2024 is the year of DORA. With less than twelve months before the Digital Operational Resilience Act starts to apply, payments firms in the EU will need to accelerate their plans for implementation.
First, the good news…
Payment institutions and e-money institutions are not starting from scratch when it comes to DORA. Several aspects of DORA will be familiar thanks to existing rules that already apply to payment service providers under PSD2. For example:
- DORA’s incident reporting regime is inspired by the corresponding rules under PSD2.
- PSD2 requires payments firms to have security controls and policies which cover the software and IT systems they use. These can be leveraged for DORA.
- Implementing the European Banking Authority's outsourcing guidelines was painful, but payments firms can draw on that experience when tackling the contractual requirements under DORA, many of which overlap with the EBA’s guidelines.
- Firms with authorised payment service providers in both the UK and EU may be able to leverage some of the work they have done to implement the FCA's operational resilience regime.
On the other hand…
Payments firms should not be lulled into a false sense of security. For example:
- Payments firms will need to rework their incident reporting. DORA’s regime is not limited to ICT-related incidents: for payment service providers it also covers operational or security payment-related incidents, whether or not they have an ICT cause. All such incidents will need to be handled under DORA’s incident management process, and major ones reported to the competent authority under its reworked regime.
- DORA focuses on ICT risk management practices and controls. Existing policies might be a helpful place to start but will likely need to be revised to reflect DORA’s remit.
- DORA goes further than existing expectations for outsourcing. Payments firms must maintain a register of information covering all their contractual arrangements for the use of ICT services provided by ICT third-party service providers. Firms may also need to amend these contractual arrangements to make sure they comply with DORA, such as its requirements on subcontracting of ICT services.
This is just the tip of the iceberg. As well as repapering some contracts, DORA compliance requires a lot of potentially new internal documentation to be drawn up and packaged into an ICT risk management framework which is available to regulators on request.
Many payments firms have a good story to tell when it comes to bouncing back from operational disruption. The challenge will be presenting this in a way which meets DORA’s new, higher and more prescriptive standards.
Date for the diary: 17 January 2025 – DORA starts to apply.
This is the first in a series of five blogposts looking at the outlook for payments regulation in the EU and UK. Read the Fintech and Payments section of our Financial Regulation Legal Outlook 2024 for more.