DORA National Competent Authorities: Selected Jurisdiction Guides for EU Fintechs
Selected jurisdiction guides for DORA reporting and evidence at national competent authorities (NCAs): authority structure, scope and verification links.
Short answer
A National Competent Authority (NCA) is the financial-sector supervisor designated by an EU Member State to supervise institutions in scope of EU financial regulation — including DORA. NCAs receive major ICT-related incident notifications, the Register of Information for ICT third-party arrangements, and supervisory evidence on ICT risk, resilience testing and operational continuity. The exact authority depends on the Member State and on the entity type (banking, payments, securities, insurance, crypto-asset services).
This hub currently covers selected CyAdviso priority jurisdictions for fintechs: Cyprus, Denmark, Estonia, Germany, Ireland, Latvia, Lithuania, Luxembourg, Malta, the Netherlands and Sweden. It is not a complete directory of every EU Member State.
NCAs vs the European Supervisory Authorities (ESAs)
NCAs are national supervisors. They are the day-to-day point of contact for a regulated financial entity. The European Supervisory Authorities — EBA (banking, payments), ESMA (securities, MiCA / CASPs), EIOPA (insurance) — coordinate convergence across the Union, draft technical standards (RTS / ITS) under DORA, and run the Joint Examination Teams that may engage with critical ICT third-party providers under the DORA oversight framework. Financial entities report to and engage with the NCA; the ESAs set the supervisory rulebook.
What DORA topics usually involve the NCA
- Major ICT-related incident reporting — initial notification, intermediate update and final report (DORA Article 19).
- Register of Information — ICT third-party arrangements (DORA Article 28), with extended content for arrangements supporting critical or important functions.
- ICT third-party risk and outsourcing evidence — Article 30 contractual provisions, concentration analysis, exit strategies.
- Resilience evidence — annual testing programme (Article 25), and threat-led penetration testing every three years for entities identified by the competent authority under Article 26.
- Supervisory reviews and RFIs — ad hoc requests on governance, controls, after-action reports, board oversight.
DORA competent authorities by selected jurisdiction
| Jurisdiction | Primary DORA competent authority | Authority split? | Guide |
|---|---|---|---|
| Cyprus | CBC | Yes | Cyprus guide → |
| Denmark | Finanstilsynet | No | Denmark guide → |
| Estonia | Finantsinspektsioon | No | Estonia guide → |
| Germany | BaFin | No | Germany guide → |
| Ireland | Central Bank of Ireland | No | Ireland guide → |
| Latvia | Latvijas Banka | No | Latvia guide → |
| Lithuania | Lietuvos bankas | No | Lithuania guide → |
| Luxembourg | CSSF | Yes | Luxembourg guide → |
| Malta | MFSA | No | Malta guide → |
| Netherlands | DNB | Yes | Netherlands guide → |
| Sweden | Finansinspektionen | No | Sweden guide → |
How to use these guides
Each country page covers the local competent authority structure, in-scope entity types, the safe-wording incident-reporting framing, the Register of Information position, jurisdictional nuances and an evidence checklist tailored for fintech SMBs. Where a Member State splits supervision across more than one authority (for example the Netherlands twin-peaks model, or the Cyprus split between CBC, CySEC and the Superintendent of Insurance), the page identifies the relevant authority by entity type and links to all of them.
Local reporting channels, templates and submission instructions should be verified on the competent authority website before filing. We deliberately do not invent local portal URLs or deadlines.
Related DORA reading
- DORA Incident Reporting — 4-hour / 72-hour / 1-month timeline
- DORA Register of Information — complete guide
- DORA BCDR — Articles 11–12 roadmap for 2026
- DORA requirements — 2026 status check
- Comprehensive DORA guide for fintech SMBs