Proportionate DORA compliance for lean, ECSPR-authorised crowdfunding platforms.
Crowdfunding service providers authorised under Regulation (EU) 2020/1503 (ECSPR) are financial entities within the scope of DORA from 17 January 2025. Because the platform itself is the entire service, ICT resilience is not a back-office concern for a CSP, it is the core of the business model: if the platform is down, no investment offers can be made, no investors can be onboarded, and no funds can flow to project owners.
The good news is that DORA is explicitly proportionate. The overwhelming majority of CSPs are microenterprises or small firms, and most qualify for the simplified ICT risk management framework set out in Article 16 of DORA. The challenge is translating a regulation written with large banks in mind into a workable, affordable programme for a team that may number a dozen people, all while keeping the platform available and investor data secure.
DORA applies to crowdfunding service providers as defined in and authorised under ECSPR (Regulation (EU) 2020/1503), per Article 2(1)(p) of DORA. However, Article 16 provides a simplified ICT risk management framework for entities that are small, non-interconnected investment firms, small or micro CSPs, and similar smaller players, meaning most CSPs apply a lighter-touch regime rather than the full Article 5 to 15 governance stack. Firms must nonetheless self-assess against the proportionality criteria and document why the simplified framework applies, since size, risk profile and the nature of services determine eligibility.
DORA layers on top of, and does not replace, the operational and organisational requirements that CSPs already meet under ECSPR Articles 4 to 12 (sound governance, business continuity, conflicts of interest, and the use of third parties). Most CSPs do not hold client funds directly and rely on an authorised payment service provider or e-money institution to execute investor payments, so PSP dependency becomes a critical ICT third-party relationship that must be mapped and contractually managed under DORA. Platform availability, the integrity of the bulletin board, and accurate processing of investment commitments are where ECSPR conduct duties and DORA resilience obligations most clearly converge.
For a CSP the website or app is the entire service offering, so uptime and recovery objectives sit at the heart of DORA Article 16 obligations. An outage during an active offer can stop investment commitments, freeze the bulletin board, and trigger conduct issues under ECSPR. Set realistic RTO and RPO targets and test that the hosting and CDN configuration can meet them.
The entry-knowledge test, appropriateness assessment and AML or KYC checks under ECSPR run through ICT systems that must be resilient and protected under DORA. A failure or compromise here can let unsuitable investors through or expose identity documents. Treat the onboarding pipeline as a high-criticality function in your asset and risk inventory.
Because most CSPs route investor funds through an authorised PSP or e-money institution rather than holding them, that provider is a key ICT third-party service supporting a critical function. Map this dependency, ensure the contract carries DORA-compliant clauses (audit, sub-outsourcing, exit, incident notice), and understand what happens to in-flight investments if the PSP suffers an outage.
DORA expects ICT business continuity and response-and-recovery plans, but for a small CSP these must be proportionate and genuinely usable by a handful of people. Document who does what when the platform fails, including key-person backups, and avoid plans that assume a 24x7 operations centre you do not have. A short, tested, role-based plan beats a 60-page document nobody can execute.
CSPs hold sensitive personal and financial data on retail and sophisticated investors and on project owners. DORA Article 16 requires protection and prevention measures (access control, encryption, backups) that also reinforce GDPR obligations. A breach of investor data is both a DORA-relevant ICT incident and a personal-data breach, so align your detection and notification workflows across both regimes.
Lean CSPs typically run on cloud infrastructure and SaaS tooling rather than owned data centres, which concentrates risk in a few critical providers. DORA requires a register of information on all ICT third-party arrangements and a pre-contractual risk assessment, even under the simplified framework. Identify which providers support critical or important functions and ensure exit and portability are realistic.
Everything tailored to your sector, ready to use on day one.
Yes. DORA applies to all crowdfunding service providers authorised under ECSPR, regardless of size and regardless of whether you hold client funds, because the regulation targets ICT risk rather than balance-sheet risk. What changes with size is the intensity of obligations: most small CSPs qualify for the simplified ICT risk management framework under Article 16 rather than the full regime. So the answer is that DORA applies, but proportionately.
Article 16 replaces the detailed Article 5 to 15 governance and risk-management architecture with a lighter, principle-based set of duties: maintaining a sound ICT framework, identifying and protecting key assets, detecting anomalous activity, having business continuity and recovery measures, and learning from incidents. You still need governance accountability, a third-party register and incident handling, but you do not need the full-scale threat-led penetration testing, dedicated control functions, or the depth of documentation expected of large banks. The framework must remain proportionate to your size, risk profile and the nature of your services.
For a microenterprise CSP the main cost is staff time to document and operationalise the simplified framework rather than expensive tooling, because much of what DORA requires (backups, access control, a continuity plan, third-party contracts) overlaps with existing ECSPR and GDPR obligations you already meet. Budget for an initial gap assessment, updating your key cloud and PSP contracts with DORA clauses, and an annual review and incident-response test. A focused programme reusing existing controls is far cheaper than building from scratch.
Almost certainly not. TLPT under DORA Articles 26 and 27 is reserved for entities identified by authorities as significant from an ICT and systemic perspective, which excludes the typical small or micro CSP. You do still owe proportionate digital operational resilience testing under the simplified framework, meaning periodic vulnerability assessments and reviews appropriate to your size, but not the full TIBER-EU style red-team exercise.
Your PSP or e-money partner is an ICT third-party provider supporting a critical function (investor payments), so it must appear in your register of information and be covered by a contract with the required DORA provisions on access, audit, incident notification, sub-outsourcing and exit. You should also assess concentration risk and understand the PSP's own resilience, because an outage on their side directly halts investor fund flows on your platform. Engage them early, as many PSPs are updating contracts sector-wide.
Your national competent authority (NCA), the same body that authorised you under ECSPR, is responsible for supervising your DORA compliance, with ESMA playing a coordinating and standard-setting role at EU level and maintaining the public ECSPR register. There is no separate DORA licence; supervision is integrated into the existing ECSPR relationship with your NCA. Expect DORA matters, including your register of information and incident reporting, to be handled through that authority.
Start free: check your DORA scope, run a gap analysis, or estimate implementation cost. Need the full risk view? See the Risk Assessment Toolkits or compare all kits. All prices exclude VAT; an EU VAT invoice is issued at checkout. Professional templates, not legal advice.
Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.