DORA’s New Rules for EU Payments Firms: Here’s what you need to know
The Digital Operational Resilience Act (DORA) is here, ushering in a new era for EU payments firms and reshaping how the financial sector safeguards its digital operations. From ICT risk management to third-party oversight, this regulation is designed to fortify the sector against cyber threats and operational disruptions.
But what does this mean for payments companies, and how can they navigate these changes without losing momentum?
A unified approach to resilience
DORA replaces the patchwork of national and sectoral rules that previously governed ICT and operational risk across the EU financial sector. For payments firms and fintechs operating in several member states, that means one framework and one set of rules: simpler compliance, and more room to focus on growth.
But DORA isn’t just about ticking boxes to meet compliance. It’s about being proactive with risk management. Strengthened ICT frameworks and incident response plans reduce downtime during disruptions, fostering trust and positioning companies as dependable partners. Moreover, third-party risk management is a cornerstone of the regulation. Given the reliance on external providers for cloud services, fraud prevention, and cybersecurity, DORA’s stricter oversight of ICT third-party providers, from mandatory contractual provisions and a register of all ICT contracts to a Union-level oversight framework for providers designated as critical, requires firms to know and control the risk those partnerships bring.
And when it comes to protecting data, DORA takes things up a notch. Its ICT risk-management requirements explicitly call for policies on encryption and cryptographic controls for data at rest, in transit and in use, and complementary techniques such as data tokenisation help firms protect sensitive data (for example, card numbers) while maintaining compliance and reducing risk exposure.
Building on existing standards
DORA doesn’t reinvent the wheel – it builds on existing frameworks like the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR). For instance, PSD2’s focus on secure transactions complements DORA’s broader mandate of ensuring the infrastructure behind these transactions can withstand disruptions.
Crucially, DORA integrates various aspects of operational resilience under one umbrella. It harmonises the reporting of major ICT-related incidents and formalises (voluntary) cyber threat information-sharing arrangements, encouraging collaboration between financial entities to address emerging cyber threats. By addressing supply chain vulnerabilities and ensuring single points of failure are mitigated, DORA represents a significant evolution in EU cybersecurity standards.
Preparing for compliance
DORA entered into force on 16 January 2023, but the real pressure is now, as the regulation applies from 17 January 2025. Whether companies are putting the final pieces in place or catching up after the deadline, the focus should be on closing any remaining gaps in their compliance plans, looking at:
- ICT risk management: Companies need robust testing schedules, incident response plans, and accurate reporting systems. Securing non-production environments is equally vital, as testing systems often hold copies of production data; that data should be masked or tokenised, and test environments should be segregated and access-controlled like production.
- Third-party oversight: Contracts with external providers must include clear terms around service levels, data access, and audits to ensure compliance.
- Gap analysis and testing: For firms with certifications like ISO 27001, the groundwork may already be in place. However, DORA demands more frequent resilience testing (an annual testing programme covering all critical ICT systems and, for firms designated by their competent authority, threat-led penetration testing at least every three years) and stricter third-party oversight.
Those that view DORA as an opportunity to strengthen operations rather than a box-ticking exercise will be better positioned for long-term success; the end-user benefits too, which in turn drives customer loyalty.
Lessons from recent disruptions
High-profile incidents like the July 2024 CrowdStrike outage have shown just how important robust ICT frameworks are. A faulty content update to the CrowdStrike Falcon endpoint sensor crashed roughly 8.5 million Windows systems worldwide; it was not an attack, but its effect on airlines, banks and payment systems was indistinguishable from one. The episode revealed the risks of over-reliance on a single external provider and of updates reaching production without staged rollout, and it is a sobering reminder of how quickly things can go wrong when there’s a weak link in your supply chain.
DORA aims to address these vulnerabilities head-on by emphasising shared responsibility. Payments firms can’t just cross their fingers and hope their providers have it all under control. It’s trust, but verify: testing, monitoring, contractual exit and substitution plans, and planning for “what if” scenarios.
Beyond the EU: global implications
DORA’s impact extends beyond the EU, particularly for firms based outside it, such as those in the UK or in the non-EU Nordic countries, Norway and Iceland. Companies providing services within the EU or partnering with EU-based entities must align with DORA to maintain those connections, and non-EU ICT providers serving EU financial entities will find DORA’s contractual and audit requirements flowing down to them.
Adopting DORA-level controls can also give firms a competitive edge, even in domestic markets. A centralised compliance strategy that bridges regional differences ensures consistency and reduces inefficiencies.
A new standard for digital resilience
DORA positions the EU as a leader in financial cybersecurity, offering a unified framework that simplifies cross-border operations and strengthens partnerships. While regions like the UK and US adopt sector-specific or piecemeal approaches, DORA’s comprehensive model sets a new benchmark.
Ultimately, the regulation’s success hinges on industry adoption. Companies that embrace DORA as a catalyst for operational strength and adaptability will not only meet regulatory requirements but also set themselves apart in an increasingly competitive landscape, enabling them to focus on delivering a much better customer experience.