Skip to main content
DORA Auditor

DORA for Payment & E-Money Institutions

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

Payment institutions and electronic money institutionsare within DORA's scope under Article 2. Given how ICT-dependent payments are, DORA's incident-reporting and resilience-testing pillars are especially material. DORA has applied since 17 January 2025.

Payments are ICT-critical by nature

For payment and e-money firms, availability and integrity of ICT systemsis the service. That makes the incident-reporting and resilience-testing pillars the sharpest edges of DORA compliance.

Interaction with PSD2 reporting

DORA harmonises major-ICT-incident reporting that previously overlapped with PSD2 operational and security incident reporting, reducing duplicate channels for in-scope events.

Third-party concentration

Payment firms often depend heavily on a few processors and cloud providers, so the register of information and concentration-risk analysis deserve early attention.

Frequently asked questions

Are e-money institutions covered by DORA?
How does DORA affect PSD2 incident reporting?
What should a payment institution prioritise?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. European Banking Authority, DORA