§What DORA requires
Source: Regulation (EU) 2022/2554 — Digital Operational Resilience Act for the financial sector — accessed 2026-05-11.
Jurisdiction. Applies to 21 categories of EU financial entities (banks, payment institutions, e-money institutions, investment firms, crypto-asset service providers, etc.) and to ICT third-party service providers designated as critical by the European Supervisory Authorities. Entered into force 16 January 2023; applies from 17 January 2025.
Personal data definition. DORA is not a data-protection regulation per se — it does not define personal data. Its scope is the ICT of financial entities: information and communication technology systems, their resilience, and the third parties that provide ICT services to them.
Key requirements relevant to mobile analytics. ESMA highlights five core areas: (1) a framework setting principles and requirements on ICT risk management; (2) mitigation of ICT third-party risk with key contractual provisions; (3) an operational resilience testing programme including advanced threat-led penetration testing for the largest entities; (4) management of ICT-related incidents with mandatory notification of major ones and significant cyber threats to competent authorities; and (5) an oversight framework for ICT third-party providers designated as critical.
⚑Where mobile analytics typically creates exposure for fintech & mobile banking apps
For a mobile-banking, payments, or crypto-asset app that is itself a regulated financial entity (or a critical ICT third-party provider to one), an analytics SDK is part of the ICT estate that has to meet DORA's risk-management, incident-reporting, and third-party oversight obligations. The conventional pattern of 'add an SDK from a US vendor and let them store events with little scrutiny' does not match the third-party-risk standard DORA introduces.
Fintech apps process account numbers, transaction amounts, merchant categories, card last-four, IBANs, transfer recipients, and KYC documents. Many also log credit-score read events, loan-application data, and balance snapshots.
Account credentials paired with security codes are sensitive personal information under CPRA. Account numbers and full PANs are personal data under GDPR Art. 4(1) and trigger the PCI-DSS data flow obligations regardless of jurisdiction. Even transaction descriptions can reveal special-category information (e.g., merchant names tied to health, religion, or politics).
▸What Respectlytics's design does (technical facts)
Respectlytics is not your payments processor or your transaction store. It tracks product signals — transfer_initiated, card_added, investment_purchase_completed — without per-event amounts, account numbers, or merchant descriptions. The authoritative financial data lives in your payments backend; product analytics tells you the funnel rate, not the dollar values.
Reduces the surface. Removing the surface where the categories covered by DORA could be collected in the first place narrows what a DORA review needs to scope. Whether the resulting posture meets the regulation's requirements for your specific app is something to discuss with your legal team.
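The design described above (named product signals accepted, identifying and per-event financial fields rejected at the API rather than stored) can be illustrated with a schema-enforced ingestion validator. The following is an added example written for this page; it is not Respectlytics code, and the event schema, property names, permitted values and sample events are constructed assumptions. Only the three event names come from the text.

```python
"""Allowlist-based event validation for a product-analytics ingest endpoint.

Accepts only known event names with categorical property values, and rejects
(rather than silently strips) anything shaped like an amount, IBAN or card PAN.
Illustrative code for this page, not the vendor's implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any

# Constructed schema: event name -> property name -> permitted categorical values.
# The three event names appear on the page; properties and the fourth event are hypothetical.
EVENT_SCHEMAS: dict[str, dict[str, set[str]]] = {
    "transfer_initiated": {"transfer_type": {"domestic", "sepa", "international"}},
    "card_added": {"card_kind": {"debit", "credit", "prepaid"}},
    "investment_purchase_completed": {"asset_class": {"equity", "bond", "fund"}},
    "login_succeeded": {"method": {"password", "biometric", "passkey"}},
}

# Value shapes that indicate a financial identifier was placed in a field.
# Checked on every string, so a client cannot pass an IBAN as "transfer_type".
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")
AMOUNT_RE = re.compile(r"(?:[$€£]\s?\d+(?:[.,]\d{2})?)|(?:\b\d+[.,]\d{2}\s?(?:EUR|USD|GBP|CHF)\b)")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def identifier_hits(text: str) -> list[str]:
    """Name every identifier shape found in a string value."""
    hits = []
    if IBAN_RE.search(text):
        hits.append("iban")
    if any(luhn_valid(run) for run in DIGIT_RUN_RE.findall(text)):
        hits.append("pan")
    if AMOUNT_RE.search(text):
        hits.append("amount")
    return hits


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def validate_event(event: dict[str, Any]) -> Verdict:
    """Reject any event outside the allowlisted schema; never strip fields quietly."""
    reasons: list[str] = []
    name = event.get("event")
    schema = EVENT_SCHEMAS.get(name)
    if schema is None:
        return Verdict(False, [f"event not in allowlist: {name!r}"])
    for key, value in (event.get("properties") or {}).items():
        allowed = schema.get(key)
        if allowed is None:
            reasons.append(f"property not in schema for {name}: {key!r}")
            continue
        if isinstance(value, bool) or not isinstance(value, str):
            # Numeric values are how per-event amounts and balances leak in.
            reasons.append(f"non-categorical value for {key!r}: {type(value).__name__}")
            continue
        for hit in identifier_hits(value):
            reasons.append(f"{hit}-shaped value in {key!r}")
        if value not in allowed:
            reasons.append(f"value for {key!r} outside permitted set")
    return Verdict(not reasons, reasons)


# Constructed sample payloads: two clean signals and five that carry financial detail.
SAMPLE_EVENTS = [
    {"event": "transfer_initiated", "properties": {"transfer_type": "sepa"}},
    {"event": "transfer_initiated", "properties": {"transfer_type": "sepa", "amount": 1250.00}},
    {"event": "transfer_initiated", "properties": {"transfer_type": "DE89370400440532013000"}},
    {"event": "card_added", "properties": {"card_kind": "4111111111111111"}},
    {"event": "purchase_at_merchant", "properties": {"merchant": "St. Mary's Clinic"}},
    {"event": "investment_purchase_completed", "properties": {"asset_class": "fund"}},
    {"event": "investment_purchase_completed", "properties": {"asset_class": "fund 250.00 EUR"}},
]


def triage(events: list[dict[str, Any]]) -> tuple[int, int, list[Verdict]]:
    """Return (accepted count, rejected count, per-event verdicts)."""
    verdicts = [validate_event(e) for e in events]
    accepted = sum(v.accepted for v in verdicts)
    return accepted, len(verdicts) - accepted, verdicts


if __name__ == "__main__":
    ok, bad, verdicts = triage(SAMPLE_EVENTS)
    print(f"accepted={ok} rejected={bad}")
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        if not v.accepted:
            print(ev["event"], "->", "; ".join(v.reasons))
```

Two design points matter for a DORA-style review: the schema is an allowlist (an unknown event or property is a rejection, not a warning), and rejection happens before anything is written, so the data store never holds a field that later has to be found and deleted. The shape checks on string values are a second layer for values smuggled into otherwise permitted keys; they catch common formats, not every encoding.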
❓Frequently asked questions
Does DORA apply to our app?
DORA applies to financial entities listed in Article 2 (banks, payment institutions, investment firms, crypto-asset service providers, etc.) operating in the EU, and to ICT third-party service providers designated as critical by the European Supervisory Authorities. Whether your specific app falls into any of those categories is a fact-specific question for your legal team.
Does using an analytics SDK count as 'ICT third-party risk' under DORA?
If your app is a financial entity in scope of DORA, any third-party service that processes data for ICT functions of your business is within the third-party risk framework — including contractual provisions, monitoring, and exit strategies. Reducing the number and complexity of those third parties is one way to keep that surface manageable.
Does using Respectlytics by itself resolve DORA obligations for our fintech & mobile banking app?
No — and no analytics SDK can credibly answer that question. Whether your product meets DORA's requirements is a property of your whole product, contracts, and operational practice, evaluated by your legal team. Respectlytics's contribution is a smaller data surface: identifying fields and the regulation's special categories are rejected at the API. Whether that posture, combined with your other controls, satisfies DORA for your specific app is a conversation for your counsel.
What if we already use a different analytics SDK today?
The starting point is an inventory of what your current SDK actually collects and where it sends it. Our privacy self-assessment worksheet walks through that in seven sections — it outputs an educational summary you can bring to your legal team.