The European Commission first proposed the Digital Operational Resilience Act (DORA) in Autumn 2020. The Council of the European Union and the European Parliament formally adopted the legislation in November 2022. DORA entered into force on January 16th, 2023, and its legal implementation deadline is January 17th, 2025.
DORA isn’t only designed to reduce financial crime; the Act will also help regulators identify and investigate financial crime more effectively. Its legal framework is designed to enhance the operational resilience of all digital service providers, including payment service providers (PSPs), that operate in the European Union (EU). The Act aims to ensure the continuity, security, and stability of digital services, particularly in critical sectors such as finance, by addressing operational risks such as cyber threats, system failures, and operational disruptions. This framework will have significant implications for global PSPs with clients in Europe, as it will require them to strengthen their operational resilience capabilities, comply with regulatory requirements, and adapt their business practices to mitigate operational risks effectively.
Scope and Objectives of DORA:
DORA affects a broad range of digital service providers, including PSPs, cloud service providers, online marketplaces, and social networks operating within the EU market. The framework aims to achieve the following objectives:
- Enhance Operational Resilience: DORA requires financial service providers to prevent and respond effectively to various operational risks, including cyber-attacks, system failures, and other disruptions, by implementing robust cybersecurity measures, business continuity plans, and incident response procedures to minimize the impact of disruptions on the provision of digital services.
- Protect Consumer Interests: DORA aims to protect consumer interests. This involves ensuring payment service availability, reliability, and security by preventing disruptions, data breaches, and unauthorized access to sensitive customer information, thereby maintaining trust and confidence in digital service providers.
- Promote Market Stability: DORA seeks to promote market stability by reducing the risk of systemic failures or disruptions that could have widespread implications for the economy, the financial system, and society. It does this by having industry stakeholders, regulatory authorities, and other relevant parties collaborate to identify and address systemic risks in the digital ecosystem.
DORA’s Main Pillars
Digital service providers, including PSPs, must adhere to the framework’s requirements to remain compliant. Some of DORA’s main pillars are:
- Operational Risk Management: DORA requires PSPs to implement robust operational risk management practices to identify, assess, mitigate, and monitor operational risks effectively. This involves conducting regular risk assessments, establishing risk management frameworks, and implementing controls and safeguards to mitigate operational risks.
- Cybersecurity Measures: DORA mandates PSPs to implement robust cybersecurity measures to protect their digital infrastructure, systems, and data from cyber threats and attacks. This includes implementing technical controls, such as firewalls, encryption, and intrusion detection systems, as well as organizational measures, such as employee training, incident response plans, training programs for risk professionals, and security awareness programs. Regular testing of the operational stability and security of critical ICT systems is essential for the seamless functioning of financial businesses. A risk-based testing approach is required to detect and address potential ICT disruptions.
- Business Continuity Planning: DORA requires digital service providers to develop and maintain robust business continuity plans to ensure the continuity of critical services in the event of disruptions or emergencies. This involves identifying critical business functions, establishing recovery objectives and strategies, and regularly testing and updating business continuity plans to ensure their effectiveness.
- Incident Reporting and Response: DORA mandates digital service providers to establish incident reporting and response procedures to promptly detect, report, and respond to security incidents, operational disruptions, and other events that could impact the provision of digital services. This involves establishing incident response teams, implementing incident detection and monitoring mechanisms, and coordinating with relevant stakeholders, including regulatory authorities and law enforcement agencies.
- Contracts: DORA sets rules for contractual standards when outsourcing to critical ICT third-party providers (CTTPs). This will require many contracts to be rewritten or even renegotiated to ensure that security and risk management standards are enumerated and enforced. Existing contracts should be reviewed based on each third-party provider’s impact on critical business services. Once third-party provider contracts have been assessed, they must be modified and supporting procedures implemented to ensure DORA compliance.
Implications for all PSPs that operate in the EU Market:
Payment service providers that operate in the EU will be significantly impacted by the implementation of DORA.
Key implications of DORA for PSPs that operate in the EU include:
- Compliance Requirements: PSPs will need to ensure compliance with the regulatory requirements set forth in DORA, including operational risk management, cybersecurity measures, business continuity planning, and incident reporting and response procedures. This may involve implementing new policies, procedures, and controls to meet DORA’s requirements and undergoing regulatory assessments and audits to demonstrate compliance.
- Investment in Operational Resilience: PSPs will need to invest in enhancing their operational resilience capabilities to mitigate operational risks effectively and ensure the continuity and security of their payment services. This may involve investing in cybersecurity technologies, upgrading infrastructure and systems, enhancing incident response capabilities, and strengthening business continuity planning processes.
