> ./exec Infosec.sh — ARTICLE
DORA Compliance for Fintechs: Timeline, Costs, and the Six Most Expensive Pitfalls
MarcusMarcus, Solution Architect
Since January 17, 2025, DORA is binding. No transition period, no grace period, no "we're still reviewing this." The European Supervisory Authorities expect full compliance, and BaFin has made clear it will actively enforce the regulation. Anyone still debating whether DORA applies to their fintech is asking the wrong question.
The right question is: Which of the five DORA core areas poses the greatest risk to your organization, and how do you prioritize the next twelve months?
This article does not offer diplomatic answers. It gives you an honest cost assessment, a realistic timeline, and a plain-spoken account of the pitfalls that most mid-sized fintechs stumble into, based on direct experience. The DORA compliance advisory your organization needs does not begin with a slide deck on the five pillars of the regulation. It begins with an honest assessment of where you stand today and what full implementation actually costs.
DORA Is Not a BAIT Upgrade
Many CISOs, especially at firms that have already operated under BaFin's KAIT/BAIT regime, make the same mistake: they treat DORA as a version upgrade of their existing IT governance framework. That is wrong, and the mistake is expensive.
BAIT and KAIT define minimum requirements for information security at banks and insurers in Germany. DORA defines an EU-wide framework for digital operational resilience. The regulation is structured around five core areas: ICT risk management, reporting of ICT-related incidents, digital operational resilience testing, management of third-party ICT risk, and information sharing on cyber threats.[1]
The difference between BAIT and DORA is not a matter of degree; it is categorical. BAIT asks: "Do you have a documented IT security policy?" DORA asks: "Can you prove that your entire ICT supply chain remains operationally resilient under a realistic disruption scenario, and if not, why have you accepted that residual risk and which member of your management body documented that acceptance?"
DORA explicitly anchors ultimate accountability for ICT risk management at the level of the management body.[1] That is not a footnote in Article 5. It is the fundamental governance requirement that causes most DORA projects to fail, because nobody takes it seriously until an auditor asks.
This applies to all financial entities within the regulation's scope: credit institutions, payment institutions, e-money institutions, investment firms, providers of crypto-asset services (CASPs), insurance undertakings, and a range of other regulated entities. For fintechs, this means in practice that almost every company holding a BaFin license or a passporting authorization from another EU member state falls under DORA. There is no "we're too small" exemption in the regulation, only a proportionality clause for non-significant institutions that allows the simplified ICT risk management framework under Article 16.
What the Timeline Actually Means
The official timeline reads straightforwardly: DORA was published in the EU Official Journal on December 27, 2022, entered into force on January 16, 2023, and has been applicable since January 17, 2025.[1] Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) from the European Supervisory Authorities were adopted in several waves through the end of 2024.[3]
What that timeline means in practice is a different story.
The RTS on the ICT risk management framework were not finalized until January 2024. The RTS on Threat-Led Penetration Testing (TLPT) followed in March 2024. This means fintechs had less than twelve months for a substantial portion of the concrete implementation work, even though DORA formally offered two years of lead time.[3]
There is also a structural problem: the requirements for the third-party information register were less precisely specified in the original DORA regulation than in the later implementing regulations. Organizations that began building such a register in 2023 often had to restructure it from scratch in 2024, because the ESAs provided very detailed templates in their ITS that diverged significantly from earlier internal approaches.
The third aspect missing from most timelines: DORA contains no once-and-done compliance. The regulation requires a permanent operational regime with annual resilience tests, regular reviews of the ICT risk management framework, and ongoing monitoring of third-party service providers. Anyone who treats DORA as a completed project has not understood the regulation.
What has been in force since January 2025:
The complete ICT risk management framework under Articles 5 to 16 must be implemented and documented.[1] Reporting obligations for major ICT incidents are active: the initial report must be filed within four hours of identifying a major incident, the intermediate report follows no later than 72 hours after, and the final report is due within one month.[1] The information register of all ICT third-party service providers must be complete and current. Contractual requirements under Article 30 DORA must be implemented across all relevant ICT service agreements. An annual resilience testing program must be conducted and documented.
