EU DORA: What Financial Firms and FinTechs Must Know
- The regulation applies to around 20,000 financial entities in the EU from 17 January 2025.
- ICT third-party service providers are also in scope, regardless of where they are established; those designated as critical are subject to direct oversight by the European Supervisory Authorities.
- EU DORA creates new requirements for the security and resilience of the ICT networks and systems that financial entities depend on.
- Its five pillars set higher and more prescriptive requirements than the previous, largely guideline-based regime.
- Some exemptions apply (for example a simplified regime for microenterprises), and EU DORA is applied proportionately.
What is EU DORA?
The EU Digital Operational Resilience Act (EU DORA, Regulation (EU) 2022/2554) entered into force in January 2023 and has applied since 17 January 2025. It seeks to strengthen the management of ICT and operational risk and business continuity across EU financial services.
At 70+ pages with hundreds of individual requirements, EU DORA sets a higher regulatory standard for managing information and communication technology (ICT) risk, especially for FinTechs that fall within financial-services regulation for the first time.
Why does EU DORA matter?
Digital financial services have grown rapidly, driven by innovation, efficiency and client demand, reaching around 99% in some markets, such as Estonia.
In parallel, ICT-related risks have also increased significantly:
- Cyber-attacks and ransomware
- System outages and data breaches
- Failures at outsourced ICT providers
- Operational disruptions with cross-border impact
As these risks grow, financial systems and transactions need stronger protection and greater resilience to remain trustworthy.
Who does EU DORA apply to?
- credit institutions
- payment institutions
- electronic money institutions
- account information service providers
- investment firms
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
FinTechs that provide core banking, payments, hosting and other ICT solutions to these entities are also in scope, as ICT third-party service providers.
The 5 pillars of EU DORA
The requirements of EU DORA are organised into five pillars:
ICT Risk Management
The governance, systems, tools and processes used to identify, protect against, detect, respond to and recover from ICT-related risks, under a framework owned by the management body.
Incident Reporting
Regulated entities must classify ICT-related incidents, report major ones to their national competent authority within set deadlines, and may notify significant cyber threats on a voluntary basis.
Digital Operational Resilience Testing
Regular testing of ICT systems to verify security and improve resilience and recovery procedures, including advanced threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority.
ICT Third-Party Risk Management
Frameworks to identify and mitigate risks arising from ICT third-party providers, including mandatory contractual provisions and a register of information on all ICT outsourcing arrangements.
Information Sharing
Voluntary sharing of cyber threat information and intelligence, including vulnerabilities and indicators of compromise, to strengthen collective defences.
Proportionality in EU DORA
Financial entities implement EU DORA according to the principle of proportionality: the measures they adopt should reflect their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.