By Sofia Nordin, COO at fintech platform, Sharpfin
When the Digital Operational Resilience Act (DORA) officially came into force earlier this year, it created a wave of urgency. Panels filled up, consultants rushed out playbooks, and compliance teams got to work. Now, as the rules near enforcement, the buzz has faded but the regulation itself looms larger than ever, especially for fund managers and fintechs across Europe.
DORA represents a mindset shift. It asks firms to take cyber risk, digital infrastructure, and operational resilience seriously. And that’s a good thing. The industry is increasingly dependent on third-party tech, SaaS platforms, and cloud-based tools, so even small glitches can carry major consequences. DORA helps build trust and stability and ultimately makes digital innovation more sustainable.
But the way forward isn’t the same for everyone. Large firms have compliance teams and legal departments. Smaller players, those driving much of the innovation, don’t. The risk is that regulation, which is meant to level the playing field, could unintentionally tilt it further, reinforcing the dominance of those with the deepest pockets.
That doesn’t mean smaller firms are doomed to fall behind. On the contrary, DORA is an opportunity for nimble, tech-forward fund managers to future-proof their operations.
One Nordic fund manager told me how they’d developed a cutting-edge risk engine using machine learning. But to meet DORA’s demands around cybersecurity and vendor oversight, they faced costs almost as high as the platform itself. They hit pause, not because the innovation wasn’t good, but because the compliance setup was too fragmented. It’s a story we risk seeing repeated, unless we rethink the tools firms use to meet these expectations.
This isn’t a call to water down regulation. We need strong rules but we also need implementation that reflects reality. That means creating compliance paths that scale with firm size and complexity. It also means regulators listening not just to the biggest institutions, but to the startups, digital-first firms, and fund managers that make Europe’s financial ecosystem so vibrant.
Without adapting for scale, regulation risks doing the opposite of what it intends. We’ve seen this before. Post-2008 banking rules designed to increase stability ended up helping big banks and pushing smaller ones out.
If the rules don’t flex for smaller players, we risk building a system where only the largest can survive. One-size-fits-all may sound fair, but it often misses the real-world differences between markets, firms, and countries.
DORA enforcement is coming. But instead of seeing it as a burden, smaller firms should view it as a moment to build smarter. With the right systems and partners, compliance doesn’t have to kill innovation. It can protect it.