- Collaboration with Stakeholders: To address operational risks and promote market stability effectively, PSPs will need to collaborate with industry stakeholders, regulatory authorities, and other relevant parties. This may involve sharing threat intelligence, best practices, and lessons learned, participating in industry working groups and forums, and engaging in dialogue with regulators and policymakers to shape the development and implementation of DORA.
- Enhanced Consumer Protection: Compliance with DORA will contribute to enhanced consumer protection by safeguarding the continuity, security, and integrity of payment services provided by global PSPs to their clients in Europe. This will help maintain trust and confidence in digital service providers and ensure that consumers can access reliable and secure payment services without disruption.
Immediate Recommended Steps to Meet DORA Compliance:
PSPs must map and identify their critical business services. They must identify those services that are most vulnerable to cyber-attacks and data breaches in order to protect consumers, merchants, and the financial markets in which they operate. This implies three lines of defense (business, risk, and compliance), which will guarantee a perfect alignment between a PSP’s operational resilience capabilities and its risk and audit functions.
- Perform a gap analysis: Assess your organization’s current maturity level in terms of governance, risk management, and compliance with existing policies and standards.
- Develop a roadmap: Identify the priorities and efforts required to meet DORA requirements and create a robust strategy for the operational resilience of digital systems.
- Align governance and practices: Ensure that the institution’s governance and operational practices align with the pillars of resilience outlined in DORA.
- Monitor regulatory updates: Keep abreast of new regulatory technical standards (RTS) and implementing technical standards (ITS) that may be established by regulators during the implementation period.
Non-Compliance with DORA
Failure to comply with the Digital Operational Resilience Act (DORA) after January 2025 can pose significant risks for PSPs operating in the European Union (EU). These risks can have legal, financial, reputational, and operational consequences for the PSP. Some of the key risks include:
- Regulatory Sanctions and Penalties: Non-compliance with DORA may result in regulatory sanctions and penalties imposed by EU supervisory authorities, such as fines and enforcement actions. The severity of penalties can vary depending on the nature, scale, and impact of the non-compliance, and penalties may be imposed on both the PSP and its senior management.
- Disruption of Operations: Failure to comply with DORA can lead to disruptions in the PSP’s operations, including service outages, system failures, and cyber incidents. These can impact the availability, reliability, and security of payment services provided to European customers, resulting in financial losses, reputational damage, and loss of customer trust and confidence.
- Legal Liability and Litigation: Non-compliance with DORA may expose the PSP to legal liability and litigation from affected customers, business partners, and other stakeholders who may suffer damages because of operational disruptions, data breaches, or other incidents attributable to the PSP’s non-compliance. This can result in costly legal proceedings, settlements, and damages awards.
- Reputational Damage: Non-compliance with DORA can damage the PSP’s reputation and credibility among customers, regulators, investors, and other stakeholders, leading to loss of business and negative publicity. Reputational damage can have long-term consequences for the PSP’s market position, customer relationships, and competitive advantage.
- Loss of Market Access: Non-compliance with DORA may lead to loss of market access and business opportunities in the EU, as regulators, business partners, and customers may prefer to engage with compliant PSPs that demonstrate a commitment to operational resilience, cybersecurity, and consumer protection. This can result in decreased market share, revenue losses, and diminished growth prospects for the PSP.
- Market Exclusion and Loss of Clients: Non-compliance with DORA may result in market exclusion and loss of clients, particularly high-risk merchants who require PSPs to demonstrate robust operational resilience and compliance with regulatory requirements. High-risk merchants operate in industries such as online gaming, adult entertainment, and cryptocurrency, where regulatory scrutiny is already high, so any association with a non-compliant PSP may expose them to reputational damage and further scrutiny. Persistent non-compliance with DORA may ultimately lead to exclusion from the EU market, as regulators may revoke the PSP’s authorization to operate in the EU or impose other restrictive measures to protect consumers and maintain market stability. This can have serious consequences for the PSP’s ability to conduct business in the EU and may require costly remediation efforts to regain market access.
Therefore, it is imperative for PSPs to proactively invest in enhancing their operational resilience capabilities, complying with regulatory requirements, and mitigating the risks associated with non-compliance with DORA to safeguard their business operations and reputation in the EU.
Anticipate DORA and Improve Your Competitive Advantage
Global PSPs that proactively invest in enhancing their operational resilience capabilities before the January 2025 deadline will gain a competitive advantage by demonstrating their commitment to cybersecurity, operational excellence, and consumer protection. This helps differentiate them from competitors and attract clients who prioritize security, reliability, and trustworthiness in their choice of payment service provider. By proactively investing in operational resilience, enhancing cybersecurity measures, and prioritizing consumer protection, global PSPs can effectively navigate the challenges posed by DORA and build trust amongst their clients.
This article has been written by @SandeCopywriter on behalf of Segpay Europe.
If you have any questions related to DORA, please do not hesitate to contact our experts via [email protected]