DORA National Competent Authorities: Selected Jurisdiction Guides for EU Fintechs
Selected DORA jurisdiction guides for EU fintechs: national competent authorities, in-scope entity types, ICT incident reporting framing and 2026 evidence.
In this article ↓
- Short answer
- NCAs vs the European Supervisory Authorities (ESAs)
- What DORA topics usually involve the NCA
- DORA competent authorities by selected jurisdiction
- How to identify the right DORA authority
- What to verify before a DORA filing
- Entity type map for fintech teams
- How to use these guides
- Common NCA mapping mistakes
- DORA NCA FAQ
- Related DORA reading
- Primary sources
Short answer
A National Competent Authority (NCA) is the financial-sector supervisor designated by an EU Member State to supervise institutions in scope of EU financial regulation — including DORA. NCAs receive major ICT-related incident notifications, the Register of Information for ICT third-party arrangements, and supervisory evidence on ICT risk, resilience testing and operational continuity. The exact authority depends on the Member State and on the entity type (banking, payments, securities, insurance, crypto-asset services).
This hub covers selected CyAdviso priority jurisdictions for fintechs, listed in the table below. It is not a complete directory of every EU Member State.
NCAs vs the European Supervisory Authorities (ESAs)
NCAs are national supervisors. They are the day-to-day point of contact for a regulated financial entity. The European Supervisory Authorities — EBA (banking, payments), ESMA (securities, MiCA / CASPs), EIOPA (insurance) — coordinate convergence across the Union, draft technical standards (RTS / ITS) under DORA, and run the Joint Examination Teams that may engage with critical ICT third-party providers under the DORA oversight framework. Financial entities report to and engage with the NCA; the ESAs set the supervisory rulebook.
What DORA topics usually involve the NCA
- Major ICT-related incident reporting — initial notification, intermediate update and final report (DORA Article 19).
- Register of Information — ICT third-party arrangements (DORA Article 28), with extended content for arrangements supporting critical or important functions.
- ICT third-party risk and outsourcing evidence — Article 30 contractual provisions, concentration analysis, exit strategies.
- Resilience evidence — annual testing programme (Article 25), and threat-led penetration testing every three years for entities identified by the competent authority under Article 26.
- Supervisory reviews and RFIs — ad hoc requests on governance, controls, after-action reports, board oversight.
DORA competent authorities by selected jurisdiction
| Jurisdiction | Primary DORA competent authority | Authority split? | Guide |
|---|---|---|---|
| Cyprus | CBC | Yes | Cyprus guide → |
| Denmark | Finanstilsynet | No | Denmark guide → |
| Estonia | Finantsinspektsioon | No | Estonia guide → |
| France | ACPR | Yes | France guide → |
| Germany | BaFin | No | Germany guide → |
| Ireland | Central Bank of Ireland | No | Ireland guide → |
| Italy | Banca d'Italia | Yes | Italy guide → |
| Latvia | Latvijas Banka | No | Latvia guide → |
| Lithuania | Lietuvos bankas | No | Lithuania guide → |
| Luxembourg | CSSF | Yes | Luxembourg guide → |
| Malta | MFSA | No | Malta guide → |
| Netherlands | DNB | Yes | Netherlands guide → |
| Poland | KNF | No | Poland guide → |
| Spain | Banco de España | Yes | Spain guide → |
| Sweden | Finansinspektionen | No | Sweden guide → |
How to identify the right DORA authority
The right reporting authority is usually the supervisor that already owns the entity's licence. A payment institution normally starts with the payments supervisor. An e-money institution starts with the EMI supervisor. A CASP starts with the authority responsible for MiCA authorisation. An insurer starts with the insurance supervisor. In some Member States this is one integrated authority. In others, supervision is split by licence type.
Do not assume that a group-level parent, outsourcing hub or technology provider decides the filing route. DORA reporting follows the regulated financial entity and the competent authority for that entity. For cross-border fintech groups, each licensed entity should confirm its own NCA route, even when the incident, provider or platform is shared across the group.
What to verify before a DORA filing
Before submitting a major ICT-related incident notification or Register of Information package, check the local authority page for four items. First, confirm whether the authority has published a national reporting portal or interim mailbox. Second, check whether the local authority asks for a specific template, file format or naming convention. Third, confirm whether the filing language is fixed or whether English is accepted. Fourth, keep evidence of the submission route used, because supervisors may later ask how the entity determined that the filing was complete.
The EU technical standards create common structure, but the operating channel is still local. This is why the safest workflow is to keep a short NCA evidence note in the DORA operating model. The note should state the authority, the source URL, the date checked, the reporting channel found, and the person responsible for rechecking it before any live filing.
Entity type map for fintech teams
| Entity type | Typical NCA route | DORA evidence to prepare |
|---|---|---|
| Payment institution or EMI | Payments / banking supervisor | Incident classification, outsourcing register, ICT risk controls |
| CASP authorised under MiCA | MiCA / securities or integrated financial supervisor | ICT risk framework, incident process, critical provider mapping |
| Investment firm | Securities or integrated financial supervisor | Operational resilience testing, third-party risk evidence |
| Insurance undertaking | Insurance supervisor | BCDR evidence, ICT continuity tests, incident escalation records |
| Bank or credit institution | Banking supervisor or integrated financial supervisor | Board oversight, ICT risk appetite, TLPT readiness where applicable |
How to use these guides
Each country page covers the local competent authority structure, in-scope entity types, the safe-wording incident-reporting framing, the Register of Information position, jurisdictional nuances and an evidence checklist tailored for fintech SMBs. Where a Member State splits supervision across more than one authority (for example the Netherlands twin-peaks model, or the Cyprus split between CBC, CySEC and the Superintendent of Insurance), the page identifies the relevant authority by entity type and links to all of them.
Local reporting channels, templates and submission instructions should be verified on the competent authority website before filing. We deliberately do not invent local portal URLs or deadlines.
Common NCA mapping mistakes
- Treating the group headquarters authority as the filing authority for every licensed subsidiary.
- Assuming that a CASP, EMI and investment firm in the same country always use the same reporting route.
- Using an old outsourcing-notification mailbox for DORA incident reporting without checking whether the authority has opened a newer channel.
- Preparing the Register of Information centrally, but failing to reconcile it with the local licence perimeter and authority expectations.
- Saving only the submitted file, not the evidence of where and when the submission route was verified.
DORA NCA FAQ
Does DORA create one EU-wide reporting portal?
No. DORA creates a common EU framework, but financial entities still interact with their competent authority. The local channel, portal, mailbox or interim process should be checked on the authority website before filing.
Can a fintech use the same DORA evidence pack in every country?
The core evidence can be reused, but each licensed entity needs a local wrapper: authority, entity perimeter, reporting route, local language expectations and licence-specific responsibilities.
Who should own the NCA mapping internally?
Compliance usually owns the authority relationship, while security or ICT risk owns the incident facts and technical evidence. The operating model should make the handover explicit before an incident happens.
Related DORA reading
- DORA Incident Reporting — 4-hour / 72-hour / 1-month timeline
- DORA Register of Information — complete guide
- DORA BCDR — Articles 11–12 roadmap for 2026
- DORA requirements — 2026 status check
- Comprehensive DORA guide for fintech SMBs