DORA - The New Compliance Challenge for European Fintechs
The European financial sector continues its digital transformation, characterized by increasing interconnectivity among financial institutions, particularly through open banking and the proliferation of fintechs. These fintechs now occupy an essential place in the global financial ecosystem, facilitating rapid and often cross-border transactions. Indeed, according to a report by the Boston Consulting Group (BCG), fintechs are expected to see their revenue increase from $245 billion to $1.5 trillion by 2030. The share of fintechs in financial services revenue is projected to rise to 7% (compared to 2% today), and they could represent nearly 25% of all bank valuations worldwide. The question then arises: how will DORA specifically impact fintechs, and what differences will there be compared to established financial institutions?
11/27/2024


Recap: With the adoption of the Digital Operational Resilience Act (DORA) by the European Union (EU), the main objective is to strengthen the security and operational resilience of financial institutions in the face of growing risks, particularly those related to cybersecurity. The goal is to ensure that the entire financial sector, including fintechs, is capable of withstanding service disruptions and cyberattacks.
1. Are Fintechs a Priority for European DORA Regulation?
Open banking allows third-party financial service providers to access bank data via APIs, with the aim of promoting interoperability between banks, competition, innovation, and customer empowerment. Unlike traditional banking systems, where data is siloed, open banking facilitates information sharing and enables consumers to manage their finances across multiple platforms. Standardized APIs play a key role by providing a common interface for communication between banks and third parties. This model, while innovative, presents security and compliance challenges: every exposed interface must be protected to preserve confidentiality and withstand cyberattacks. It is in this context that DORA also requires fintechs to strengthen their operational resilience, so that a weakness in one of them does not become a systemic risk.
Fintechs have particular vulnerabilities that justify their central place in the DORA framework. Unlike traditional financial institutions, which often run hybrid infrastructures, fintechs generally rely on a fully digital architecture, which multiplies their potential points of exposure. This technological dependence goes hand in hand with strong interconnectivity with multiple partners (traditional banks, cloud service providers, other fintechs), creating a complex ecosystem in which the failure of one actor can spread quickly. Additionally, the culture of rapid innovation that characterizes these companies, with short development cycles and frequent updates, can sometimes introduce unanticipated vulnerabilities. Their relative youth also means that their risk management processes may be less mature than those of more established institutions.
2. DORA: What is the Cost of Resilience for Fintechs?
One of the first major impacts of DORA on fintechs will be the increase in budgets allocated to compliance and cybersecurity. While they already need to meet strict regulatory requirements for security and data protection, DORA introduces new obligations that will likely require additional investments.
It is important to distinguish between the cost of compliance with the DORA regulation (audits, contract reviews, training, and awareness) and the continuous increase in operational resilience budgets. Firstly, fintechs will need to invest more in advanced cybersecurity technologies to comply with the new standards. This includes solutions for incident detection, continuous monitoring, and system resilience against failures and cyberattacks. The costs associated with implementing DORA requirements can be significant, especially for small fintechs.
According to a survey conducted by McKinsey in March 2024, EU financial institutions plan to allocate between 5 and 15 million euros to comply with the requirements of the Digital Operational Resilience Act (DORA). These expenses focus on the strategies, planning, design, and orchestration needed to meet regulatory standards. The majority of respondents (58%) expect to spend around 15 million euros, while 25% estimate expenses close to 5 million euros, and 17% anticipate costs up to 30 million euros.
It should be recalled that fintechs and financial services already need to comply with strict security and resilience standards to obtain the necessary authorizations for their activities. These include the Payment Services Directive (PSD2), which requires strong customer authentication, and the General Data Protection Regulation (GDPR), which mandates data protection measures. Additionally, the Network and Information Systems Security Acts (NIS I & II) aim to ensure a high level of cybersecurity within the EU, while the ISO 27001 standards provide an international framework for information security management. Furthermore, the guidelines of the European Banking Authority (EBA) impose operational resilience and cybersecurity requirements.
3. DORA: How to Transform the Culture and Organization of Fintechs?
Initially, there was significant mistrust of online financial services and fintechs, fueled by concerns about transaction security and data confidentiality. However, these companies have redefined the rules of the banking sector by introducing mobile banking apps and instant payment services, making financial services more accessible and tailored to consumer needs. To obtain the necessary licenses and authorizations and gain user trust, fintechs have had to invest in advanced security measures, such as multi-factor authentication, to comply with regulations. This evolution has led to increased adoption of digital banking services and has encouraged traditional institutions to modernize their offerings and collaborate with fintechs.
Compliance with licenses and authorizations is essential for the banking sector, but DORA requires an evolution in risk management culture, anchored in four fundamental pillars. Firstly, security issues must be a priority at the board level, aligning operational resilience with profitability goals. Secondly, creating cross-functional teams is crucial for addressing systemic risks, particularly those related to compliance, cybersecurity, and digital service providers; this includes rigorous evaluation of the risks each provider introduces, considering its potential impact on data security and business continuity. Thirdly, establishing a culture of systematic documentation of actions strengthens transparency and accountability while enabling proactive risk management through the segmentation of providers. Finally, promoting continuous awareness and training is vital so that teams can respond more quickly to emerging threats and communicate transparently about security incidents.
The entry into force of DORA thus marks a turning point for fintechs, which must now strengthen their resilience capabilities against cyber risks and other operational disruptions. Although the cost of compliance is high, the benefits are numerous: increased security, better risk management, and strengthened trust from customers and regulators. For fintechs, DORA is not just a constraint but an opportunity to prove their solidity in an increasingly interconnected sector exposed to digital risks.
© 2024. All rights reserved.