Last Updated on 06/02/2026 by 75385885
Part I – Why DORA governance is often misunderstood outside banks
Introduction – when “non-bank” becomes a dangerous abstraction
In discussions about the Digital Operational Resilience Act (DORA), a persistent misconception continues to surface: that non-bank financial institutions face lighter governance expectations because they are “not banks”. This assumption is not only inaccurate; it is increasingly dangerous.
DORA does not differentiate between banks and non-banks on the basis of labels or business models. It differentiates on the basis of digital dependency and potential impact. In many cases, non-bank institutions are at least as digitally exposed as banks, and sometimes more so.
Payment institutions, electronic money institutions, fintech platforms, asset managers and insurers often operate highly digital, real-time and customer-facing services. Their resilience depends almost entirely on ICT systems, data integrity and third-party providers. When these systems fail, there is often no analogue fallback.
This article examines DORA from a non-bank governance perspective. It explains why DORA governance expectations for non-banks are frequently underestimated, where boards are most exposed in practice, and how proportionality must be applied without eroding accountability.
This blog is part of a series of two blogs; the other one is:
2. DORA and Non-Banks – Digital Operational Resilience Beyond Banking Labels.
Why “non-bank” does not mean “lower risk”
The term “non-bank” is primarily a regulatory classification. It says little about how an institution actually operates. Many non-banks are:
- fully digital by design,
- dependent on real-time processing,
- heavily outsourced,
- and highly visible to customers and markets.
From a digital resilience perspective, these characteristics often increase risk rather than reduce it. A payment institution processing transactions continuously has little tolerance for downtime. An asset manager reliant on valuation systems and data feeds may face immediate integrity risks if systems fail. An insurer dependent on digital claims processing may be unable to operate during prolonged outages.
DORA reflects this reality. It does not assume that non-banks are inherently less critical. Instead, it asks whether an institution’s governance is proportionate to its actual digital exposure.
Boards that rely on the “non-bank” label as a shield against governance intensity are likely to face supervisory challenges under DORA.
Fintech is not a regulatory category
A related source of confusion is the widespread use of the term “fintech”. While common in media and market discourse, fintech has no formal meaning in EU financial regulation. DORA does not recognise fintech as a distinct category, nor does it associate innovation with reduced governance expectations.
From a governance perspective, the fintech narrative can be actively misleading. Innovation often increases digital dependency, shortens recovery windows and amplifies reputational risk. These effects demand stronger governance, not weaker.
Boards of so-called fintech institutions must therefore resist the temptation to equate agility with informality. DORA does not reward speed at the expense of control. It evaluates whether innovation is governed in a way that preserves operational resilience.
Digital operational resilience as the core operating condition
For many non-banks, digital operational resilience is not one risk among many; it is the primary operating condition. Unlike banks, which may retain some manual or branch-based fallbacks, many non-banks operate exclusively through digital channels.
This has two important governance implications.
First, digital failures immediately become business failures. There is no buffer between ICT disruption and customer impact. Outages, data issues or third-party failures translate directly into service disruption, regulatory breaches and reputational damage.
Second, risk concentration is often higher. Non-banks frequently rely on a limited number of platforms, providers or APIs. This creates structural dependencies that are difficult to unwind and easy to underestimate.
DORA forces boards to confront these realities. It requires them to understand not only what systems exist, but how the institution would function—or fail—if those systems were unavailable.
Read more from EIOPA on the Digital Operational Resilience Act (DORA).
Governance challenges specific to non-banks
While banks struggle with scale and complexity, non-banks often struggle with governance maturity. Common weaknesses include:
- informal decision-making,
- limited board documentation,
- reliance on founder expertise,
- and heavy dependence on third-party providers without adequate oversight.
DORA exposes these weaknesses by demanding traceability of decisions, clarity of accountability and demonstrable control. Boards that are accustomed to operating with minimal formal structure may find this challenging.
However, DORA does not require non-banks to replicate bank-level bureaucracy. It requires them to demonstrate that governance arrangements are fit for purpose given their digital risk profile. Simplicity is acceptable; ambiguity is not.
Proportionality in non-bank governance: where it often goes wrong
Proportionality is often invoked by non-banks as a justification for limited governance. This is where misunderstandings are most likely to arise.
