Skip to main content
DORA Auditor

DORA for Fintech Startups

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

Whether DORA applies to a fintech depends on its regulated status, not its self-description. A fintech that is a licensed payment institution, e-money institution, investment firm or CASP is in scope under Article 2; an unregulated software vendor selling to financial entities is instead treated as an ICT third-party provider. DORA has applied since 17 January 2025.

"Fintech" is not a DORA category

DORA lists financial-entity types; "fintech" is a business descriptor. The right question is which regulated licence, if any, the firm holds, that determines whether it complies as a financial entity or supports its clients as an ICT third party.

Proportionality and microenterprises

In-scope fintechs that are microenterprises may use a simplified ICT risk-management framework and are generally outside mandatory TLPT, a meaningful relief for early-stage teams. Governance, incident reporting, and the third-party register still apply.

Selling to financial entities

If your fintech provides ICT services to banks or insurers, expect DORA-driven contractual demands (audit rights, exit strategies, sub-outsourcing controls) even when you are not directly regulated. See ICT third-party providers.

Frequently asked questions

Does DORA apply to every fintech?
Do early-stage fintechs get proportionality relief?
We sell software to banks, does DORA affect us?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)