Compliance Chaos: DORA Regulation takes effect, Fintechs abandon vendor 'fragmentation'

DORA OPENAPI

DORA imposes stringent third-party risk management. Reducing the number of API vendors is becoming a legal obligation, favouring unified orchestration platforms.

"Financial institutions must first gather basic identification information to determine the type of client, geographical area, and type of service requested to perform a preliminary risk assessment."
— Sarah Jenkins
LONDON/MILAN, UNITED KINGDOM, December 12, 2025 /EINPresswire.com/ -- The period of tolerance is over. With the complete implementation of Regulation (EU) 2022/2554, better known as DORA (Digital Operational Resilience Act), the European banking technology landscape is undergoing a forced, painful restructuring. Regulators' focus has shifted drastically away from financial analysis toward technical resilience, and specifically toward Article 28, with its stringent rules on the risk management of third-party ICT service providers.

For years, Fintechs and Neobanks have built their onboarding processes in a "best-of-breed" manner, piece by piece, like Lego bricks: one provider for document OCR, another for Anti-Money Laundering (AML) checks, and yet another for facial biometrics. Today, this fragmented architecture, known technically as "API Sprawl", represents not only an integration cost but an unsustainable compliance risk.

At the heart of this proverbial nightmare lies the "outsourcing chain". Article 28, paragraph 4, and the subsequent Article 30 of DORA oblige financial institutions to monitor the entire supply chain, including subcontractors.

"Many CTOs have not yet realised the operational impact of this regulation," says Rodriguez, Senior Risk Analyst at Openapi in London. "Maintaining contracts, security audits, and risk registers for six different API providers just to verify a single user has become a bureaucratic nightmare. Under the DORA regime, every 'hop' between one service and another is a potential point of failure that must be documented and justified."

The Race for Vendor Consolidation

This has created a mass exodus toward Identity Orchestration platforms. The market is leaving the vertical "mono-product" vendors to look for infrastructure aggregators.

The sector has traditionally been dominated by vertical enterprise giants such as SumSub or Onfido; however, it is seeing new, nimbler infrastructure players emerge, such as Bureau van Dijk for the corporate side, or "developer-centric" platforms like OpenAPI.com.

"Banks are in search of 'radical simplicity'," confirms Sarah Jenkins, Technology Strategist for the Fintech sector. "Whereas traditional platforms offer complex, and often rigid, enterprise suites, an analysis of the specifications of emerging solutions, such as Full KYC modules, reveals a clear trend towards unification: a single ecosystem of endpoints aggregating document checks, liveness detection, and PEP/Sanctions screening."

This advantage is not only technical but also legal: the shift from five providers to a single "Orchestrator" reduces the auditing complexity required by DORA by 80% and greatly streamlines the compilation of the "Register of Information" required by the Supervisory Authority.

The AI Act and the Deepfake Threat

Making things even more complex is the European AI Act, which is looming large. Distinguishing real users from hyper-realistic AI-generated "deepfakes" requires Presentation Attack Detection (PAD) technologies certified to the ISO 30107-3 standard.

"It is no longer just a matter of knowing who the client is, but if the client is real," warns Elena Rinaldi, a lawyer specialising in new technology law. "Platforms that by nature do not integrate these biometric controls into the main flow expose the bank to cross-sanctions involving both DORA violations and AML deficiencies."

Conclusions: The Compliance Passport

The war of 2026 in the RegTech space will no longer be about the cost of an individual API call, where pricing is trending toward zero, but about who can offer a turnkey "compliance passport." Where the potential penalties may be as much as 2% of total global annual turnover, as in the case of specific DORA violations, relieving the financial institution of the technical burden of multi-vendor integration has become the definitive value-add. The days of assembling manually are behind us; the days of guaranteed orchestration are here.

Luca Scuriatti
Openapi Spa
+39 0651958008