Under DORA, proportionality allows non-banks to adopt governance structures that reflect their size and complexity. It does not allow them to:
- avoid formal oversight,
- rely on undocumented assumptions,
- or outsource responsibility.
In fact, supervisors often apply proportionality more critically to non-banks, precisely because governance structures are leaner. Where there are fewer committees, fewer reports and fewer layers of control, boards must compensate with clarity and explicit reasoning.
A small non-bank that cannot explain how digital risks are governed is likely to face more scrutiny, not less.
Read more on the Digital Operational Resilience Act (DORA) on Euronext.
The board’s role in non-bank DORA governance
For non-banks, the board’s role under DORA is often transformative. Many boards must move from a largely strategic or advisory role to a more explicit governance and oversight role.
Key expectations include:
- understanding digital dependencies,
- overseeing outsourcing and third-party risk,
- engaging with incidents and test outcomes,
- and ensuring that governance decisions are documented.
This does not require board members to be technologists, although DORA does expect members of the management body to maintain sufficient knowledge and skills to understand and assess ICT risk, including through regular training. Above all it requires governance discipline. Boards must be able to ask informed questions, challenge optimistic assumptions and ensure follow-up.
DORA therefore accelerates the professionalisation of governance in the non-bank sector. Institutions that embrace this shift can strengthen resilience and credibility simultaneously.
The core message of Part I
For non-banks, DORA dismantles the illusion that digital operational resilience is primarily a technical or operational concern. It establishes it as a core governance responsibility, regardless of institutional label.
In Part II, the focus will shift to how the DORA pillars operate specifically in non-bank institutions, with particular attention to outsourcing, concentration risk and real-time dependency.
Part II – How the DORA pillars manifest in non-bank governance
From regulatory abstraction to operational reality
For non-bank financial institutions, the five pillars of DORA often collide more directly with daily operations than they do in banks. This is not because the regulation is stricter, but because buffers are thinner. Many non-banks operate with thinner balance-sheet shock absorbers, without diversified channels and without legacy fallback processes. Digital disruption therefore translates more quickly into regulatory, reputational and commercial consequences.
The DORA pillars should therefore be understood by non-bank boards not as abstract compliance domains, but as practical governance mechanisms through which resilience—or fragility—becomes visible.
Pillar I – ICT risk management: when the system is the business
In non-bank institutions, ICT risk management often overlaps almost entirely with business risk management. Payments, asset servicing, trading platforms, onboarding, pricing and reporting are frequently executed through a limited number of tightly integrated systems.
From a governance perspective, this creates a fundamental challenge: there is little separation between digital failure and business failure. Unlike many banks, non-banks often cannot fall back on manual processes, branch networks or alternative channels.
Under DORA, boards are expected to ensure that ICT risk management provides insight into:
- which systems are genuinely critical to continuity,
- how failure would manifest externally,
- and where dependencies are concentrated.
A common weakness in non-banks is that ICT risk registers describe systems, but not impact. DORA implicitly requires boards to move from technical inventories to impact-driven visibility. Supervisors are less interested in how many systems exist than in whether boards understand which failures would be existential.
Pillar II – Incident management: no room for invisibility
In non-banks, ICT incidents often escalate faster and more visibly than in banks. Payment delays, failed transactions, valuation errors or platform outages immediately affect customers and counterparties. Social media and customer communication channels amplify impact.
DORA treats incidents as governance events. For non-banks, this has particular implications:
- escalation thresholds must be realistic,
- board awareness must be timely,
- and response must consider reputational and regulatory impact, not just technical recovery.
A recurring governance failure in non-banks is the tendency to treat incidents as “operational noise” if systems are restored quickly. DORA challenges this mindset. Even short-lived incidents may reveal structural weaknesses in architecture, outsourcing or decision-making.
Boards are expected to ensure that incident reviews go beyond root cause analysis and address governance questions: Why was this dependency accepted? Why was impact underestimated? Why did escalation occur—or not occur—when it did?
Pillar III – Digital resilience testing: assumptions without buffers
Testing under DORA is often most confronting for non-banks, precisely because assumptions are less protected by buffers. Many non-banks assume that:
- recovery times are achievable,
- providers will perform as contracted,
- data integrity will be maintained under stress.
Testing frequently reveals that these assumptions are optimistic.