For systemically important institutions, the elevated requirements for Threat-Led Penetration Testing apply, which must be carried out every three years.
DORA and NIS2: Drawing the Line
One point that creates confusion at many organizations is the relationship between DORA and the NIS2 Directive. The short answer: for financial entities that fall under DORA, DORA applies as lex specialis, and NIS2 recedes in those cases.[1]
That sounds simpler than it is. Fintechs that simultaneously provide regulated financial services and operate critical infrastructure within the meaning of NIS2 must draw this distinction carefully. A payment service provider that operates its own telecommunications infrastructure for its product cannot simply invoke DORA as a blanket cover.
The practical recommendation: have the regulatory classification explicitly documented for each of your operating units. DORA or NIS2 is not an academic question; the differences in requirements touch concrete points such as reporting channels, definitions of major incidents, and the responsible authorities.
What both regulations share: they shift the compliance logic from "What can we document?" to "Can we prove that our security measures actually work?"[2] This is a fundamental cultural shift for organizations that have historically thought in terms of policies and process documents without testing their operational effectiveness.
The Real Costs
Any cost estimate for DORA compliance that responds with a single round number is not credible. The costs depend on too many variables: the baseline maturity of IT governance, the complexity of the ICT supply chain, the number of critical third-party service providers, the maturity of existing incident management processes, and available internal staff.
Based on several DORA implementations, I can say this: for a mid-sized fintech with 50 to 250 employees that wants to achieve genuine compliance rather than paper compliance, the real effort runs between 250,000 and 800,000 euros in the first year. That figure includes external advisory, tooling, and internal effort.
This number shocks many management teams. It is realistic regardless. Budgeting 100,000 euros and expecting full compliance buys you a gap analysis and a polished presentation deck. It does not buy compliance.
The cost blocks in detail:
ICT risk management framework: 40,000 to 120,000 euros for development and implementation. This covers building a complete framework including asset inventory, risk assessment, business impact analysis, and documentation. Organizations already running an ISMS under ISO 27001 sit at the lower end of this range. Those starting from zero sit at the upper end.
Third-party risk management: 60,000 to 200,000 euros. For most fintechs, this is the single most expensive item in the entire DORA implementation. Cloud-native fintechs routinely have between 15 and 40 ICT third-party providers, including critical providers such as AWS, GCP, or Azure as well as specialized payment service providers, KYC vendors, and fraud detection systems. Each of these providers must be assessed, brought into contractual alignment with DORA requirements, and entered into the information register.
Incident management and reporting infrastructure: 30,000 to 80,000 euros. Building or overhauling processes for detecting, classifying, and reporting major ICT incidents. The four-hour window for the initial report is not a paper process. It requires functioning technical alerting systems, clearly defined escalation paths, and personnel who can actually navigate those paths under pressure.
Resilience testing program: 50,000 to 150,000 euros annually. Foundational tests such as vulnerability assessments and penetration tests, plus the formal governance and board-level documentation of those tests.
GRC tooling: 20,000 to 80,000 euros annually. GRC platforms, SIEM systems, third-party risk management tools. Many fintechs try to cut costs here and end up with a spreadsheet tangle that gets flagged as inadequate at the next audit.
Internal personnel effort: This item is absent from almost every cost estimate that external consultants present. Realistically, 0.5 to 2.0 full-time equivalents will be tied up in DORA activities in the first year and unavailable for product development. This is the least visible but often the most painful cost driver, because it never appears in any project budget.
One more point that is systematically underestimated: DORA compliance must be funded on a permanent basis. After the initial implementation year, recurring annual costs of 80,000 to 180,000 euros for testing, register maintenance, third-party monitoring, and regulatory reporting are realistic.
