Join
1
0 Comments

Resilience Is a Feature. Why the Best Dev Teams Are Building for Compliance from Day One.

by Daan Hoekstra

I used to think compliance was something you bolted on later. Ship fast, validate the idea, figure out the legal stuff when enterprise starts knocking.

That mental model is expensive. I know because I watched it cost a friend's fintech startup six months and a mid-five-figure legal bill to untangle, right before a Series A. The product was good. The architecture was a mess from a compliance standpoint. And the investors saw it immediately.

The teams I respect most now treat resilience the same way they treat security: not as a layer you add, but as something you design into the system before you write the first route handler.

Here is why that shift matters more than ever, and what it actually looks like in practice.

The Regulation That Changed the Calculation

If you are building anything in fintech or selling tools to financial companies in Europe, you have probably heard of DORA by now. The Digital Operational Resilience Act came into full effect on January 17, 2025 and it is the most significant shift in how the EU thinks about ICT risk in a generation.

The short version: every financial entity operating in the EU, plus every ICT provider supplying them, must now demonstrate that their systems can withstand cyberattacks, outages, and disruptions. Not just say they can. Demonstrate it, document it, and report on it.

The penalty for getting it wrong is not a slap on the wrist. Non-compliance fines can reach 2% of total global annual turnover or EUR 10 million, whichever is higher. Critical third-party ICT providers face daily fines of up to 1% of average daily worldwide turnover for up to six months. Senior managers can face personal fines of up to EUR 1 million.

For Dutch businesses specifically, the picture is even more layered. DNB and AFM are both active supervisors under DORA, and the obligations cascade down from financial entities to their software vendors. What DORA means for Dutch financial institutions and their ICT providers is not a theoretical question anymore. It is an operational one, with real audit trails, real incident reporting timelines, and real board-level accountability.

The part most indie builders miss: DORA applies even if you are not a financial company yourself. If you offer digital infrastructure or applications to financial firms in the EU, you are likely in scope, even if your business is based outside the EU. A SaaS tool serving a Dutch payment processor. A monitoring platform used by a German bank. A data pipeline that feeds into a French insurer's reporting layer. All of these can drag you into DORA's third-party vendor obligations.

And by late 2025, the first list of designated Critical Third-Party Providers was published. AWS, Google Cloud, Microsoft, Oracle, SAP. The list will be updated annually, and providers not currently named could appear on future lists as their customer base grows. If you are building something that financial institutions depend on, this is your competitive landscape.

Why "Bolt It On Later" Fails Every Time

The "we will fix compliance when we need to" approach has the same flaw as the "we will add tests later" approach. The longer you wait, the more it costs.

IBM's Systems Sciences Institute research, cited across decades of software engineering literature, found that the cost to fix a defect after release is four to five times more expensive than fixing it during design, and the cost compounds at every stage of the development lifecycle. Compliance debt works the same way. Every route you build without an audit log, every data flow you create without a documented third-party dependency, every incident you handle without a runbook is technical debt with a regulatory interest rate attached.

Integrating compliance checks into early stages of the SDLC reduces remediation costs by up to 60% compared to retrofitting them later. That number tracks with what engineers who have lived through compliance retrofits will tell you. Rewriting your logging layer after the fact touches every service. Documenting your vendor dependencies after you have fifteen of them is a month-long archaeology project. Adding proper incident classification to an existing pipeline requires rethinking your observability stack from the ground up.

In 2025, most fintech founders say that complex paperwork and compliance checks, not competitors, are the biggest reasons their product launches get delayed. That delay almost always traces back to the same root cause: compliance was treated as a phase, not a property.

What "Compliance from Day One" Actually Looks Like

This is not about becoming a lawyer or drowning in frameworks. It is about four concrete engineering practices that future-proof your architecture without slowing down your shipping speed.

1. Audit Trails as Default, Not Add-On

Every meaningful action in your system should produce a structured log entry. Who did what, to what, when, from where, and what the system state was before and after. This is not just good engineering. Under DORA and most financial compliance frameworks, it is mandatory.

The trap is treating logging as a debugging tool and audit trails as a compliance deliverable. They are the same thing if you set it up right from the start. A structured log that includes user ID, entity ID, action type, timestamp, and diff is useful for debugging, for customer support, for incident investigation, and for a regulatory audit. Build it once.

Tools like structured logging with a consistent schema (Datadog, CloudWatch, Loki) and immutable append-only stores for sensitive operations give you this essentially for free if you wire them in from the beginning. Retrofit them into an existing system and you are looking at weeks of work and probably a few subtle regressions.

2. Incident Response as a Product Requirement

DORA enforces incident reporting obligations on financial entities and their ICT providers, requiring timely and standardized reporting of ICT-related incidents. The timelines are strict: initial notification within four hours of classifying an incident as major, intermediate reports within 72 hours, final reports within a month.

What that means in practice: you need a runbook before you need an incident. You need to know, before something breaks at 2am, who gets paged, what the classification criteria are, what gets reported to the customer, and what gets reported to regulators. That is not something you can write in the middle of an outage.