From a governance perspective, test outcomes are not technical failures; they are decision signals. They indicate whether current operating models remain defensible given actual resilience capabilities.
Boards of non-banks are expected to engage actively with testing results, even where testing programmes are proportionate in scale. Repeated findings without follow-up are particularly problematic, as they suggest tolerance of known weaknesses rather than conscious risk acceptance.
DORA does not require every non-bank to run the most demanding forms of testing: threat-led penetration testing (TLPT) is reserved for financial entities identified by their competent authority. It does require a proportionate testing programme for what matters, and it requires boards to govern the results.
Pillar IV – Third-party risk: the central non-bank vulnerability
For non-banks, ICT third-party risk is often the dominant governance challenge under DORA. Many non-banks rely on:
- a single core platform,
- one or two cloud providers,
- specialised service providers with limited substitutes.
These dependencies are structural, not incidental.
DORA makes clear that outsourcing does not dilute responsibility. Boards remain accountable for resilience outcomes even where they have limited operational control. For non-banks, this creates a governance tension: dependence is high, exit options are limited, and negotiating power may be weak.
Supervisors do not expect non-banks to eliminate these dependencies. They do expect boards to:
- understand the dependency,
- assess concentration risk realistically,
- acknowledge limits of exit strategies,
- and manage residual risk transparently.
A non-bank board that claims full control where none exists is likely to face greater scrutiny than a board that openly documents constraints and mitigation.
Pillar V – Information sharing: visibility without exposure
Information sharing under DORA is often perceived as less relevant for non-banks. This is a mistake. Non-banks are often early indicators of emerging digital vulnerabilities precisely because they operate at the edge of innovation and real-time processing.
Participation in controlled information-sharing arrangements enhances sector-wide resilience and supports supervisory confidence. For non-banks, it also serves as a governance signal: willingness to learn from others and contribute to collective stability.
Boards should view this pillar not merely as an obligation (the information-sharing arrangements in DORA are voluntary), but as an opportunity to reduce blind spots in environments where internal visibility may be limited.
Lean governance structures and DORA oversight
Many non-banks operate with lean governance structures: small boards, limited committees and informal reporting lines. DORA does not prohibit this. It does, however, require that governance remains effective and demonstrable.
Where structures are lean, boards must compensate with:
- clarity of roles,
- explicit decision documentation,
- regular engagement with digital risk topics.
DORA does not mandate bureaucracy. It mandates accountability. Supervisors increasingly accept simple governance models where they can see that boards genuinely understand and govern digital resilience.
The core message of Part II
For non-banks, the DORA pillars operate without the protective buffers often present in banks. Digital failures translate more directly into business, regulatory and reputational consequences. This makes governance quality—not organisational size—the decisive factor.
In Part III, the focus will shift to:
- proportionality without complacency,
- documentation as evidence of governance maturity,
- the evolving role of non-bank boards,
- and how DORA reshapes supervisory dialogue for non-banks.
Read more from ESMA: Why is DORA needed?
Part III – Proportionality, governance maturity and supervisory accountability
Proportionality without complacency
For non-bank financial institutions, proportionality is both an opportunity and a risk. DORA explicitly allows governance arrangements to be tailored to the size, nature and complexity of the institution. This flexibility is essential for a diverse sector that ranges from small payment institutions to global asset managers and insurers.
At the same time, proportionality is the area where governance failures most frequently emerge. Non-banks often interpret proportionality as permission to remain informal, under-documented or lightly governed. DORA rejects that interpretation. Proportionality affects how governance is organised, not whether it exists.
Supervisors assess proportionality by examining actual digital dependency and potential impact. A small institution that operates a real-time, customer-facing platform may face stricter governance expectations than a larger institution with limited digital criticality. Boards must therefore be able to explain why their governance arrangements are appropriate to their specific risk profile.
Proportionality that is implicit, assumed or undefended quickly becomes a supervisory concern.
When lean governance becomes fragile governance
Many non-banks pride themselves on lean governance. Flat structures, rapid decision-making and limited bureaucracy are often seen as competitive advantages. Under DORA, these features can become vulnerabilities if they are not accompanied by governance discipline.
Lean governance becomes fragile when:
- decisions are made without documented rationale,
- risk acceptance is implicit rather than explicit,
- responsibility is blurred between founders, executives and boards,
- reliance on third parties is not actively overseen.