The Six Most Expensive Pitfalls
Pitfall 1: Treating the ICT Asset Inventory as an Afterthought
The ICT asset inventory is in practice consistently the most critical bottleneck in the entire DORA implementation. The regulation requires that financial entities identify and document all their ICT assets along with their configurations and dependencies.[1] That sounds trivial. It is not.
Sam Newman describes in "Building Microservices" how, in distributed architectures, knowledge about system dependencies spreads across many teams and repositories and is never fully consolidated in any single system.[5] Fintechs are hit especially hard by this phenomenon: a modern fintech architecture consists of dozens of microservices, serverless functions, managed database services, external APIs, and third-party libraries. Individually, none of these elements is undocumented. Taken together and prepared in a form usable for compliance purposes, they almost always are.
The recommendation is clear: begin with the asset inventory before launching any other DORA workstream. It is the prerequisite for everything else, for the risk analysis, for third-party identification, and for the business impact analysis. Anyone who starts third-party risk management without this foundation is building on sand.
Pitfall 2: Reducing Third-Party Risk Management to Contract Work
DORA contains detailed requirements for managing ICT third-party providers in Articles 28 to 44.[1] The most common reaction in practice: a legal team revises MSAs and SLAs with key providers, and the matter is considered resolved.
That is dangerously shortsighted. DORA does not only require correct contracts. It requires a continuous monitoring regime, regular risk assessments, exit strategies for critical service providers, and the operational capability to respond to ICT incidents at third parties.
A contract with AWS that contains all the DORA clauses but is not backed by a contingency plan for a regional AWS outage is DORA-compliant on paper and operationally worthless.
The question every CISO must put to their teams: "If our most critical ICT third-party provider goes down for 48 hours tomorrow, what happens exactly, who does what, and in what order?" If the honest answer is "we'll figure it out then," the third-party risk management is not compliant, regardless of contract quality.
Pitfall 3: Underestimating the Reporting Obligations
The DORA reporting obligations for major ICT incidents are severely underestimated in their operational complexity. The initial report must be filed within four hours of identifying a major incident, and in that initial report the financial entity must already provide the incident type, the affected services, and a first impact assessment.[1] The intermediate report follows no later than 72 hours after, the final report after one month.
This sounds like bureaucratic documentation work. In reality, it is a stress test for the entire incident response organization. Anyone who has managed a real security incident knows: in the first four hours there is chaos. Teams are coordinating, facts are unclear, responsibilities are at best half-defined.
Concretely: your incident response playbooks must include the DORA reporting classification as an integral part of the workflow, not as an appendix. This workflow must be practiced, at minimum annually in a tabletop exercise that explicitly includes the DORA reporting procedure. Anyone who runs their first DORA-compliant reporting process during an actual incident will miss the four-hour deadline.
Pitfall 4: Treating Resilience Tests as a Compliance Checkbox
DORA requires a resilience testing program ranging from basic vulnerability assessments to threat-led penetration tests. The temptation is strong to commission an annual penetration test, file the report in a folder, and consider the matter done.
DORA requires something more fundamental: test findings must be integrated into the ICT risk management framework, identified vulnerabilities must be remediated through a defined process with clearly assigned owners and deadlines, and the governance of these tests must be anchored at board level.
Martin Fowler describes in "Patterns of Enterprise Application Architecture" how technical debt accumulates in systems when no systematic reduction is organizationally enforced.[6] The same applies to security vulnerabilities. A penetration test whose findings do not land in a tracking system with an owner and a deadline is not just useless. It is actively harmful, because it creates a false sense of security and at the next audit serves as evidence that known vulnerabilities were ignored.
Pitfall 5: Treating DORA as an IT Project Rather Than a Governance Matter
This is the cultural pitfall, and it is especially common at mid-sized fintechs. DORA lands with the CISO or CTO, who turns it into a project team with a backlog. The result: DORA compliance as a feature branch, eventually to be merged into the main branch of the organization.
