
Payments in 2026 #4 – Operational resilience

This year regulators will start using new powers to make sure that the payments sector is ready to withstand disruption.

Putting DORA into practice

EU firms have spent the last few years getting ready for the Digital Operational Resilience Act. Now that DORA applies, attention turns to how regulators will supervise and enforce the regime. This includes scrutinising reports of incidents and reviewing contracts with tech providers. Meanwhile, the European Banking Authority will update its outsourcing guidelines. The EBA has suggested that they should apply to all third-party arrangements other than those covered by DORA.

The UK regulators are looking to add to their operational resilience regime. Under proposed new rules, firms will need to assess operational incidents against certain thresholds and submit regulatory reports within a set timetable (in addition to incident reporting under payment services legislation). Firms would also need to keep a register of information about their material third-party arrangements.

Regulators will use their operational resilience policy to keep an eye on how firms are managing all kinds of technology risks, including those relating to AI, cyber and quantum computing. The EU and UK will supplement these rules with updates to their cybersecurity laws and through regulator-led initiatives.

Date for the diary: Q2 2026 – Bank of England and Prudential Regulation Authority to consult on ICT and cyber risk management and resilience.

This is the fourth in a series of blog posts looking at the outlook for payments regulation in the UK and EU. Read our Payments Outlook 2026 for more.