DORA exposes these weaknesses by requiring traceability. Supervisors are not interested in whether governance is lightweight; they are interested in whether it is effective. Where structures are lean, boards must compensate with clarity, consistency and engagement.
In practice, this often requires a cultural shift. Non-bank boards accustomed to advisory roles must step more firmly into oversight. DORA accelerates the professionalisation of governance across the non-bank sector.
Documentation as proof of governance maturity
For non-banks, documentation under DORA often represents the most visible change. Many institutions operate with limited formal documentation beyond regulatory minimums. DORA raises expectations by treating documentation as evidence of governance maturity.
Effective documentation does not mean extensive paperwork. It means that key decisions can be reconstructed:
- What digital risks were identified?
- Which options were considered?
- Why was a particular approach chosen?
- How was follow-up ensured?
Boards that document these elements demonstrate control, even where resources are limited. Boards that cannot produce such evidence leave supervisors to infer that governance is weak or absent.
In supervisory assessments, the absence of documentation is rarely interpreted as efficiency. It is interpreted as a lack of oversight.
Demonstrable control in the absence of buffers
Unlike banks, many non-banks operate with much thinner prudential buffers, such as capital or liquidity cushions, that can absorb shocks. This makes demonstrable control over digital resilience even more important.
Supervisors therefore look closely at whether non-bank boards:
- engage actively with incident reviews,
- challenge optimistic recovery assumptions,
- ensure that test findings lead to change,
- understand the limits of third-party control.
Formal compliance—policies, frameworks, contracts—is not sufficient. DORA requires evidence that governance functions under stress. Institutions that experience incidents but respond transparently and learn structurally often fare better than those that claim to be incident-free but cannot demonstrate resilience.
The evolving role of non-executive directors
Non-executive directors play a critical role in non-bank DORA governance. In many non-banks, boards are relatively small and non-executives may have limited technical background. DORA does not require them to become technologists, but it does expect members of the management body to keep their knowledge of ICT risk up to date, including through regular training, so that they can exercise informed challenge.
Key questions for non-executive directors include:
- Which digital dependencies are most critical to continuity?
- Where are we overly reliant on specific providers?
- How confident are we in recovery and exit assumptions?
- What have we learned from recent incidents or tests?
Non-executives who engage actively with these questions strengthen governance credibility. Those who rely solely on management assurances risk being perceived as passive under DORA scrutiny.
Read more on this in: Board Dynamics: Non-Executive vs Independent Directors.
DORA in supervisory dialogue for non-banks
DORA reshapes supervisory dialogue for non-banks in subtle but significant ways. Discussions increasingly focus on governance behaviour rather than technical detail. Supervisors ask:
- How does the board oversee digital resilience?
- How are trade-offs between growth and resilience made?
- How are third-party dependencies governed?
- How does the institution respond when assumptions fail?
Non-banks that can articulate a coherent governance narrative—consistent across board minutes, policies and supervisory interactions—are perceived as mature, even where resources are constrained. Those that rely on fragmented explanations or fintech rhetoric are not.
DORA therefore rewards clarity over sophistication. Boards that understand their limitations and govern transparently are better positioned than those that claim control they do not have.
DORA as a catalyst for governance professionalisation
For many non-banks, DORA represents a turning point. It forces institutions to move beyond founder-led, intuition-driven governance towards more structured oversight. This shift can be uncomfortable, but it also brings benefits.
Clear governance of digital resilience:
- improves decision quality,
- reduces supervisory friction,
- strengthens stakeholder trust,
- and enhances long-term sustainability.
Institutions that treat DORA as a governance framework rather than a compliance burden often emerge stronger, more credible and more resilient.
Something similar has happened, on a voluntary basis, in respect of accountability for the Report of the Managing Directors; see this blog: IFRS Practice Statement 1 Management Commentary.
Final conclusion – governance without labels
DORA ultimately dismantles the idea that governance expectations can be inferred from institutional labels. “Non-bank” does not mean “low risk”, and “fintech” does not mean “light governance”.
Digital operational resilience is now a defining governance responsibility for all financial institutions. For non-banks, the absence of buffers and the intensity of digital dependency make this responsibility even more immediate.
