Roger Alexander - FinTech BoostUP

How DORA Will Impact FinTech


After two years since its enactment, the Digital Operational Resilience Act (DORA) has come into force across the European Union (EU), promising to be a landmark in regulatory efforts to bolster the operational resilience of IT systems within the financial sector.

While it may appear to be a complex and highly technical piece of legislation, a closer look reveals that DORA addresses critical vulnerabilities in the fintech ecosystem's IT infrastructure, something made abundantly apparent by the CrowdStrike outage in July of last year. In doing so, it safeguards the cyber stability of both individual firms and the broader economy that depends on data centres and cloud computing services.

Who Does DORA Apply To?

DORA is primarily aimed at ‘Critical ICT Third Party Providers’ (CTTPPs). While the terms ‘ICT’ (Information and Communications Technology) and ‘Third Party Providers’ are straightforward, what qualifies as ‘critical’ is less so. For instance, a platform’s core payment processing software is undoubtedly critical. But what about a budgeting app integrated into a bank’s Open Banking ecosystem? Such tools may not be central to operations but still form an essential part of the customer experience and trust.

This ambiguity means financial institutions will need to carefully evaluate their vendors' ability to comply. For CTTPPs, compliance with DORA involves adhering to a set of strict requirements for managing and reporting operational risks. Importantly, DORA's scope extends beyond traditional financial services firms to include fintech startups, cryptocurrency exchanges, and even cloud service providers whose systems underpin financial applications.

What Does DORA Entail?

While DORA introduces rigorous guidelines, many reputable software companies already meet some of its standards. One of its standout provisions is the standardisation of reporting requirements. Historically, incident reporting varied significantly between firms, creating inconsistencies in how issues were identified and addressed. Under DORA, all organisations must follow a unified reporting format, enhancing transparency and enabling regulatory bodies to respond more effectively to systemic risks.

Another significant area of DORA’s focus is resilience testing. Financial institutions and their ICT providers will be required to conduct regular assessments, including:

  • Red Team Exercises: Simulating cyberattacks to test defensive capabilities.
  • Black Team Scenarios: Stress-testing for large-scale failures, such as data centre outages.
  • Purple Team Collaborations: Combining offensive and defensive exercises to evaluate end-to-end response mechanisms.

Beyond testing, the legislation also requires organisations to ensure continuity of service, meaning software and data must remain accessible even during severe disruptions or outages. For example, escrow services will need to safeguard source code and operational data so that businesses can maintain critical functions even if a key supplier ceases operations.

How Will DORA Benefit Fintech?

Standardisation and resilience planning under DORA promise several advantages. For fintech firms, compliance can serve as a competitive differentiator, showcasing to clients and investors operational safeguards that only 57% of British financial institutions have been able to adopt over the last two years.

From an industry-wide perspective, DORA’s implementation will reduce fragmentation in how operational risks are managed. By requiring firms to adhere to a consistent framework, regulators will gain a clearer picture of systemic vulnerabilities. This alignment will not only improve incident response but also create opportunities for collaborative risk mitigation, driving innovation in areas like cybersecurity solutions and disaster recovery technologies.

Moreover, the act’s emphasis on transparency will foster greater trust across the financial ecosystem. First, the standardised risk management requires all financial institutions to follow the same set of rules for managing ICT risks, meaning DORA creates a level playing field, as well as consistency in security practices. As mentioned, this also extends to third-party vendors that financial institutions rely on, ensuring that critical service providers also meet high cybersecurity standards.

Institutions are also mandated to report cyber incidents promptly, allowing regulators and the public to better understand potential risks and how effectively institutions are responding to them. DORA also requires regular testing of systems and processes to assess their ability to withstand cyberattacks, demonstrating a proactive approach to risk mitigation. By safeguarding the digital operations of financial institutions, DORA ultimately protects consumers from disruptions to their financial services caused by cyber incidents.

Does DORA Apply to the UK and US?

Although DORA is an EU regulation, its implications will be felt globally. Companies outside the EU, including those in the UK and US, must comply if their software or services are used by entities within the EU. Conversely, EU-based firms serving clients abroad will also need to ensure compliance, as their obligations extend beyond regional borders.

UK firms may find parallels between DORA and the UK’s operational resilience frameworks introduced by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). Meanwhile, US-based companies might align with DORA’s requirements by building on existing frameworks from the Federal Financial Institutions Examination Council (FFIEC) and the National Institute of Standards and Technology (NIST).

Isn’t This Just About Cybersecurity?

While cybersecurity is a crucial element of DORA, its scope extends far beyond data breaches and other digital threats. The act addresses a wide array of risks, including service outages caused by natural disasters, software bugs, and even geopolitical events. For instance, a hostile takeover or bankruptcy of a critical supplier could have cascading effects on financial operations. DORA aims to mitigate these risks by mandating comprehensive and thorough contingency planning.

Another notable requirement is the legal right for organisations to access their software and data in all circumstances. This provision ensures uninterrupted access to critical tools and information, even during supplier disruptions. Firms will need to negotiate contracts that prioritise operational continuity, potentially reshaping how fintechs and financial institutions engage with their vendors.

Even small IT outages can be very costly for organisations, often running to hundreds of millions, on top of reputational damage and overburdened IT staff. Additionally, regulatory fines for such incidents can reach tens of millions.

Challenges and Opportunities

For fintech companies, the road to DORA compliance may present initial challenges. Smaller firms, in particular, might find the costs of resilience testing, incident reporting, and contractual renegotiations burdensome. However, these measures also offer opportunities for growth and differentiation. Firms that build resilient, compliant, and secure IT systems will likely attract more customers and secure strategic partnerships, not to mention avoid catastrophic revenue loss in the event of an outage.

Moreover, another side effect of DORA's introduction could be accelerated innovation. The demand for advanced tools and services is ever-present, from AI-driven anomaly detection to blockchain-based data escrow solutions. With operational and technological benchmarks now mandated across the EU, there is fertile ground for tech providers looking to deliver cutting-edge solutions quickly and to the required standard.

Overall, DORA represents a pivotal shift in how risks are managed in the financial services industry. By standardising IT protocols, promoting transparency, and ensuring continuity, it addresses the vulnerabilities exposed when critical systems fail, especially for banks, insurers, securities exchanges, trading venues and other financial services providers. While compliance may pose challenges, setting in place contingency plans for critical failures also offers fintech companies an opportunity to strengthen their operations, build trust, and gain a competitive edge over those slow to integrate. As the regulation comes into effect, its impact will extend far beyond the EU, reshaping the global financial landscape for the better.

To learn more, visit: https://chargebacks911.com.

About Roger Alexander

Roger Alexander serves as a key advisor to Chargebacks911's Advisory Board and its CEO, Monica Eaton, assisting the company with its expansion initiatives, including the highly anticipated launch of its dispute resolution solution, set to address the record spike in authorised push payment (APP) fraud claims.

With nearly 40 years of payments experience, Alexander has previously served in various leadership roles within the payments and financial services sectors, including more than 20 years in directorial roles at Barclays and subsequently as the CEO of Switch (the UK's debit card scheme) and President of Elavon Merchant Services Europe. He is currently a strategic advisor for Tarci and Pennies, a major UK charity, and previously held key NED positions with ACI Worldwide, Caxton and Valitor, among others.
