With the full implementation of the Digital Operational Resilience Act (DORA) on January 17, 2025, crowdfunding platforms operating under the European Crowdfunding Service Providers Regulation (ECSPR) are now required to adopt stringent cybersecurity and operational resilience measures. This marks a significant step towards enhancing the protection of investors, safeguarding project owners, and securing the broader crowdfunding ecosystem. Let’s explore the key impacts for investors and project owners alike, and what these changes mean for the platforms you trust.
For Investors:
- Improved Security – With DORA’s comprehensive cybersecurity framework now fully in effect, crowdfunding platforms must implement advanced risk management measures to safeguard your personal and financial data. These platforms are legally bound to reduce the risks of data breaches and cyberattacks, ensuring that your information is kept secure and protected from evolving digital threats.
- Faster Incident Response – Should any cybersecurity incident occur, crowdfunding platforms are now legally required to notify you of major disruptions within four hours, and minor incidents within 24 hours. This quick-response requirement ensures that you’re always in the loop, and no threat to your investments goes unnoticed for too long.
- More Transparency – Transparency is a cornerstone of DORA. Platforms are mandated to release detailed incident reports whenever a major security incident takes place, outlining what went wrong, the steps taken to mitigate damage, and the measures implemented to prevent future occurrences. This enables you to stay informed and understand exactly how platforms manage cybersecurity risks.
- Higher Accountability – If a platform fails to meet DORA’s rigorous standards, National Competent Authorities (NCAs) have the power to impose severe penalties. These penalties include administrative fines (up to EUR 5 million or 10% of annual turnover) and other sanctions. As a result, platforms are held to high standards of operational resilience and cybersecurity, ensuring your investments are well-protected.
How Investors Can Identify Safe Platforms Under DORA
As DORA becomes fully applicable to crowdfunding platforms, it’s essential for investors to understand how to verify a platform’s compliance. Here are some ways to ensure the platform you’re using meets the necessary security standards:
- Check for DORA Compliance – Look for platforms that actively disclose their adherence to DORA. Professional platforms will explicitly state that they comply with DORA’s regulations, outlining the cybersecurity measures and risk management frameworks they have in place. Some platforms may even provide a certification of compliance.
- Consult National Competent Authorities (NCAs) – NCAs are the regulatory bodies tasked with enforcing DORA’s requirements. They oversee the compliance of crowdfunding platforms with the law. Investors should consult NCA websites or reports to check the status of specific platforms. NCAs may provide lists or publish reports on platforms that have successfully met DORA’s standards.
- Review Transparency Reports – Platforms subject to DORA must provide transparency reports that detail how they handle cybersecurity risks and how they respond to incidents. These reports will be key for investors to assess a platform’s resilience and readiness to manage cyber disruptions.
- Monitor Platform Communication – Under DORA, crowdfunding platforms must notify users promptly (within 4 hours) of any major cybersecurity incident. Investors should pay attention to how quickly and transparently platforms communicate incidents. A platform that is proactive and clear in its communication is one you can trust.
- Look for Cybersecurity Certifications – Professional crowdfunding platforms may seek external cybersecurity certifications to demonstrate their commitment to DORA compliance. Certifications from recognized bodies can provide additional assurance that a platform meets the highest cybersecurity standards.
- Ask Questions – Don’t hesitate to contact platforms directly and inquire about their DORA compliance status. Platforms serious about cybersecurity will be open and willing to share information about their incident response plans, risk management frameworks, and overall security posture.
For Project Owners:
- Increased Investor Confidence – Crowdfunding platforms that comply with DORA’s stringent security and resilience standards offer project owners a competitive edge. Investors will feel more confident knowing their investments are protected by robust cybersecurity measures. This heightened sense of security can lead to more investments in your project.
- Better Protection for Your Data – DORA ensures that platforms will protect your sensitive project data, business plans, and financial details against cybersecurity threats. Your project’s intellectual property is safer than ever, making the crowdfunding process more secure for both you and your investors.
- Resilience in Crisis Situations – One of the key requirements of DORA is mandatory resilience testing and third-party risk management. These measures ensure that platforms are well-prepared to handle any cybersecurity disruption, from major system failures to targeted cyberattacks. With these frameworks in place, your campaign will run smoothly, even if a crisis arises.
- Quicker Incident Resolution – DORA’s incident reporting requirements ensure that both investors and project owners are informed promptly if an issue occurs. In the event of a cybersecurity disruption, platforms are required to act quickly and resolve problems efficiently, minimizing delays or disruptions to your crowdfunding campaign.
The Platform’s Responsibility
Crowdfunding platforms operating under ECSPR are now legally required to adopt comprehensive ICT risk management frameworks. These frameworks must include incident reporting, resilience testing, third-party risk management, and constant threat monitoring. Such measures ensure that crowdfunding campaigns are more secure and resilient, benefiting both investors and project owners.
The Role of National Competent Authorities (NCAs) under DORA
National Competent Authorities (NCAs) are at the forefront of enforcing DORA’s regulations across the EU. Their key responsibilities include:
- Supervision and Enforcement: NCAs monitor crowdfunding platforms to ensure compliance with DORA’s stringent requirements. They conduct inspections and audits and enforce penalties for non-compliance.
- Penalties for Non-Compliance: If a platform fails to meet DORA’s standards, NCAs can impose significant penalties, including administrative fines, suspending managerial positions, and even criminal sanctions. This provides investors and project owners with an added layer of protection, as non-compliant platforms face serious consequences.
- Support for Platforms: NCAs also provide guidance to crowdfunding platforms, helping them understand and implement DORA’s complex requirements. This ensures that platforms can effectively meet DORA’s standards while maintaining operational integrity.
- Reporting and Transparency: NCAs may release reports detailing the state of cybersecurity resilience within the crowdfunding sector. These reports provide further transparency for investors and project owners.
In Summary:
DORA’s full applicability to crowdfunding platforms marks a significant advancement in the cybersecurity and operational resilience of the industry. For investors, it means enhanced security, quicker incident responses, and greater transparency. For project owners, it offers improved investor confidence and better protection for sensitive data. Platforms now face mandatory cybersecurity frameworks, ensuring a safer and more reliable crowdfunding environment.
Both investors and project owners can feel confident knowing that National Competent Authorities are actively enforcing DORA’s provisions, holding platforms accountable to high cybersecurity standards. By staying informed and ensuring platforms comply with these regulations, you can more safely navigate the crowdfunding ecosystem—whether you’re investing or raising funds.
Make sure to always choose ECSPR-licensed crowdfunding platforms to ensure your investments and projects are fully protected under DORA’s new requirements. In some EU member states you can still find grey capital market operators and unlicensed platforms offering “crowdinvesting” or similarly named services under obscure national rules that do not offer professional protection.