DORA for Payment & E-Money Institutions
Payment institutions and electronic money institutionsare within DORA's scope under Article 2. Given how ICT-dependent payments are, DORA's incident-reporting and resilience-testing pillars are especially material. DORA has applied since 17 January 2025.
Payments are ICT-critical by nature
For payment and e-money firms, availability and integrity of ICT systemsis the service. That makes the incident-reporting and resilience-testing pillars the sharpest edges of DORA compliance.
Interaction with PSD2 reporting
DORA harmonises major-ICT-incident reporting that previously overlapped with PSD2 operational and security incident reporting, reducing duplicate channels for in-scope events.
Third-party concentration
Payment firms often depend heavily on a few processors and cloud providers, so the register of information and concentration-risk analysis deserve early attention.
Frequently asked questions
Are e-money institutions covered by DORA?
Yes. Both payment institutions and electronic money institutions are listed financial entities under Article 2.
How does DORA affect PSD2 incident reporting?
DORA provides a harmonised major-ICT-incident reporting regime that streamlines the overlap with PSD2 operational and security incident reporting.
What should a payment institution prioritise?
Incident detection and classification, a tested continuity plan, and a complete register of ICT third-party arrangements.