DORA for Fintechs — Compliance Requirements, Delegated Acts, and API Tools

DORA (Digital Operational Resilience Act, Regulation 2022/2554) applies to virtually all financial entities in the EU, including fintechs, payment institutions, e-money institutions, and crypto-asset service providers. It has been in force since January 17, 2025. Unlike high-level explainers that stop at the five-pillar overview, this page covers the actual requirements — including all 12 delegated acts (RTS/ITS) that contain the detailed technical standards your fintech needs to implement.

The Problem

Most DORA guides for fintechs summarize the five pillars and leave it there. But the real compliance work lives in the 12 delegated acts — technical standards that specify ICT risk management framework details, incident classification criteria, reporting templates and timelines, mandatory contractual clauses for ICT vendors, subcontracting conditions, and threat-led penetration testing procedures. These delegated acts are scattered across EUR-Lex with no unified interface, no cross-referencing to parent articles, and no programmatic access.

A fintech CTO trying to understand what contractual clauses DORA requires for their cloud provider agreement has to find Article 30, then locate RTS 2024/1773, then manually cross-reference the two. Multiply that across every ICT arrangement, every incident process, and every risk management policy, and the problem is clear.

Does DORA Apply to Your Fintech?

DORA applies to 21 types of financial entities under Article 2. Here are the categories most relevant to fintechs:

| Entity Type | DORA Article | Notes |
|-------------|--------------|-------|
| Payment institutions | Article 2(1)(d) | Licensed under PSD2 |
| E-money institutions | Article 2(1)(e) | Licensed under EMD2 |
| Crypto-asset service providers | Article 2(1)(f) | Licensed under MiCAR |
| Account information service providers | Article 2(1)(d) | PSD2 AISP |
| Crowdfunding service providers | Article 2(1)(j) | Under ECSP Regulation |
| Investment firms | Article 2(1)(b) | Under MiFID II |

If your fintech is regulated by any EU financial supervisory authority, DORA almost certainly applies to you. The regulation does not distinguish between traditional banks and fintechs — the obligations are the same, subject to proportionality under Article 4.

The 12 Delegated Acts You Need to Know

The base regulation (64 articles) sets the framework. The delegated acts contain the detailed technical standards that define what compliance actually looks like in practice. All 12 have been adopted:

| Delegated Act | CELEX | Covers |
|---------------|-------|--------|
| RTS ICT Risk Management | 2024/1774 | Detailed requirements for ICT risk management frameworks |
| RTS Incident Classification | 2024/1772 | Criteria for classifying major ICT-related incidents |
| RTS Incident Reporting | 2025/301 | Content and timelines for incident reports |
| ITS Incident Templates | 2025/302 | Standardized notification forms for incident reporting |
| RTS Contractual Arrangements | 2024/1773 | Required clauses for ICT third-party provider contracts |
| RTS Subcontracting | 2025/532 | Conditions for ICT subcontracting chains |
| ITS Register of Information | 2024/2956 | Standardized format for the register of ICT third-party providers |
| Critical Provider Criteria | 2024/1502 | Criteria for designating ICT providers as critical |
| RTS Oversight Harmonisation | 2025/295 | ESA oversight procedures for critical providers |
| RTS Joint Examination | 2025/420 | Joint examination procedures for oversight |
| Oversight Fees | 2024/1505 | Fee structure for critical ICT provider oversight |
| RTS TLPT | 2025/1190 | Threat-led penetration testing standards |

For fintechs, the most immediately relevant are the ICT risk management RTS (2024/1774), the incident classification and reporting RTS (2024/1772, 2025/301, 2025/302), and the contractual arrangements RTS (2024/1773). These define the technical detail behind Articles 5-16, 17-23, and 28-30 respectively.

Key Requirements for Fintechs

ICT Risk Management (Articles 5-16)

Every fintech must establish and maintain an ICT risk management framework. Article 6 requires a comprehensive framework that includes strategies, policies, procedures, and tools necessary to protect all information and ICT assets. RTS 2024/1774 specifies the details — what the framework must contain, how it must be documented, and how it must be governed.

Microenterprises (under 10 employees) can use the simplified framework under Article 16, which reduces documentation and governance requirements while maintaining core protections.

Incident Reporting (Articles 17-23)

Fintechs must classify ICT-related incidents using the criteria in RTS 2024/1772 and report major incidents to their competent authority. The timeline under Article 19 and RTS 2025/301 is strict:

| Report stage | Deadline |
|--------------|----------|
| Initial notification | Within 4 hours of classifying the incident as major |
| Intermediate report | Within 72 hours |
| Final report | Within one month |

RTS 2025/301 defines the content requirements for each report stage. ITS 2025/302 provides the standardized templates.
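Keeping those three deadlines straight during a live incident is the first thing an incident-response runbook needs. The following deadline tracker is an added example written for this page, not code from the original page or from the Gibs SDK; it assumes the stage durations stated here and in the FAQ below (4 hours, 72 hours, one month), counts all three from the moment of classification, and treats "one month" as the same calendar day of the next month, clamped to that month's last day.

```python
# Added example (not from the page or the Gibs SDK): track DORA major-incident
# reporting deadlines from the classification timestamp.
# Assumptions: all stages are counted from classification; "one month" means the
# same day of the following month, clamped (31 Jan -> 28/29 Feb, not 3 Mar).
from calendar import monthrange
from datetime import datetime, timedelta

# Fixed-duration stages as stated on this page.
STAGE_OFFSETS = {
    "initial_notification": timedelta(hours=4),
    "intermediate_report": timedelta(hours=72),
}


def add_calendar_month(dt: datetime) -> datetime:
    """Advance one calendar month, clamping the day to the target month's length."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


def reporting_deadlines(classified_at: str) -> dict:
    """Map each reporting stage to its ISO 8601 deadline.

    classified_at is an ISO 8601 timestamp with a UTC offset marking the moment
    the incident was classified as major under RTS 2024/1772.
    """
    t0 = datetime.fromisoformat(classified_at)
    if t0.tzinfo is None:
        raise ValueError("classification time must carry a UTC offset")
    due = {stage: t0 + delta for stage, delta in STAGE_OFFSETS.items()}
    due["final_report"] = add_calendar_month(t0)
    return {stage: dt.isoformat() for stage, dt in due.items()}


def overdue_stages(classified_at: str, now: str, submitted: set) -> list:
    """Stages whose deadline has passed with no submission recorded."""
    now_dt = datetime.fromisoformat(now)
    return [stage for stage, iso in reporting_deadlines(classified_at).items()
            if stage not in submitted and now_dt > datetime.fromisoformat(iso)]


if __name__ == "__main__":
    # Constructed sample: classified late on 31 January, so the final report is
    # due 28 February rather than rolling over into March.
    for stage, due in reporting_deadlines("2026-01-31T22:30:00+00:00").items():
        print(f"{stage:22s} {due}")
```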

Third-Party ICT Risk (Articles 28-44)

This is where most fintechs feel the impact. Article 28 requires ongoing monitoring of ICT third-party risk. Article 30 mandates specific contractual clauses in every agreement with ICT service providers — covering service levels, data location, audit rights, exit strategies, and incident support obligations. RTS 2024/1773 details exactly what these clauses must contain.

Article 28(3) also requires maintaining a register of all contractual arrangements with ICT third-party providers, in the format specified by ITS 2024/2956.

Resilience Testing (Articles 24-27)

Fintechs must conduct regular digital operational resilience testing. The scope depends on size and risk profile. Larger fintechs may be required to conduct threat-led penetration testing (TLPT) under Articles 26-27, with technical standards defined in RTS 2025/1190.

How Gibs Helps

Gibs indexes all 64 DORA articles plus all 12 delegated acts — 641 chunks total, scoring 90% accuracy on an expert-curated evaluation dataset. Every answer cites both the parent regulation article and the specific delegated act provision where applicable.

```python
import gibs

client = gibs.Client(api_key="sk-gibs-...")

# Check specific DORA requirements for your fintech
result = client.check(
    question="What contractual clauses must a fintech include in agreements with cloud providers under DORA?",
    regulations=["dora"]
)

print(result.answer)
# "Under Article 30(2), financial entities must ensure that contractual
#  arrangements with ICT third-party service providers include provisions
#  on service level descriptions, data processing locations, audit and
#  access rights, exit strategies, and incident notification obligations.
#  RTS 2024/1773 further specifies..."

print(result.sources)
# ["Article 30(2)", "Article 30(3)(a)-(e)", "RTS 2024/1773 Article 3"]
```

```typescript
import { Gibs } from '@gibs-dev/sdk'

const gibs = new Gibs({ apiKey: 'sk-gibs-...' })

const result = await gibs.check({
  question: 'Does DORA require my fintech to conduct penetration testing?',
  regulations: ['dora']
})
// result.sources: ["Article 24", "Article 25", "Article 26", "RTS 2025/1190"]
```

Gibs also provides an MCP (Model Context Protocol) server at mcp.gibs.dev, so AI coding assistants like Cursor, Claude Desktop, and Windsurf can query DORA requirements directly within your development environment.

Who This Is For

Try It Now

Free tier: 50 requests per month, no credit card required.

```bash
curl -X POST https://api.gibs.dev/v1/check \
  -H "Authorization: Bearer sk-gibs-..." \
  -H "Content-Type: application/json" \
  -d '{"question": "Does DORA apply to crypto-asset service providers?", "regulations": ["dora"]}'
```


FAQ

Does DORA apply to small fintechs?

Yes, but with proportionality. Article 4 requires financial entities to implement DORA requirements proportionate to their size, overall risk profile, and the nature, scale, and complexity of their services. Microenterprises (under 10 employees and annual turnover or balance sheet under EUR 2 million) benefit from a simplified ICT risk management framework under Article 16, which reduces documentation and governance requirements while maintaining core protections.

What is the DORA incident reporting timeline for fintechs?

Under Article 19 and RTS 2025/301: initial notification within 4 hours of classifying an incident as major, an intermediate report within 72 hours, and a final report within one month. Incident classification criteria — including thresholds for what qualifies as "major" — are defined in RTS 2024/1772 based on factors like the number of clients affected, duration, geographical spread, data losses, and criticality of services impacted.

How does DORA interact with PSD2 for payment institutions?

DORA replaces the ICT risk management provisions that payment institutions previously followed under PSD2 and the EBA Guidelines on ICT and security risk management. Article 1(2) specifies that DORA's ICT requirements take precedence where they overlap with sector-specific legislation. Payment institutions already subject to EBA ICT Guidelines need to upgrade to DORA's more comprehensive and prescriptive framework, particularly around incident reporting timelines and third-party contractual clauses.

Do ICT providers to fintechs need to comply with DORA?

ICT third-party service providers are not directly regulated by DORA in most cases. However, financial entities must include specific contractual clauses in agreements with ICT providers under Article 30, and RTS 2024/1773 details what those clauses must contain — covering service levels, audit rights, data location, incident notification, and exit strategies. Additionally, ICT providers designated as critical under the criteria in Delegated Regulation 2024/1502 are directly overseen by the European Supervisory Authorities under the oversight framework in Articles 31-44.

What is the Register of Information?

Article 28(3) requires every financial entity to maintain a register of all contractual arrangements with ICT third-party service providers. The register must follow the standardized format defined in ITS 2024/2956. It must be kept up to date and made available to the competent authority upon request. This is one of the most operationally intensive DORA requirements for fintechs with multiple ICT vendors.

Can Gibs check DORA and GDPR obligations together?

Yes. Many ICT incidents involve personal data, triggering both DORA incident reporting obligations (Article 19) and GDPR breach notification requirements (Article 33). Gibs supports cross-regulation queries and returns cited answers from both regulations in a single response, with clear attribution of which obligation comes from which regulation. Gibs currently covers DORA, the EU AI Act, and GDPR.

How current is the DORA corpus?

The Gibs DORA corpus includes the base regulation (2022/2554) and all 12 delegated acts adopted through February 2026. The corpus contains 641 indexed chunks and is version-tracked — every API response includes the corpus version used to generate the answer. When new delegated acts or amendments are adopted, the corpus is updated, re-evaluated against the expert-curated dataset, and redeployed.

Last updated: 2026-02-19