DORA for Fintech Startups
Whether DORA applies to a fintech depends on its regulated status, not its self-description. A fintech that is a licensed payment institution, e-money institution, investment firm or CASP is in scope under Article 2; an unregulated software vendor selling to financial entities is instead treated as an ICT third-party provider. DORA has applied since 17 January 2025.
"Fintech" is not a DORA category
DORA lists financial-entity types; "fintech" is a business descriptor. The right question is which regulated licence, if any, the firm holds, that determines whether it complies as a financial entity or supports its clients as an ICT third party.
Proportionality and microenterprises
In-scope fintechs that are microenterprises may use a simplified ICT risk-management framework and are generally outside mandatory TLPT, a meaningful relief for early-stage teams. Governance, incident reporting, and the third-party register still apply.
Selling to financial entities
If your fintech provides ICT services to banks or insurers, expect DORA-driven contractual demands (audit rights, exit strategies, sub-outsourcing controls) even when you are not directly regulated. See ICT third-party providers.
Frequently asked questions
Does DORA apply to every fintech?
No. It applies to fintechs that hold a relevant financial licence. Unregulated fintech vendors are covered indirectly as ICT third-party providers.
Do early-stage fintechs get proportionality relief?
Yes. In-scope microenterprises may apply a simplified ICT risk-management framework and are generally outside mandatory threat-led penetration testing.
We sell software to banks, does DORA affect us?
Indirectly but materially: your financial-entity customers must impose DORA contractual terms and register your services, so expect audit, exit, and security requirements.