§What DORA requires
Source: Regulation (EU) 2022/2554 — Digital Operational Resilience Act for the financial sector — accessed 2026-05-11.
Jurisdiction. Applies to 21 categories of EU financial entities (banks, payment institutions, e-money institutions, investment firms, crypto-asset service providers, etc.) and to ICT third-party service providers designated as critical by the European Supervisory Authorities. Entered into force 16 January 2023; applies from 17 January 2025.
Personal data definition. DORA is not a data-protection regulation per se — it does not define personal data. Its scope is ICT risk at financial entities: information and communication technology systems, their resilience, and the third parties that provide ICT services to them.
Key requirements relevant to mobile analytics. ESMA highlights five core areas: (1) a framework setting principles and requirements on ICT risk management; (2) mitigation of ICT third-party risk with key contractual provisions; (3) an operational resilience testing programme including advanced threat-led penetration testing for the largest entities; (4) management of ICT-related incidents with mandatory notification of major ones and significant cyber threats to competent authorities; and (5) an oversight framework for ICT third-party providers designated as critical.
⚑Where mobile analytics typically creates exposure for crypto & web3 apps
For a mobile-banking, payments, or crypto-asset app that is itself a regulated financial entity (or a critical ICT third-party provider to one), an analytics SDK is part of the ICT estate that has to meet DORA's risk-management, incident-reporting, and third-party oversight obligations. The conventional pattern of 'add an SDK from a US vendor and let them store events with little scrutiny' does not match the third-party-risk standard DORA introduces.
Crypto apps process wallet addresses, transaction hashes, token symbols and amounts, NFT contract addresses, and on-chain holdings. Many also log fiat onramp KYC data, IP geolocation, and device fingerprints for fraud detection.
A wallet address, while pseudonymous on-chain, becomes a persistent identifier under GDPR once any link to a real-world identity exists. Fiat onramp KYC data is personal data outright. Combined with IP and device fingerprints, an analytics SDK can build a persistent profile that triggers GDPR, CCPA/CPRA, and AML/KYC concerns simultaneously.
▸What Respectlytics's design does (technical facts)
Respectlytics's API does not accept wallet addresses or transaction hashes as event parameters — those identifiers tie an event to on-chain activity. Product analytics records that a user opened the swap screen, completed an onramp, or viewed an NFT collection, without per-event identifiers linking those actions to a wallet.
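As an added illustration of what "rejected at the API" can mean in practice (this is example code written for this page, not Respectlytics's own implementation, and the field names, patterns and sample events are constructed assumptions), the validator below walks every parameter of an incoming event, rejects parameters whose name is on an identifier denylist or whose value matches an EVM-style wallet/contract address or transaction hash, and fails the whole event closed so that instrumentation bugs are reported rather than silently stripped.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the on-chain identifiers the text names. These cover
# EVM-style values only; other chains use different address formats.
EVM_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
TX_HASH_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")

# Hypothetical parameter names that carry identifiers regardless of value format.
DENYLISTED_KEYS = {
    "wallet", "wallet_address", "address", "tx_hash", "txhash",
    "transaction_hash", "contract_address",
}


@dataclass
class ValidationResult:
    event: str
    accepted: dict = field(default_factory=dict)   # dotted path -> value
    rejected: dict = field(default_factory=dict)   # dotted path -> reason

    @property
    def ok(self) -> bool:
        # Fail closed: one identifying parameter rejects the whole event.
        return not self.rejected


def _walk(value, path=""):
    """Yield (dotted_path, leaf_value) pairs for arbitrarily nested dicts/lists."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value


def _reason_for_value(value):
    """Return a rejection reason if the value itself looks like an on-chain identifier."""
    if isinstance(value, str):
        s = value.strip()
        if EVM_ADDRESS_RE.match(s):
            return "value looks like an EVM wallet/contract address"
        if TX_HASH_RE.match(s):
            return "value looks like a transaction hash"
    return None


def validate_event(name: str, params: dict) -> ValidationResult:
    """Classify every leaf parameter as accepted or rejected, checking key names and values."""
    result = ValidationResult(event=name)
    for path, value in _walk(params):
        leaf_key = re.sub(r"\[\d+\]$", "", path.split(".")[-1]).lower().replace("-", "_")
        if leaf_key in DENYLISTED_KEYS:
            result.rejected[path] = "parameter name is on the identifier denylist"
        elif (reason := _reason_for_value(value)) is not None:
            result.rejected[path] = reason
        else:
            result.accepted[path] = value
    return result


# Constructed sample events: one clean, three carrying identifiers in different ways.
SAMPLE_EVENTS = [
    ("swap_screen_opened", {"screen": "swap", "pair": "ETH/USDC"}),
    ("onramp_completed", {"provider": "example-onramp", "wallet": "0x" + "ab" * 20}),
    ("nft_collection_viewed", {"collection": "0x" + "cd" * 20, "count": 12}),
    ("tx_submitted", {"meta": {"hash": "0x" + "12" * 32}}),
]

if __name__ == "__main__":
    for name, params in SAMPLE_EVENTS:
        r = validate_event(name, params)
        status = "ACCEPT" if r.ok else "REJECT"
        print(f"{status} {name}: {r.rejected or 'no identifying parameters'}")
```

Checking values and not only key names matters: a wallet address smuggled into a field called `collection` or nested under `meta` is still an identifier, so the walk inspects every leaf. The denylist catches fields whose name signals intent even when the value format is unknown to the regexes.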
Reduces the surface. Removing the surface where the categories covered by DORA could be collected in the first place narrows what a DORA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
❓Frequently asked questions
Does DORA apply to our app?
DORA applies to financial entities listed in Article 2 (banks, payment institutions, investment firms, crypto-asset service providers, etc.) operating in the EU, and to ICT third-party service providers designated as critical by the European Supervisory Authorities. Whether your specific app falls into any of those categories is a fact-specific question for your legal team.
Does using an analytics SDK count as 'ICT third-party risk' under DORA?
If your app is a financial entity in scope of DORA, any third-party service that processes data for ICT functions of your business is within the third-party risk framework — including contractual provisions, monitoring, and exit strategies. Reducing the number and complexity of those third parties is one way to keep that surface manageable.
Does using Respectlytics by itself resolve DORA obligations for our crypto & web3 app?
No — and no analytics SDK can credibly answer that question. Whether your product meets DORA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies DORA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.