If you're a compliance officer at an E-Money Institution (EMI), you've likely spent the past year watching DORA unfold with a mix of concern and confusion. The regulation that was designed for large banks now applies to your 25-person fintech—and the compliance burden feels disproportionate.
Here's the reality: DORA does apply to you. But it also includes proportionality principles that matter. This guide explains exactly what EMIs need to know, what you're actually required to do, and how to approach compliance without the enterprise-level budget.
EMIs Are Explicitly In Scope
Let's start with the legal certainty. Under Article 2(1)(d) of DORA, the regulation applies to:
"electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC"
This is significant. DORA doesn't just cover fully licensed EMIs—it also covers exempted EMIs under the E-Money Directive (EMD2). If you're operating under an Article 9 exemption in your Member State, you're still subject to DORA.
The January 17, 2025 application date has passed. If you haven't started your DORA compliance program, you're already operating outside the regulatory framework.
What DORA Requires From EMIs
DORA establishes five pillars of digital operational resilience. For most EMIs, the practical focus areas are:
1. ICT Risk Management Framework
You must maintain a documented framework for managing ICT risks. This includes:
- Policies and procedures for ICT security
- Identification of critical assets and dependencies
- Protection measures appropriate to your risk profile
- Detection mechanisms for anomalies
- Response and recovery procedures
For smaller EMIs, this doesn't require enterprise-grade documentation. A proportionate framework scaled to your operations is acceptable.
2. ICT-Related Incident Reporting
Major ICT incidents must be reported to your competent authority within required timelines.
3. Digital Operational Resilience Testing
You must test your ICT systems. For smaller EMIs, basic testing (vulnerability assessments, scenario testing) is acceptable—not the advanced threat-led penetration testing required of larger entities.
4. Third-Party ICT Risk Management
This is where most EMIs spend the bulk of their compliance effort. You must:
- Assess and manage risks from ICT service providers
- Ensure contracts include specific DORA-required provisions
- Monitor provider performance against contractual commitments
- Maintain exit strategies for critical services
5. Register of Information (RoI)
This is the most operationally demanding requirement. You must maintain a comprehensive register of all contractual arrangements with ICT third-party service providers, and report it to your competent authority.
The Register of Information: EMI-Specific Challenges
For Payment Institutions, we covered the RoI basics in a previous guide. EMIs face similar requirements but with some specific challenges:
Common ICT Dependencies for EMIs
E-Money Institutions typically rely on more technology providers than they initially document. When building your register, consider:
- Core e-money platforms — The systems managing e-money issuance and redemption
- Card issuing infrastructure — BIN sponsorship, card production, tokenization
- Payment scheme connections — Visa, Mastercard, SEPA integration partners
- Mobile wallet infrastructure — App hosting, push notification services
- KYC/AML providers — Identity verification, transaction monitoring, screening
- Cloud infrastructure — Where your customer data and transaction records live
- Communication services — SMS gateways for OTPs, email providers
- Fraud detection systems — Often provided by specialized third parties
- Banking partners — Safeguarding account providers, correspondent banks
Each of these arrangements needs documentation in your register with contract details, criticality assessments, data locations, and subcontractor information.
The 93.5% Failure Rate and EMI Implications
The ESA dry run in 2024 found that 93.5% of financial entities had at least one data quality error in their Register of Information submissions. Only 6.5% passed all validation checks on the first attempt.
For EMIs, the most common failure points include:
LEI Validation Issues (32% of submissions)
Many smaller ICT providers serving EMIs don't have LEIs. You may need to request that providers obtain them—or document why an alternative identifier is used.
Missing Mandatory Fields (86% of all errors)
Contract start dates, end dates, SLA terms—information that exists but wasn't captured systematically. EMIs often have less formalized vendor management than banks, making this gap more acute.
Subcontractor Chain Documentation
Your card issuing partner uses a processor who uses a cloud provider who uses a data center operator. DORA wants visibility into this chain for critical services. Many EMIs discovered their providers couldn't or wouldn't provide this information.
Proportionality: What It Actually Means for Small EMIs
DORA includes proportionality principles that recognize not every financial entity is JPMorgan. Article 4 states that entities must implement requirements "taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations."
What Proportionality Covers
ICT Risk Management Documentation
A 20-person EMI doesn't need the same governance structure as a systemic bank. Your policies can be simpler, your committees smaller, your documentation less extensive—as long as they're effective for your risk profile.
Testing Requirements
Smaller entities can conduct basic testing (vulnerability assessments, scenario testing) rather than advanced threat-led penetration testing (TLPT) required of larger entities.
Governance Structures
You don't need a dedicated Chief Information Security Officer if your scale doesn't warrant it—but someone must own ICT risk.
What Proportionality Does NOT Cover
The Register of Information requirement applies regardless of size. All EMIs must maintain the register and report to their competent authority. There's no exemption for smaller entities.
All 116 validation rules apply. Your data must pass the same checks as Deutsche Bank's. The ESAs don't have a "small entity" validation tier.
Reporting deadlines are the same. You submit on the same timeline as everyone else.
Practical Steps for EMI Compliance
Step 1: Confirm Your Scope and Ownership
Verify your EMI is subject to DORA (if you're licensed or exempted under EMD2, you are). Assign clear ownership—someone needs to drive this process. For smaller EMIs, this is often the Head of Compliance or Head of Operations wearing an additional hat.
Step 2: Complete Your ICT Inventory
Before touching templates, document every technology service: list all systems, identify providers, classify which support critical functions, and gather contract documentation. Be thorough—EMIs often discover undocumented dependencies.
Step 3: Engage Your Providers
You'll need information from each ICT provider:
- Legal Entity Identifier (LEI) or alternative identifier
- Registered name and jurisdiction
- Data processing and storage locations
- Subcontractor information (for critical services)
- Contract terms including exit provisions
Start early. Providers can be slow to respond, and smaller providers may need to obtain LEIs they don't yet have.
Step 4: Assess Criticality
For each ICT service, determine:
- Does it support a critical or important function?
- What's the business impact if it fails for 4 hours? 24 hours? 7 days?
- How quickly could you substitute the service?
This assessment drives your substitutability ratings and determines reporting priority.
Step 5: Build and Validate Your Register
Populate the 15 RoI templates (B_01 through B_05 and beyond) with your gathered data. Ensure cross-references between templates are consistent—this is where many submissions fail validation.
The ESAs published 116 validation rules. Your submission must pass all of them. Common checks include:
- All mandatory fields populated
- LEIs valid and current (verify at gleif.org)
- Date formats correct (ISO 8601)
- Country codes valid (ISO 3166-1)
- Cross-template references consistent
Organizations that attended ESA guidance workshops reduced their error rates by 40%. Understanding the validation rules before you start dramatically improves success rates.
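As an added example (not the page's own code, and not ESA or DoraPass tooling), the script below runs the structural checks listed under Step 5 over a small constructed register extract: a provider table and three contractual-arrangement rows, with constructed field names standing in for the official template columns. The LEI check implements the ISO 17442 checksum (ISO 7064 MOD 97-10), which catches mistyped or fabricated identifiers offline; it does not replace confirming the LEI's registration status on gleif.org. The country list is a deliberately small subset of ISO 3166-1, and the mandatory-field set is an assumption for illustration, not the ESAs' rule set.

```python
"""Offline structural validation of a constructed Register of Information extract.

Added example: record layout, field names and sample values are constructed for
illustration and do not reproduce the ESAs' template definitions or rule ids.
"""
import datetime
import re
from typing import Dict, List, Optional, Tuple

# Partial ISO 3166-1 alpha-2 set (constructed subset; load the full list in practice).
ISO_3166_ALPHA2 = {"DE", "FR", "IE", "LT", "NL", "GB", "US", "LU", "ES", "IT"}

# Constructed fields that the example treats as mandatory on a contract row.
MANDATORY_CONTRACT_FIELDS = ("contract_ref", "provider_id", "start_date", "end_date", "data_location")

_LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")


def lei_is_valid(lei: str) -> bool:
    """ISO 17442 structural check: 18 alphanumerics plus two ISO 7064 MOD 97-10
    check digits. Letters map A=10 .. Z=35; the expanded decimal must satisfy
    n % 97 == 1. Offline only: it says nothing about GLEIF registration status."""
    if not _LEI_RE.match(lei):
        return False
    expanded = "".join(str(int(ch, 36)) for ch in lei)
    return int(expanded) % 97 == 1


def lei_check_digits(prefix: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix."""
    expanded = "".join(str(int(ch, 36)) for ch in prefix + "00")
    return f"{98 - int(expanded) % 97:02d}"


def parse_iso_date(value: str) -> Optional[datetime.date]:
    """Accept only the YYYY-MM-DD form of ISO 8601; reject locale formats like DD/MM/YYYY."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return None
    try:
        return datetime.date.fromisoformat(value)
    except ValueError:  # e.g. 2024-02-30
        return None


# Constructed provider table. The first LEI is built to pass the checksum,
# the second has deliberately wrong check digits.
PROVIDERS: List[Dict] = [
    {"provider_id": "P001", "name": "Example Card Processor GmbH", "lei": "529900TESTEMI0000118", "country": "DE"},
    {"provider_id": "P002", "name": "Example Cloud Ltd", "lei": "529900TESTEMI0000100", "country": "IE"},
]

# Constructed contractual-arrangement rows (stand-ins for a B_02-style template).
CONTRACTS: List[Dict] = [
    {"contract_ref": "C-2024-001", "provider_id": "P001", "start_date": "2024-03-01",
     "end_date": "2027-02-28", "critical": True, "data_location": "DE"},
    {"contract_ref": "C-2024-002", "provider_id": "P002", "start_date": "01/06/2024",
     "end_date": "", "critical": True, "data_location": "IE"},
    {"contract_ref": "C-2024-003", "provider_id": "P999", "start_date": "2024-07-15",
     "end_date": "2025-07-14", "critical": False, "data_location": "XX"},
]

Finding = Tuple[str, str, str]  # (record reference, rule name, detail)


def validate_register(providers: List[Dict], contracts: List[Dict]) -> List[Finding]:
    """Run the structural checks and return every finding; an empty list means clean."""
    findings: List[Finding] = []
    provider_ids = set()
    for p in providers:
        provider_ids.add(p["provider_id"])
        if not lei_is_valid(p["lei"]):
            findings.append((p["provider_id"], "LEI_CHECKSUM", f"invalid LEI {p['lei']!r}"))
        if p["country"] not in ISO_3166_ALPHA2:
            findings.append((p["provider_id"], "COUNTRY_CODE", f"unknown country {p['country']!r}"))
    for c in contracts:
        ref = c.get("contract_ref", "")
        for field in MANDATORY_CONTRACT_FIELDS:
            if not c.get(field):
                findings.append((ref, "MANDATORY_FIELD", f"{field} is empty"))
        # Date checks run only on populated fields so an empty one is reported once.
        start = parse_iso_date(c["start_date"]) if c.get("start_date") else None
        end = parse_iso_date(c["end_date"]) if c.get("end_date") else None
        if c.get("start_date") and start is None:
            findings.append((ref, "DATE_FORMAT", f"start_date {c['start_date']!r} is not ISO 8601"))
        if c.get("end_date") and end is None:
            findings.append((ref, "DATE_FORMAT", f"end_date {c['end_date']!r} is not ISO 8601"))
        if start and end and end < start:
            findings.append((ref, "DATE_ORDER", "end_date precedes start_date"))
        # Cross-template consistency: every provider referenced must exist in the provider table.
        if c.get("provider_id") and c["provider_id"] not in provider_ids:
            findings.append((ref, "CROSS_REF", f"provider_id {c['provider_id']!r} not in provider table"))
        if c.get("data_location") and c["data_location"] not in ISO_3166_ALPHA2:
            findings.append((ref, "COUNTRY_CODE", f"unknown data_location {c['data_location']!r}"))
    return findings


if __name__ == "__main__":
    for record, rule, detail in validate_register(PROVIDERS, CONTRACTS):
        print(f"{record:12} {rule:16} {detail}")
```

Run as-is, the script reports five findings: the bad LEI checksum on P002, the non-ISO start date and missing end date on C-2024-002, and the dangling provider reference and unknown country on C-2024-003, while C-2024-001 passes. Running a check like this before submission is the cheapest way to avoid the mandatory-field and cross-reference failures the dry run exposed; the live LEI status lookup and the full ESA rule set still have to be applied on top.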
Conclusion: Compliance Is Achievable at EMI Scale
DORA wasn't written with 25-person EMIs in mind, but compliance is achievable. The proportionality principles provide genuine flexibility on governance and testing. The Register of Information is the hard part—but structured processes and appropriate tooling make it manageable.
The 93.5% failure rate in the dry run shows what happens without preparation. You can be in the 6.5% that passes on the first attempt—it requires starting now, gathering data systematically, and validating before submission.
Try DoraPass Free for 14 Days
DoraPass is purpose-built for small financial entities navigating DORA compliance—including E-Money Institutions.
- Guided data entry for all 15 RoI templates
- Real-time validation against all 116 ESA rules
- Automatic LEI verification via GLEIF
- Clean xBRL-CSV export for submission
- Priced for EMIs, not enterprise: €500/year
Pass your DORA RoI. First try.