
DORA Compliance — What FinTech Companies Need to Know in 2026

The Digital Operational Resilience Act is now fully enforceable. This guide explains the five pillars, who is in scope, and how FinTech companies can build a compliance programme that satisfies regulators without stalling innovation.


What Is DORA?

The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is a European Union regulation that establishes a comprehensive framework for managing information and communication technology (ICT) risk in the financial sector. Unlike a directive, DORA is directly applicable across all EU Member States without the need for national transposition.

DORA was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023, with a two-year implementation period. The regulation became fully applicable on 17 January 2025, meaning all in-scope entities must now demonstrate compliance.

The regulation was developed in recognition that the financial sector's increasing dependence on technology creates systemic risk. A significant ICT disruption at a major financial institution or a critical third-party provider can cascade across the entire financial system. DORA aims to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions.

Who Is in Scope?

DORA applies to a broad range of financial entities, encompassing virtually the entire EU financial services ecosystem:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms and trading venues
  • Insurance and reinsurance undertakings
  • Central counterparties and central securities depositories
  • Crypto-asset service providers (under MiCA)
  • Crowdfunding service providers
  • Account information service providers
  • Management companies and alternative investment fund managers
  • Credit rating agencies

Critically, DORA also extends to critical ICT third-party service providers (CTPPs). Cloud providers, data analytics companies, software vendors, and managed service providers that serve the financial sector may be designated as critical and subjected to direct oversight by EU financial supervisory authorities (the European Supervisory Authorities: EBA, ESMA, and EIOPA).

For FinTech companies, this dual scope is particularly important. Many FinTech firms are both in-scope financial entities and ICT service providers to other regulated firms.

The Five Pillars of DORA

Pillar 1: ICT Risk Management

Financial entities must establish and maintain a comprehensive ICT risk management framework that is integrated into the overall risk management system. Key requirements include:

  • Identification and classification of all ICT-supported business functions, assets, and dependencies
  • Continuous identification and assessment of ICT risks, including threats, vulnerabilities, and potential impacts
  • Implementation of protection and prevention measures, including access controls, encryption, patch management, and network security
  • Detection mechanisms for anomalous activities and ICT incidents
  • Response and recovery plans with defined roles, communication procedures, and tested backup and restoration capabilities
  • Learning and evolving processes, including post-incident reviews and incorporation of lessons learned

The management body (board of directors or equivalent) bears ultimate responsibility for ICT risk management and must approve the ICT risk management framework, allocate sufficient resources, and stay informed through regular reporting.

Pillar 2: ICT-Related Incident Reporting

DORA establishes a harmonised incident reporting framework for the financial sector. Entities must:

  • Classify ICT-related incidents using criteria defined by the European Supervisory Authorities (severity, duration, geographical spread, data losses, criticality of affected services)
  • Report major ICT-related incidents to the relevant competent authority using a standardised template
  • Submit an initial notification, an intermediate report, and a final report within defined timeframes
  • Voluntarily report significant cyber threats that could have a material impact

The reporting framework is designed to complement, not duplicate, existing sectoral reporting obligations. The European Supervisory Authorities have published Regulatory Technical Standards (RTS) that specify classification criteria, reporting templates, and timelines.

Pillar 3: Digital Operational Resilience Testing

All in-scope entities must conduct regular testing of their ICT systems and controls. The testing programme must include:

  • Vulnerability assessments and network security scans
  • Open-source software analysis
  • Gap analyses and performance testing
  • Scenario-based testing and compatibility testing
  • Source code reviews where feasible

Entities identified as significant must additionally conduct Threat-Led Penetration Testing (TLPT) at least every three years. TLPT must be performed in accordance with the TIBER-EU framework and must cover critical or important functions. The tests must be carried out by independent qualified testers, although the use of internal testers is permitted under certain conditions with regulatory approval.

Pillar 4: ICT Third-Party Risk Management

This pillar addresses the systemic risk posed by concentration of ICT services among a small number of providers. Requirements include:

  • Maintaining a comprehensive register of all ICT third-party arrangements, including information on the services provided, the provider, and the criticality assessment
  • Conducting due diligence before entering into ICT third-party arrangements
  • Including mandatory contractual provisions covering security, audit rights, exit strategies, and sub-outsourcing restrictions
  • Monitoring the performance and risk profile of ICT third-party providers on an ongoing basis
  • Developing and testing exit strategies and transition plans for all critical or important functions

Critical ICT third-party providers designated by the ESAs will be subject to a direct oversight framework, including inspections, recommendations, and the power to impose penalty payments for non-compliance.

Pillar 5: Information Sharing

DORA encourages (but does not mandate) financial entities to participate in voluntary cyber threat intelligence sharing arrangements. These arrangements must comply with data protection requirements and should use trusted information-sharing communities. The goal is to improve collective situational awareness and enable faster response to emerging threats.

DORA and NIS2 — Understanding the Relationship

DORA and NIS2 both address cybersecurity and operational resilience, but they serve different purposes. NIS2 is a horizontal directive that applies across all critical sectors, while DORA is a sector-specific regulation tailored to the financial services industry.

Under the principle of lex specialis, DORA takes precedence over NIS2 for financial entities within its scope. However, financial entities that also provide services in NIS2-covered sectors (such as digital infrastructure) may need to comply with both. ICT third-party service providers not designated as critical under DORA may still fall under NIS2 as digital service providers.

In practice, organisations should treat DORA as the primary framework for financial sector compliance and use NIS2 to address any additional requirements that apply to their non-financial activities.

Implementation Steps for FinTech Companies

Given that DORA is now fully applicable, FinTech companies that have not yet achieved compliance should prioritise the following actions:

  • Scope determination: Confirm which DORA provisions apply based on your entity type, size, and the nature of your ICT services. Smaller entities benefit from a simplified ICT risk management framework under Article 16.
  • ICT risk management framework: Establish or enhance your framework in line with Articles 5–16. Ensure board-level governance, documented policies, and integration with your overall risk management.
  • Third-party register: Build and maintain the register of information on ICT third-party arrangements as required by Article 28. This is often one of the most labour-intensive initial tasks.
  • Incident classification and reporting: Implement processes to classify and report ICT incidents in accordance with the RTS. Integrate these with your existing incident response procedures.
  • Testing programme: Design a testing programme proportionate to your risk profile. If designated as significant, plan for TLPT within the required three-year cycle.
  • Contractual reviews: Review and amend existing ICT third-party contracts to include the mandatory provisions specified in Article 30.
  • Training and awareness: Ensure management and relevant staff understand DORA requirements and their responsibilities.

How BALTUM Supports DORA Compliance

BALTUM offers specialised DORA compliance services for FinTech companies and financial institutions. Our services include gap assessments against all five pillars, ICT risk management framework development, third-party register compilation, incident response planning, and preparation for resilience testing programmes.

We also assist ICT service providers in understanding their obligations under DORA and preparing for potential designation as a critical third-party provider. Contact BALTUM to schedule an initial assessment and develop your DORA compliance roadmap.