The teams that handle incidents well are not necessarily the teams with the most sophisticated tooling. They are the teams that decided upfront what a P1 looks like versus a P2, what the communication protocol is, and who owns what. Write that down now. It is a one-day investment that pays off the first time something breaks.

3. Third-Party Dependency Documentation

DORA requires financial entities to maintain a register of all their ICT third-party arrangements. If your product sits in that supply chain, your customers will ask you for information that feeds into their register. Contracts, SLAs, subprocessors, data flows, geographic locations of data processing.

The best time to document your third-party dependencies is when you add them. A simple internal document that tracks every external service you use, what data it touches, what your contractual relationship is, and what your exit plan would be if they disappeared takes fifteen minutes per dependency when you add it and half a year to reconstruct when an enterprise customer's procurement team asks for it.

Institutional clients will naturally prefer partners that already offer vendor-risk mapping, audit trails, and DORA-style incident reporting by default. That preference is becoming a contract requirement. Being the vendor who already has this documentation ready is a sales advantage, not just a compliance one.

4. Resilience Testing Built Into CI/CD

DORA requires regular digital resilience testing, including threat-led penetration testing for significant entities. But even before you get to that level, the basics matter: chaos engineering, load testing, failover testing, backup restoration testing.

McKinsey reports that companies using DevSecOps have ramped up from quarterly to weekly or even daily releases without raising their risk profile. The mechanism is integrating security and resilience checks into the pipeline itself, not running them as a separate quarterly event.

A pipeline that automatically checks for dependency vulnerabilities, runs security linting, and validates that your disaster recovery backup actually restores is a pipeline that builds institutional confidence. Over 60% of services with more than 300 dependencies have at least one critical vulnerability. The question is whether you find it in CI or in a regulatory audit.

The Business Case Nobody Talks About

Here is the thing that compliance-as-a-chore framing misses entirely: this stuff is a sales asset.

A robust compliance function signals maturity, resilience, and being built for scale. Enterprise and institutional customers do their due diligence before signing contracts. They ask about your uptime history, your incident response process, your subprocessors, your data residency, your vendor risk documentation. The vendor who answers all of that in one clean document wins deals faster than the vendor who has to go away and compile it.

Financial institutions won't touch vendors who can't demonstrate rock-solid data protection. Your compliance posture directly impacts your ability to land enterprise deals and expand internationally. That is not a compliance team talking. That is a sales outcome.

During fundraising, the same dynamic plays out. A well-organized compliance function reduces red flags in due diligence. Investors who have seen deals fall apart over regulatory gaps in the data room recognize the signal when a team has its documentation in order.

Industry surveys at the end of 2025 showed that only around 50% of financial institutions considered themselves fully compliant with DORA's requirements. Gaps were particularly common in resilience testing, third-party contract remediation, and incident classification. If you are in that supply chain as a vendor, half of your potential customers are actively trying to plug those gaps. The vendor who is already DORA-ready is the vendor who closes.

Where to Actually Start

The biggest mistake is treating this as a project with a start and end date. It is not. It is a set of defaults you decide on early so that every feature you ship inherits them.

In practical terms:

Start with logging. Before you ship anything else, decide on your log schema and make it immutable. Every action gets a structured entry. Route it somewhere searchable and durable from day one.

Write your first runbook this week. It does not need to be perfect. It needs to exist. Who gets called when the database goes down? What is the customer communication template? Where is the incident log? That document gets better over time. Without it, every incident is improvisation.

Audit your third-party dependencies today. Open a spreadsheet, list every external service your product touches, note what data it sees, what your contract is, and what your plan is if they go offline. Block an afternoon and do it once. Keep it updated as you add services.

Make resilience testing part of your definition of done. Before a feature ships, ask whether there is an audit trail for it, whether there is a failure mode that has been thought through, and whether it introduces new external dependencies that need to be documented.

None of this requires a compliance team. It requires a decision, made early, that resilience is a property of the system and not a checklist item at the end.

The teams building products that survive the enterprise sales process, the regulatory audit, and the 2am outage are not necessarily the teams with the best features. They are the teams that decided early that resilience was part of the product.

That decision is available to anyone. The question is whether you make it before or after something expensive happens.

Avatar for Daan Hoekstra Daan Hoekstra
posted to Icon for group Developers
Developers
 on May 25, 2026
Say something nice to daanhoekstra…
Post Comment
Trending on Indie Hackers
30 days ago I posted here with $0 revenue. Here's what actually happened next. User Avatar 148 comments I used $30,983 of AI tokens last month in Claude code on $200/mo plan User Avatar 90 comments my reddit post got 600K+ views. here's exactly what i did User Avatar 58 comments How to spot high-intent customers in 5 minutes, for free. User Avatar 44 comments Fixing broken scrapers instead of working on my actual product. So I made it my problem. User Avatar 37 comments I Built a Habit Tracker SaaS Alone in 6 Weeks (No CS Degree, No Team). Here's Exactly How User Avatar 37 comments