What does DORA mean for fintech?

Rupert Bull, CEO, The Disruption House

As we get ever closer to January 17, 2025, fintechs across Europe face a pivotal regulatory milestone. The European Union’s Digital Operational Resilience Act (DORA) introduces a comprehensive framework to bolster digital resilience across the financial services industry. While DORA’s ultimate goal is to fortify operational stability and protect against rising cyber threats, its requirements are sweeping and demand no small amount of attention from fintechs.

Too many firms are hoping that DORA’s proportionality principle will lift them out of the regulation’s reach. Proportionality scales the obligations to a firm’s size and risk profile; it does not remove them. Failure to prepare could result in reputational harm, severe penalties, and a blow to new business prospects. With 20,000 firms expected to be impacted, it’s best not to count on luck alone.

Instead, fintechs should ready themselves today. This is why it’s important to explore how DORA impacts firms, the steps to take to meet DORA’s requirements, and how these align with the UK’s post-Brexit regulatory context.

What is DORA?

DORA sets a high bar for operational resilience. The first legislation of its kind, it requires financial firms and fintechs to implement robust frameworks for managing Information and Communication Technology (ICT) risk, governing third-party relationships, and handling incidents. This calls for an approach that is proactive, yet methodical.

Deliberately defined in broad terms, “ICT third-party service providers” under DORA encompass the expected suppliers: cloud service providers, data analytics platforms, datacentre services and other digitally delivered services. At the same time, DORA’s definition of a “financial entity” reaches into non-traditional and fast-moving sub-sectors such as crypto-asset service providers and crowdfunding service providers, which fall within scope in their own right. For all of these types of players, DORA signifies a shift in how the whole ecosystem approaches resilience and cybersecurity.

Moreover, even where a fintech operates as a supplier to financial services firms, it should still check whether the ICT suppliers it relies on meet the necessary standards, as those sub-contracted services can be treated as integral to the service chain it supports. In practice, most third-party contracts will need significant revision to explicitly address data availability, integrity, confidentiality and security, along with service levels, audit access and exit arrangements, in order to be compliant.

How fintechs can meet new IT compliance standards

At its core, DORA makes clear that operational resilience and cybersecurity are everybody’s responsibility. However, according to the Luxembourg financial sector supervisor, the CSSF (Commission de Surveillance du Secteur Financier), 71% of firms are only partially prepared for DORA. Clearly, there is still some way to go before everyone fully shoulders this joint responsibility.

This regulation transforms operational resilience from a back-office concern into an integral component of daily operations. We see this reflected in the rigorous testing requirements set out in the legislation, from routine vulnerability assessments through to threat-led penetration testing for the most significant entities. This means transitioning from reactive responses to ICT failures or cyber incidents, to proactive, continuous oversight of ICT risks and supplier performance.

The first critical step to achieving this is conducting a comprehensive readiness assessment. Fintechs must find the gaps between their existing operational resilience measures and DORA’s standards, and fill them. The key things to establish are: a clear governance and accountability structure for when something goes wrong; whether monitoring tools can spot issues and breaches in good time; and whether operational resilience measures are stress-tested and updated regularly. Should a cybersecurity incident occur, firms must be able to classify it and report it to the relevant authorities quickly in order to contain any systemic risk; DORA requires major ICT-related incidents to be reported in stages, with an initial notification followed by intermediate and final reports. With these as starting points, many firms will place themselves in good stead.

Recognising the dependencies between customers and suppliers in the healthy functioning of the financial system, DORA compliance also means deepening collaboration between fintechs and financial services firms and institutions. This entails, for example, conducting joint testing and risk assessments to ensure everyone is operating with the same standard of resilience.

This is no box-ticking compliance exercise, but a foundational shift that ensures long-term security and stability in a digital-first financial ecosystem. In treating it as such, fintechs will be ready for the new regime.

Does DORA matter post-Brexit?

Although the UK is no longer bound by EU regulations, DORA’s principles closely align with the Financial Conduct Authority’s operational resilience framework. Both emphasise the importance of managing ICT risks and safeguarding critical financial services. However, divergence between UK and EU approaches creates unique challenges and opportunities for firms operating in both jurisdictions.

For UK firms with EU operations, the dual compliance burden of adhering to both DORA and FCA standards presents a logistical challenge. Managing two distinct regulatory frameworks requires additional resources and careful coordination, so that controls and evidence are mapped once across both regimes rather than duplicated.

On the other hand, firms that achieve compliance with both sets of standards early can position themselves as leaders in operational resilience, strengthening their competitiveness in an increasingly global financial market. It’s also a strong statement of a fintech’s commitment to security, a prerequisite for fintechs looking to forge partnerships with top-tier banks and institutions.

It’s also worth noting that firms which operate outside the EU entirely cannot afford to ignore DORA either. Europe’s leadership in the regulatory space often sets the global standard, with many international regulators adapting its legislation to their own jurisdictions. It’s only a matter of time before the DORA regime, under different names, crosses borders.

The path to 2025

DORA is more than a regulatory requirement; it is an opportunity to enhance resilience, build trust, and gain a competitive edge. By aligning their operational models with DORA’s vision, fintechs can demonstrate their commitment to security and reliability, making them more attractive partners in a sector that demands resilience as a baseline expectation.

At heart, DORA recognises that operational resilience and cybersecurity are universal responsibilities. The delivery of financial services in the digital age rests on the strength of the weakest link. If we all play by the same rules, as DORA demands, cyber threats will find far fewer open back doors. Firms that fail to demonstrate their willingness to play their part will fail to stay in the game. In partnering with The Disruption House, firms can adopt a systematic approach to DORA readiness and operational resilience, giving them an actionable and credible path to compliance.