This does not work, for a structural reason the regulation addresses explicitly: ultimate responsibility for ICT risk management lies with the management body of the financial entity.[1] That means the board or executive management, not the CTO, not the CISO.
The practical consequences: the governance structure must ensure that the board is regularly informed about the state of ICT risk management, that decisions on risk acceptance are made and documented at board level, and that DORA-relevant policies are approved by executive management. Anyone who treats DORA as a pure IT project without setting these governance anchors will have a great deal of explaining to do at the first supervisory conversation.
Pitfall 6: Treating the Third-Party Service Provider Information Register as a Static Document
The information register is one of the technically unassuming but operationally demanding DORA requirements. It requires complete, current documentation of all ICT third-party service providers, including contract details, the functions they support, the geographic locations of data storage and processing, and a criticality assessment.[3]
The ESAs have provided precise templates for this register with more than 50 data fields per provider. A mid-sized fintech with 25 ICT third-party providers that correctly populates this register will initially commit several person-months to the effort.
The mistake I see repeatedly: the register is treated as a one-time project and not maintained after initial population. DORA requires that this register be updated whenever there are material changes and reviewed in full at least annually. An outdated register is not a register; it is a compliance risk that becomes immediately visible at an inspection.[2]
A Pragmatic Implementation Plan
For a fintech that wants to approach DORA compliance in a structured way, I recommend the following prioritization. This sequence is not academic; it follows the actual dependencies that block projects in practice.
Phase 1 (months 1 to 3): Foundation
The ICT asset inventory comes first. No other workstream can move forward meaningfully without this foundation. In parallel: gap analysis against the DORA requirements catalog and the final RTS, identification of critical ICT third-party service providers, establishment of the DORA governance structure with explicit board-level anchoring, and appointment of a responsible program lead with direct access to executive management.
Realistic budget for Phase 1: 60,000 to 150,000 euros.
Phase 2 (months 4 to 8): Core Compliance
Development and implementation of the ICT risk management framework, revision of contracts with critical third-party providers under Article 30 DORA, build-out of the information register using the ESA template, implementation of incident management processes including DORA classification and reporting channels to BaFin.
Realistic budget for Phase 2: 120,000 to 350,000 euros.
Phase 3 (months 9 to 12): Testing and Operationalization
Conducting the first complete resilience testing program, tabletop exercises for incident response that explicitly include the DORA reporting procedure, review and finalization of documentation, initial internal audit-readiness check.
Realistic budget for Phase 3: 70,000 to 200,000 euros.
Ongoing operations from month 13: 80,000 to 180,000 euros annually for continuous testing, register maintenance, third-party monitoring, and regulatory reporting.
These phases can be accelerated or extended depending on the starting maturity level. What cannot be accelerated is organizational embedding. The governance structures DORA demands need time to integrate into day-to-day operations.
What Good DORA Compliance Advisory Actually Delivers
The market for DORA advisory services has grown strongly since 2023. Every major management consultancy and many specialized providers offer DORA packages. The quality differences are substantial.
What distinguishes credible DORA compliance advisory can be measured against three criteria:
Technical depth in third-party risk assessment: An advisor who reduces third-party risk management to contract optimization without understanding the technical dependencies and architectures is delivering half a service. Assessing critical ICT third-party providers requires an understanding of the technical integration, not just the legal basis. Anyone who does not understand how a multi-cloud architecture with its dependencies is structured cannot produce a meaningful third-party risk profile.
Operational orientation rather than documentation optimization: DORA compliance does not emerge from perfect policies and procedures; it emerges from working processes. An advisor who primarily produces documents without accompanying the operational implementation is solving the wrong problem. The decisive question is not whether the incident response handbook formally covers the DORA requirements, but whether the organization would actually behave that way in a real incident.