DORA places accountability where it belongs: with the board. Institutions that accept this reality and govern accordingly will not only comply with regulation, but will also build resilience that supports sustainable growth in an increasingly digital financial system.
Also read this blog: Building Embedded Analytics In-House: A Governance Roadmap for CFOs and Data Leaders.
FAQs – DORA non-bank governance
FAQ 1 – Why does DORA apply fully to non-bank financial institutions?
DORA applies to non-bank financial institutions because digital operational resilience is not linked to banking status, but to digital dependency and potential impact. Many non-banks operate highly digital, real-time and customer-facing services where ICT systems are essential to continuity.
Payment institutions, electronic money institutions, asset managers and insurers often rely almost entirely on digital platforms and third-party providers. When these systems fail, there is little or no operational fallback. Disruption therefore translates immediately into service failure, regulatory exposure and reputational damage.
DORA reflects this reality by applying the same governance principle to all financial entities: the board is responsible for digital operational resilience. Proportionality allows flexibility in how governance is organised, but it does not reduce accountability. Non-bank institutions with high digital dependency are therefore fully within DORA’s governance scope.
FAQ 2 – What are board responsibilities under DORA for non-banks?
Under DORA, boards of non-bank financial institutions are responsible for governing digital operational resilience as a core organisational risk. This includes understanding digital dependencies, overseeing outsourcing arrangements and ensuring that incidents and weaknesses are addressed structurally.
Boards are not required to manage ICT operations or become technical experts, although DORA does expect management body members to maintain sufficient knowledge of ICT risk, including through regular training. They are required to exercise informed oversight. This means asking how digital risks affect continuity, customer trust and regulatory compliance, and ensuring that decisions are documented and followed up.
In many non-banks, DORA represents a shift from advisory governance to active oversight. Supervisors assess whether boards genuinely understand how the institution operates digitally, not whether they approve policies in principle.
FAQ 3 – How does proportionality work for non-banks under DORA?
Proportionality under DORA allows non-banks to tailor governance structures to their size and complexity, but it does not permit informality or reduced responsibility. Boards remain fully accountable for digital operational resilience regardless of institutional scale.
Supervisors assess proportionality based on actual digital dependency and potential impact. A small but fully digital payment institution may face higher governance expectations than a larger firm with limited digital criticality.
Boards must be able to explain why their governance arrangements are appropriate, how risks are consciously accepted and how oversight is maintained. Proportionality that is implicit or undocumented quickly becomes a supervisory concern.
FAQ 4 – Why is third-party risk central to DORA governance for non-banks?
For many non-banks, third-party ICT providers are critical to daily operations. Core platforms, cloud services and specialised vendors often have no immediate substitutes. This creates structural dependency and concentration risk.
DORA makes clear that outsourcing does not transfer responsibility. Boards remain accountable for resilience outcomes even where operational control is limited. Supervisors expect boards to understand dependencies, assess lock-in risk realistically and document residual risks transparently.
Governance maturity is demonstrated not by claiming full control, but by acknowledging constraints and managing them consciously. For non-banks, third-party risk is often the most scrutinised aspect of DORA.
FAQ 5 – How are ICT incidents assessed for non-banks under DORA?
In non-banks, ICT incidents often escalate rapidly and visibly. Payment failures, platform outages or data issues immediately affect customers and counterparties. DORA treats such incidents as governance events rather than technical disruptions.
Boards are expected to ensure that incident escalation works in practice, that impact is assessed beyond technical metrics and that lessons lead to structural improvement. Even short-lived incidents may reveal governance weaknesses.
Supervisors pay close attention to how boards engage with incidents, particularly whether follow-up actions are tracked and implemented. Efficient recovery without governance involvement is unlikely to satisfy DORA expectations.
FAQ 6 – How does DORA affect supervisory dialogue for non-banks?
DORA reshapes supervisory dialogue by focusing on governance behaviour rather than technical detail. Supervisors ask how boards oversee digital resilience, how trade-offs are made and how dependencies are managed.
Non-banks that can articulate a coherent governance narrative—consistent across board discussions, documentation and supervisory meetings—are perceived as mature. Institutions that rely on fintech rhetoric or fragmented explanations face increased scrutiny.
DORA therefore rewards clarity, transparency and governance discipline. Boards that understand their digital operating reality and govern accordingly strengthen both resilience and supervisory trust.
