Your First 90 Days of DORA — An IT Controls Implementation Roadmap for Fintech Startups

DORA (Regulation (EU) 2022/2554) is now live across the EU. It sets uniform rules for ICT risk management, incident reporting, resilience testing and third‑party risk for financial entities, and it applies from 17 January 2025. If you are a Fintech startup operating in Europe, your next 90 days determine whether you can withstand audits, secure partnerships, and continue scaling in regulated markets. Here is a pragmatic, regulator‑aligned plan you can execute immediately.

Who this roadmap is for

  • CTOs, Heads of Product/Engineering, CISOs in EU Fintechs that fall under DORA’s scope (e.g., payments, e‑money, investment, insurance intermediaries, crypto‑asset service providers where applicable).
  • Founders preparing for bank partnerships, licensing, or entering multiple EU markets.

DORA in 60 seconds — what you must operationalize

  • ICT risk management — governance, policies, controls, monitoring.
  • Major ICT incident reporting — classification thresholds, initial/intermediate/final reporting timelines, harmonised templates.
  • Digital operational resilience testing — from basic testing to TLPT, aligned with TIBER‑EU and the TLPT delegated act.
  • ICT third‑party risk — Register of Information (RoI) templates, contract clauses, subcontracting, and CTPP oversight.
  • Information‑sharing arrangements: voluntary exchange of cyber threat intelligence between financial entities. Note also that, for in‑scope financial entities, DORA is lex specialis vis‑à‑vis NIS2.

The 90‑day sprint at a glance

  • Days 1 — 30: Foundation and gap assessment
  • Days 31 — 60: Control implementation and monitoring
  • Days 61 — 90: Proving resilience — drills, testing posture, audit evidence

Day 0 — Prerequisites and success criteria

  • Name a senior accountable owner (management body responsibility).
  • Define success metrics: mean time to detect/respond (MTTD/MTTR), backup success rate, patch SLAs, vendor coverage, incident drill timings.
  • Set up an “evidence library” from day one: store policies, approvals, scans, monitoring screenshots, reports, tickets.

Days 1 — 30: Build your foundation

1) Governance and risk

  • Approve an ICT Risk Management Policy and control standard; adopt a risk taxonomy aligned to DORA.
  • Map business services to “critical or important functions” (CIFs) and define RTO/RPO targets.
  • Perform a gap assessment against DORA's own ICT risk management requirements (Chapter II and the RTS on the ICT risk management framework), reusing ISO 27001, NIST CSF and SOC 2 evidence wherever it maps, to prioritize near‑term controls.

2) Incident reporting playbook — align to RTS/ITS timelines

  • Create a one‑page escalation matrix from “detection” to “classification” to regulator notification.
  • Implement timers and a checklist for the DORA time limits: initial notification within 4 hours of classifying the incident as major and no later than 24 hours after you became aware of it; intermediate report within 72 hours of submitting the initial notification; final report within 1 month of submitting the intermediate report. Rehearse once in the first 30 days.
  • Prepare data fields required by the standard forms and templates (ITS) to avoid scrambling during an incident.

3) Register of Information (RoI) — start early

  • Stand up your RoI using the official templates (providers, services, CIF linkage, locations, data types, subcontractors, exit plans).
  • Identify each provider by LEI, or by EUID where the RoI ITS permits it as an alternative; capture both if available and validate them before they are loaded into the register.
  • Set a weekly governance slot to enrich and validate the RoI — it becomes supervisory data and feeds CTPP oversight.

4) Third‑party contracting and procurement controls

  • Insert DORA‑aligned clauses: audit/access rights, incident notification, subcontracting conditions, exit/termination, data location/sovereignty, resilience KPIs.
  • Flag critical/important functions and define pre‑approval for any subcontracting chain.

5) Proportionality and simplified framework

  • If you qualify for the simplified ICT risk management framework, document justification and scope, but do not skip core controls (asset inventory, access control, backup/restore, logging, vulnerability management).

Deliverables by Day 30

  • Board‑approved ICT policy and risk appetite
  • Gap assessment and 90‑day remediation plan
  • Incident reporting runbook and on‑call rota
  • RoI v0.9 completed for top 10 vendors
  • Contract addendum template for DORA clauses

Days 31 — 60: Implement controls and monitoring

1) Core controls that stick

  • Asset inventory and CMDB; access governance (RBAC, MFA, joiner‑mover‑leaver), secure default configurations.
  • Logging and monitoring: centralize application and infrastructure logs; set alerts for availability, integrity, and authentication events.
  • Backup and recovery: test restores for systems supporting CIFs; evidence RTO/RPO drills.
  • Vulnerability management: 14–30 day SLA by severity; change management tied to risk.
  • SDLC controls: code scanning, dependency risk, secrets management, pre‑prod testing.

2) Incident readiness — drill against the clock

  • Run a tabletop exercise against the 4‑hour/24‑hour/72‑hour/1‑month reporting cadence, starting the 72‑hour and 1‑month clocks from the preceding submission as the RTS does; fill in the templates you will actually submit.
  • Add communications paths to your competent authority’s portal/process.

3) RoI hardening and supervisory readiness

  • Extend RoI coverage to 100% of ICT third‑party arrangements; link each to CIFs and exit strategies.
  • Validate provider identifiers (LEI/EUID) and subcontractor chains for critical services.

4) Concentration and CTPP awareness

  • Identify cloud/SaaS concentration, region dependencies, and portability gaps.
  • Understand the 2025 CTPP designation process so you know which of your providers fall under ESA oversight and what that changes for your own contracts and exit planning.

Deliverables by Day 60

  • Monitoring dashboards and alert runbooks
  • Evidenced restore test and failover notes
  • Vulnerability backlog burn‑down; patch metrics
  • RoI v1.0 complete with data quality checks

Days 61 — 90: Prove resilience and close gaps

1) Testing posture — from basic to TLPT

  • Document your testing scope: vulnerability scans, config reviews, incident drills, supplier failover tests.
  • Decide if and when you may fall under Threat‑Led Penetration Testing (TLPT, at least every three years for entities the competent authority identifies) and align future steps with the TLPT delegated act; track the Eurosystem TIBER‑EU alignment for deliverables and approach.

2) Third‑party resilience and exit

  • Walk through an exit drill for one critical SaaS: data export, re‑platform steps, and roll‑back.
  • Verify contractual rights for audits, on‑site visits, and incident cooperation.

3) Audit evidence and metrics

  • Consolidate the evidence pack (see the evidence library checklist below) and lock your KPI baselines (MTTD/MTTR, backup success, patch SLAs, incident drill timings).
  • Schedule a mock supervisory Q&A using your RoI and incident templates.

Deliverables by Day 90

  • Testing strategy and TLPT readiness memo
  • Executed third‑party exit rehearsal notes
  • Complete evidence library and KPI baseline

Control checklist — what supervisors will expect to see

  • Governance: management body minutes, risk appetite, policy approvals.
  • Risk: CIF mapping, risk register, treatment plans.
  • Assets & access: inventories, access reviews, MFA coverage, admin hardening.
  • Monitoring: logging scope, alert rules, SIEM/SOAR playbooks.
  • Data protection: encryption, key management, secure backups, restore proofs.
  • Change & vuln: change tickets linked to risk, scan results, patch reports.
  • Incident: classification matrix, on‑call rota, reporting templates, drill evidence.
  • Third‑party: RoI, due diligence packs, DORA clause addenda, subcontracting disclosures.
  • Testing: test plans, results, fixes, and TLPT roadmap where applicable.
  • Metrics: MTTD/MTTR, RTO/RPO tests, vendor coverage, concentration analysis.

Mapping DORA pillars to popular frameworks

DORA requirement            | ISO 27001:2022 Annex A                          | NIST CSF 2.0               | SOC 2 (TSC)
ICT risk management         | A.5.1, A.5.23, A.5.30, A.5.36, A.8 (as applicable) | Govern, Identify, Protect | Security, Availability
Incident mgmt & reporting   | A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.29   | Detect, Respond, Recover   | Security, Availability
Digital resilience testing  | A.8.8, A.8.9, A.8.16, A.8.29                     | Identify, Protect, Detect  | Security
ICT third‑party risk & RoI  | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23           | Govern, Identify, Protect  | Security, Availability
Info sharing & coordination | A.5.7                                            | Identify, Respond          | Security

Use this mapping to translate existing audits into DORA evidence and to spot gaps quickly.

Incident reporting — the operational details that matter

  • Classify and timebox: initial notification within 4 hours of classification as major and no later than 24 hours after becoming aware of the incident; intermediate report within 72 hours of submitting the initial notification; final report within 1 month of submitting the intermediate report. Build timers into your on‑call flow.
  • Populate the harmonised forms: root cause hypothesis, impact, mitigations, cross‑entity effects, and external dependencies per the ITS.
  • Align overlaps with NIS2 where applicable, noting DORA’s lex specialis role for financial entities.
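One way to wire those deadlines into an on‑call tool, as an added example that is not part of the original article: a small Python calculator that derives each report's due time from the reference points stated above (classification and awareness for the initial notification, the preceding submission for the intermediate and final reports). The timestamps in it are constructed for the demo. Two points are assumptions to check against the RTS text and your competent authority's guidance: "within 1 month" is treated as one calendar month, and weekend/bank‑holiday relief and re‑submitted intermediate reports are not modelled.

```python
"""Deadline calculator for the DORA major-incident reporting chain.

Added example, not code from the original article. Reference points:
  - initial notification: 4 h after classification as major, and never later
    than 24 h after the entity became aware of the incident
  - intermediate report: 72 h after submitting the initial notification
  - final report: 1 month after submitting the intermediate report
Assumptions: "1 month" = one calendar month with the day clamped to the
month's length; weekend/bank-holiday relief is deliberately not modelled.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class MajorIncidentClock:
    aware_at: datetime                                  # moment the entity became aware
    classified_at: Optional[datetime] = None            # classified as "major"
    initial_submitted_at: Optional[datetime] = None
    intermediate_submitted_at: Optional[datetime] = None
    final_submitted_at: Optional[datetime] = None

    def initial_deadline(self) -> datetime:
        # 24 h from awareness is a hard cap: slow classification does not buy time.
        cap = self.aware_at + timedelta(hours=24)
        if self.classified_at is None:
            return cap
        return min(self.classified_at + timedelta(hours=4), cap)

    def intermediate_deadline(self) -> Optional[datetime]:
        # The 72 h clock starts only when the initial notification is actually sent.
        if self.initial_submitted_at is None:
            return None
        return self.initial_submitted_at + timedelta(hours=72)

    def final_deadline(self) -> Optional[datetime]:
        if self.intermediate_submitted_at is None:
            return None
        return add_one_month(self.intermediate_submitted_at)

    def status(self, now: datetime) -> Dict[str, str]:
        """Per-report state for an on-call dashboard: submitted / pending / due in Xh / OVERDUE."""
        submitted = {
            "initial": self.initial_submitted_at,
            "intermediate": self.intermediate_submitted_at,
            "final": self.final_submitted_at,
        }
        deadlines = {
            "initial": self.initial_deadline(),
            "intermediate": self.intermediate_deadline(),
            "final": self.final_deadline(),
        }
        out: Dict[str, str] = {}
        for name, deadline in deadlines.items():
            if submitted[name] is not None:
                out[name] = "submitted"
            elif deadline is None:
                out[name] = "pending"            # preceding report not yet submitted
            elif now > deadline:
                out[name] = "OVERDUE"
            else:
                hours = (deadline - now).total_seconds() / 3600
                out[name] = f"due in {hours:.1f}h"
        return out


if __name__ == "__main__":
    # Constructed scenario: aware Friday 09:00, classified as major 21 h later.
    clock = MajorIncidentClock(aware_at=utc(2025, 3, 7, 9, 0), classified_at=utc(2025, 3, 8, 6, 0))
    print("initial deadline:", clock.initial_deadline())      # 24 h cap binds, not 06:00 + 4 h
    print(clock.status(now=utc(2025, 3, 8, 10, 0)))
```

The edge case worth noticing is the first scenario in the demo: classification 21 hours after awareness leaves only 3 hours for the initial notification, because the 24‑hour awareness cap overrides the 4‑hour classification window.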

ICT third‑party risk — RoI, contracts, and CTPP oversight

  • Maintain the RoI at entity/sub‑consolidated/consolidated levels, using the official templates; ensure CIF linkage, data locations, and subcontractor chains are captured.
  • Use the LEI to identify each provider, with the EUID as an alternative where the RoI ITS as adopted by the Commission permits it; validate identifiers early to avoid rework when the register is collected.
  • Expect authorities to collect RoIs and feed ESAs’ 2025 criticality assessments — submit clean, deduplicated data on request.
  • Keep contract conditions aligned with the delegated RTS on third‑party policy and subcontracting expectations.
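The identifier validation called for in the Day 1 to 30 RoI step and again here can be automated before the register leaves your hands. The following is an added example, not code from the original article or from any supervisory template: an LEI check‑digit validator (ISO 17442 identifiers carry two ISO 7064 MOD 97‑10 check digits, the same scheme IBANs use) plus a small data‑quality pass over constructed RoI rows that also catches missing identifiers and one identifier reused under two provider names. EUIDs are only shape‑checked, on the assumption that they look like country code + register identifier + "." + registration number; their register‑specific syntax is not validated offline.

```python
"""LEI check-digit validation and RoI identifier data-quality checks.

Added example, not code from the original article. The LEI (ISO 17442) is
20 characters: 18 alphanumerics followed by two check digits computed with
ISO 7064 MOD 97-10. The RoI rows below are constructed for the demo.
Assumption: EUIDs are only checked for the shape CC<register>.<number>.
"""
import re
from typing import Dict, List

_LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
_EUID_RE = re.compile(r"^[A-Z]{2}[A-Z0-9]+\.[A-Z0-9._-]+$")   # shape only (assumption)


def _mod97(s: str) -> int:
    """ISO 7064 MOD 97-10: map letters to 10..35, then reduce the digit string mod 97.
    Folding digit by digit keeps the arithmetic small instead of building a huge integer."""
    r = 0
    for ch in s:
        v = int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10
        for d in str(v):
            r = (r * 10 + int(d)) % 97
    return r


def lei_check_digits(base18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix."""
    base18 = base18.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", base18):
        raise ValueError("LEI prefix must be 18 alphanumeric characters")
    return f"{98 - _mod97(base18 + '00'):02d}"


def lei_is_valid(lei: str) -> bool:
    """True when the string is 20 chars of the right shape and the MOD 97-10 remainder is 1."""
    lei = lei.strip().upper()
    return bool(_LEI_RE.match(lei)) and _mod97(lei) == 1


def euid_shape_ok(euid: str) -> bool:
    return bool(_EUID_RE.match(euid.strip().upper()))


def check_roi_rows(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return data-quality findings keyed by provider name (only providers with issues)."""
    findings: Dict[str, List[str]] = {}
    seen: Dict[str, str] = {}            # identifier -> first provider name using it
    for row in rows:
        name = row["provider"]
        issues = findings.setdefault(name, [])
        lei = row.get("lei", "").strip().upper()
        euid = row.get("euid", "").strip().upper()
        if not lei and not euid:
            issues.append("no LEI or EUID")
        if lei and not lei_is_valid(lei):
            issues.append(f"invalid LEI {lei}")
        if euid and not euid_shape_ok(euid):
            issues.append(f"EUID shape unexpected: {euid}")
        ident = lei or euid
        if ident:
            if ident in seen and seen[ident] != name:
                issues.append(f"identifier {ident} already used by {seen[ident]}")
            seen.setdefault(ident, name)
    return {k: v for k, v in findings.items() if v}


# Constructed sample rows. The first LEI string is used purely because its
# check digits verify; it says nothing about which entity it belongs to.
SAMPLE_ROWS = [
    {"provider": "Cloud Hosting Ltd", "lei": "5493001KJTIIGC8Y1R12", "euid": ""},
    {"provider": "Payments Gateway SA", "lei": "5493001KJTIIGC8Y1R21", "euid": ""},   # transposed check digits
    {"provider": "KYC Vendor GmbH", "lei": "", "euid": "DEK1101R.HRB12345"},          # EUID only
    {"provider": "Card Scheme Corp", "lei": "", "euid": ""},                           # nothing captured
    {"provider": "Cloud Hosting (EU) Ltd", "lei": "5493001kjtiigc8y1r12", "euid": ""}, # same LEI, other name
]

if __name__ == "__main__":
    for provider, issues in check_roi_rows(SAMPLE_ROWS).items():
        print(f"{provider}: {'; '.join(issues)}")
```

A check‑digit pass proves only that the string is well‑formed. Before the register is submitted, confirm each LEI against the GLEIF lookup and make sure it names the contracting legal entity rather than a group parent, since the RoI links identifiers to specific contractual arrangements.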

TLPT and testing — right‑sizing for startups

  • Not all entities will immediately be in scope for TLPT, but you should maintain a forward plan aligned with the TLPT delegated regulation and TIBER‑EU updates.
  • Prioritize basic testing with real fixes: restore tests, failover, key compromise drill, supplier outage simulation, and a red/blue tabletop.

Evidence library — what to file for audits and partnerships

  • Board approval of ICT policy and risk appetite
  • CIF map, RTO/RPO, data flow diagrams
  • Incident classification matrix, drill decks, and filled templates
  • Monitoring dashboards, alert rules, and sample tickets
  • Backup and restore logs, failover test reports
  • Vulnerability scans, patch cadence reports
  • RoI export (current), vendor risk files, contract addenda
  • TLPT readiness memo and annual test plan

Interplay with NIS2 — clarity for multi‑regulated firms

For financial entities within the scope of DORA, DORA operates as the sector‑specific lex specialis for ICT risk management measures and incident reporting (NIS2 Article 4 defers to sector‑specific acts whose requirements are at least equivalent), so do not duplicate those obligations under NIS2 where DORA applies. Make sure your internal compliance matrix records which regime governs each obligation so you do not report the same incident twice.

Common pitfalls to avoid

  • Treating RoI as a procurement spreadsheet — it is a supervisory artifact with strict taxonomy and identifiers.
  • Reusing US‑centric SOC 2 controls without EU regulatory mapping — you’ll miss incident reporting and subcontracting depth.
  • Underspecifying exit and portability for critical SaaS — regulators will ask for evidence.
  • Practicing incident response without the real RTS/ITS time checks and forms.

What to do next — a 2‑week quick start

1) Approve the ICT policy and risk appetite; name the accountable owner.
2) Stand up the RoI with your top vendors and correct identifiers; schedule weekly data quality checks.
3) Run a 60‑minute tabletop using the 4h/24h/72h/1‑month cadence and fill in the templates once end‑to‑end.
4) Lock in backup/restore tests for systems supporting CIFs and record the evidence.
5) Issue the DORA addendum to critical supplier contracts.

Summary

  • DORA is in force EU‑wide — the next 90 days are about operationalizing controls, not drafting policies.
  • Nail three things early: a working incident playbook with RTS/ITS timings, a regulator‑grade RoI with correct identifiers, and a tested recovery capability.
  • Right‑size testing now and plan for TLPT alignment; keep contracts and subcontracting under tight control, and maintain clean evidence for supervisors and partners.