Understanding the supervisory examination logic: BaFin and the ESAs do not audit DORA with a static checklist approach. They examine whether internal processes and governance structures are genuinely suited to achieving the regulation's objectives.[2] An advisor who knows only the letter of the regulation but not the examination philosophy of the German supervisory authority is preparing their client for a compliance picture that falls apart at the first supervisory conversation.
DORA and Technical Architecture
One aspect that receives too little attention in many DORA implementations: the regulation has direct implications for technical architecture decisions.
This is especially true for the requirements around business continuity and recovery. DORA requires that financial entities define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical functions and validate these through actual tests.[1] This is not a documentation exercise; it is an architecture constraint.
A system that declares an RTO of two hours for critical payment functions but runs on a single-region deployment architecture without automated failover is not DORA-compliant. The architecture must be able to technically support the declared RTOs and RPOs. Anyone who does not bring the two into alignment is knowingly writing compliance documents that cannot be honored in a real incident.
Vaughn Vernon, whose work on Domain-Driven Design practice has fundamentally shaped the strategic design of distributed systems, shows that careful delineation of Bounded Contexts is not merely a semantic tool but has direct implications for fault propagation in distributed architectures. This approach is directly relevant to DORA implementations: a fintech architecture in which the failure of a single payment service brings down the entire system has a structural problem that no governance documentation can fix.
The recommendation is clear: bring technical architects into the DORA implementation, not as observers but as active co-designers. RTO/RPO definitions must be reconciled with actual architecture capabilities. If the architecture cannot meet the defined targets, either the architecture must be adjusted or the targets must be realistically corrected. One or the other, but not both left open.
Conclusion: Compliance as a Permanent Operational State
DORA is not a one-time investment and not a project with a completion date. It is a permanent operational regime that requires continuous attention, resources, and governance. Fintechs that view this purely as a cost burden will be frustrated. Fintechs that understand it as a measure of maturity in their operational IT organization will find that many DORA requirements actually lead to a more resilient operation, independent of supervisory requirements.
What makes the difference between "compliant on paper" and "genuinely compliant" can be summarized in one sentence: real DORA compliance means your organization can detect a major ICT incident, classify it, report it to the supervisory authority, and manage it operationally, without anyone having to open a handbook to do so.
That is the actual objective of the regulation. The documentation is the proof, not the goal itself.
If you want to know exactly where your organization stands, start with a structured gap analysis against the finalized RTS and ITS, not the original DORA regulation from 2022 but against the state the ESAs defined in their final standards from 2024.[3] That difference alone produces surprises in every other project.
Sources
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. Official Journal of the EU, L 333, 27 December 2022. https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32022R2554
[2] BaFin, "DORA: Digital Operational Resilience Act, Important Information for Supervised Entities," fact sheet, updated 2025. https://www.bafin.de/DE/Aufsicht/DigitaleFinanzdienstleistungen/DORA/dora_node.html
[3] European Supervisory Authorities (EBA, EIOPA, ESMA), "Final Report: Draft Regulatory Technical Standards on ICT risk management framework and on simplified ICT risk management framework under Articles 15 and 16 DORA," JC 2023 86, January 2024. https://www.eba.europa.eu/regulation-and-policy/operational-resilience/digital-operational-resilience-act-dora-policy-products
[4] ENISA, "Technical Guidance on the Digital Operational Resilience Act (DORA) for Financial Entities," European Union Agency for Cybersecurity, 2024. https://www.enisa.europa.eu/topics/digital-operational-resilience
[5] Sam Newman, "Building Microservices: Designing Fine-Grained Systems," 2nd edition, O'Reilly Media, 2021, ISBN 978-1492034025.
[6] Martin Fowler, "Patterns of Enterprise Application Architecture," Addison-Wesley Professional, 2002, ISBN 978-0321127426.
Marcus
Solution Architect
Overall architecture, ADRs, technical coherence, knowledge graphs.
Need help with Infosec?
Free initial consultation, fixed price after audit.
INIT_CONSULTATION() →