Under Pressure: What does DORA mean for FinTech firms?


Financial services digitisation has brought immense opportunities and efficiencies to the capital markets but also created new vulnerabilities. With cyberattacks on the rise and operational disruptions posing significant threats, the European Union is taking a proactive approach through the Digital Operational Resilience Act (DORA).

This landmark regulation, effective December 2022, aims to fundamentally reshape how financial institutions manage operational risks and build resilience. And while the enforcement deadline is not until 17 January 2025, the clock is ticking for financial institutions to step up.

Importantly, the DORA initiative resonates beyond banks, brokers and asset managers, with a central tenet of the legislation focused on third-party risk management. In an increasingly technology-driven industry, financial firms are more reliant than ever on vendor technology, application providers, managed infrastructure and cloud services. Suppliers will come under intense scrutiny to ensure they can support their customers’ compliance with the new rules, and FinTech firms should brace themselves for the inevitable wave of IT questionnaires, architecture reviews and tougher vendor onboarding benchmarks.

While IT security should never be taken lightly, the focus on technology vendors creates yet another challenge for the FinTech sector, which is already struggling with a tight funding environment and a weak European economic landscape. At the same time, FinTechs are critical to the industry, often providing the agility and fast innovation that financial organisations can struggle to achieve through internal initiatives alone. So, with the DORA deadline rapidly approaching, what should FinTechs do to give their customers confidence?

Here are five areas we think firms should focus on:

1. Comprehensive Risk Management Framework

Implementing a robust risk management framework is the cornerstone of DORA compliance, and this applies to FinTechs as much as it does to their customers. Firms must have clear policies to identify, assess, and mitigate operational risks.

However, while a well-defined policy might look great on paper, the key question is whether your team understands the policy and can effectively execute the plan when an issue arises. Ongoing review, firm-wide education, staff buy-in, and scenario planning are all essential to ensuring your organisation can respond effectively when something goes wrong. Operational risk can come in multiple forms, but a simple and well-understood framework will give organisations a strong basis on which to build effective responses to different potential threats.

2. Robust Incident Reporting and Response Mechanisms

DORA also mandates the establishment of robust incident reporting and response mechanisms. Certainly, your customers will want timely notification, clear communication of the potential impact, and a meaningful response plan to address a given issue. Walking them through your latest policies is a good step to build confidence and can help in post-incident reviews if the customer has signed off on the process you followed. Agreeing the correct customer contacts, together with their preferred communication channels, in advance will save time when things go wrong, while pre-agreed escalation processes will ensure both parties know what to do when needed. Scratching around for contact details during a major incident is not where you want to be!

3. Third-Party Risk Management

Your customers are not the only ones reliant on third-party vendors. FinTechs also leverage tech suppliers for various services and components of their solutions and infrastructure, introducing additional downstream risks. DORA emphasises the need for rigorous third-party risk management practices – this applies equally to FinTechs, who must also scrutinise their own suppliers. Vendor due diligence and ongoing supplier monitoring create yet more overheads for small firms but must be taken seriously. FinTechs can learn from the scrutiny they are put under by their customers, perhaps borrowing those IT questionnaires to play back to their own suppliers. Ideally, this should be done when contracting, but a comprehensive vendor review before DORA is fully operational might be wise. Who knows, you might even identify some cost savings! But at a minimum, you can confirm whether your suppliers have the necessary policies in place to protect your business.

4. Strong Governance and Oversight

FinTech leadership teams will already be spinning many plates: hitting growth targets, keeping customers happy, managing investors, dealing with staff issues... the list goes on. It is natural to want to delegate IT security and operational policies to other staff or kick cyber certification down the road as ‘important but not urgent’. Given the proliferation of cyber-attacks, the barrier to doing business created by unmet vendor onboarding requirements, and the potential existential risk of a system vulnerability, senior leaders can no longer afford to take a back seat on this topic. Executives from the board level down should actively engage in operational resilience efforts and governance, providing the necessary budget, resources and focus to ensure their organisation is robust.

5. Cybersecurity and Data Protection Measures

DORA places significant emphasis on cybersecurity and data protection. Smaller FinTech firms are often less siloed, with teams having multiple responsibilities and a broader view of customer implementations. While this can be helpful to customers, giving them easier access to domain expertise and a more personal level of service (for instance, being able to engage directly with a key developer), it can also encourage a less stringent approach to data protection. Balancing customer responsiveness with cybersecurity and data protection is hard. Developer-led firms do not like unnecessary restrictions and burdensome processes because they are not ‘agile’. However, this approach introduces risks that need to be addressed. Again, education, discussion and staff buy-in are critical to prevent a tick-box mentality. Ideally, firms should engage their teams in policy design regarding data categorisation, encryption, multi-factor authentication, and so on. Creating a culture of ownership rather than ‘top-down’ directives can go a long way towards building a resilient organisation.

Mike Tyson famously said that “everyone has a plan ‘till they get punched in the mouth”. But while even the best-laid plans can unravel in the face of adversity, sleepwalking into DORA represents its own risk to FinTechs. Working with your teams and identifying specialist firms who can help review your policies and implement good practices will put you in a stronger position with your customers and prospects and may even prove a competitive advantage.