in the EU are in scope either as a financial entity or as an ICT third-party service provider to financial entities.
What DORA requires
DORA has five pillars:
ICT risk management. Financial entities must have a comprehensive ICT risk management framework covering identification, protection, detection, response, recovery, and learning.
ICT-related incident management, classification, and reporting. Major ICT incidents must be classified and reported to competent authorities within specific timelines.
Digital operational resilience testing. Regular testing of ICT systems, including advanced threat-led penetration testing for designated entities.
ICT third-party risk management. Comprehensive management of ICT third-party providers including pre-contractual due diligence, contractual requirements, ongoing monitoring, and exit strategies.
Information sharing. Voluntary information sharing arrangements on cyber threats.
Specific contractual requirements
DORA imposes specific contractual requirements on ICT services agreements between financial entities and ICT providers. Required contract content includes:
Clear and complete description of services
Service locations including data processing locations
Service availability and quality requirements
Security measures
Termination rights
Audit and inspection rights
Cooperation with competent authorities
Reporting obligations
Subcontracting provisions
Exit strategies
These contracts must be in place for all ICT services. Existing contracts may need amendment to comply with DORA.
Incident reporting
Major ICT-related incidents must be reported to competent authorities. The reporting framework includes:
Initial notification: within 4 hours of incident classification as major
Intermediate report: within 72 hours
Final report: within 1 month
Classification of "major" follows specific thresholds in the regulatory technical standards covering impact on clients, financial counterparts, duration, geographical spread, data losses, economic impact, and reputational impact.
Third-party register
Financial entities must maintain a register of all ICT third-party service providers covering details of contracts, services, criticality, and supplementary information for critical ICT services.
The register must be available to competent authorities on request and is the basis for several DORA obligations including risk assessment and incident management.
How DORA differs from GDPR
DORA and GDPR are separate frameworks with different scopes:
DORA regulates operational resilience of financial entities and ICT providers. GDPR regulates personal data processing across all sectors.
DORA's incident reporting covers ICT-related incidents (whether or not personal data is involved). GDPR's breach notification covers personal data breaches specifically.
DORA has specific contractual requirements for ICT services. GDPR has Article 28 requirements for processor relationships involving personal data.
DORA includes operational resilience testing requirements. GDPR does not specifically require this.
Both frameworks have substantial supervisory authority enforcement powers.
Where DORA and GDPR overlap
The overlap is in security controls. Both require appropriate technical and organizational security measures, both require breach/incident response capability, and both require third-party risk management.
Operationally, most fintech companies coordinate DORA and GDPR compliance through:
A combined risk and incident management function covering both ICT incidents (DORA) and personal data breaches (GDPR).
Coordinated third-party risk management covering both ICT services contracts (DORA) and Data Processing Agreements (GDPR).
Combined supervisory authority engagement strategy across the lead financial authority (for DORA) and the data protection authority (for GDPR).
Penalties
DORA penalties depend on member state implementation but include administrative penalties from competent authorities and potential criminal penalties in some jurisdictions.
For critical ICT third-party providers, the European Supervisory Authorities can impose periodic penalty payments.
How Engage Compliance helps
For fintech clients, we provide fractional DPO services for GDPR and coordinate with DORA compliance work. Specific support includes:
GDPR compliance for fintech-specific processing (payments, KYC, AML, credit scoring, transaction monitoring).
Coordination between GDPR breach notification and DORA incident reporting where incidents affect both.
ICT third-party register coordination with vendor management for personal data.
DPA template updates to reflect DORA-required terms.
EU AI Act compliance for AI use in fintech (credit scoring, fraud detection, recommendation systems).
For specialist DORA compliance work, we coordinate with financial services compliance specialists.
Get started
If you are a fintech company evaluating DORA and GDPR compliance together, book a consultation.