DORA: why it touches startups that aren't banks
The EU's Digital Operational Resilience Act is in force since January 2025. If you sell software to financial institutions, you're a "third party" - and that's now your problem.
DORA (the Digital Operational Resilience Act) is the EU's regulation on digital operational resilience, in full force since 17 January 2025. Its goal is to ensure that financial institutions can withstand cyberattacks and technical failures without taking the economy down with them.
At first glance it's a law for banks. In practice it touches every startup that sells to them.
The five pillars
The regulation requires companies to cover five core areas:
- ICT risk management. A clear strategy, security policies and continuous monitoring of systems. (ICT = information and communication technology.)
- Incident reporting. Strict deadlines to notify authorities of serious cyberattacks - often within hours.
- Resilience testing. Regular testing, including penetration tests, to find gaps.
- Third-party risk. The most important pillar for startups (see below).
- Information sharing. The exchange of threat intelligence between companies in the sector is encouraged.
Why the fourth pillar is about you
Financial institutions are responsible for the security of the software they buy from outside vendors. If you're a startup selling to a bank, you are a "third party" - and the bank will treat you as a risk.
More than that: the bank will also look at your own subcontractors. This is concentration risk - if 100 fintech startups all use the same small server and it goes down, the whole system is threatened at once.
How DORA changes a startup's life
As a B2B supplier. If you sell software, cloud services or data to banks, insurers or fintechs, you become part of their supply chain. Your customers will demand dramatically higher security standards, will inspect you, and will want specific contract clauses and evidence that your systems won't fail at a critical moment. If you're not "DORA-compliant," they simply won't buy.
As a fintech yourself (B2C). If you're a neobank, crypto platform or payments platform, you fall directly under DORA. It's no longer enough that "the code works" - it must be provably resilient, which takes a serious compliance investment.
The proportionality principle
The good news for small companies: DORA recognizes that a 10-person startup can't carry the administration of a 10,000-person bank. Measures must fit the scale and complexity of your business. But be careful - "proportionate" doesn't mean "none."
The fines
DORA isn't a recommendation. Penalties reach up to 1% of average daily worldwide turnover for critical-service providers, imposed daily until compliance is achieved. There are also individual fines for managers who failed to ensure system resilience.
The takeaway
If your product touches the financial sector, DORA compliance isn't optional - it's a condition of sale. Start early: document your security, map your own subcontractors, and be ready to answer the bank's questions before it asks them.