DORA for payment institutions and e-money issuers: operational resilience for transaction flows, safeguarding accounts, and SCA-protected fraud controls.
Payment institutions (PIs) and electronic money institutions (EMIs) authorised under PSD2 and the E-money Directive are explicitly in scope of DORA (Regulation (EU) 2022/2554) and have been bound by its requirements since 17 January 2025. Because their entire business model runs on always-on digital transaction processing, card scheme connectivity, and real-time fraud screening, ICT availability and integrity are not back-office concerns but the core of the regulated service itself.
DORA replaces the previously fragmented ICT expectations (EBA Guidelines on ICT and security risk management, PSD2 incident reporting, outsourcing guidelines) with a single, directly applicable framework covering ICT risk management, incident reporting, digital operational resilience testing, third-party risk, and information sharing. For PIs and EMIs the practical challenge is mapping these five pillars onto distinctive operational realities: safeguarding of client funds, dependency on BIN sponsors and acquirers, networks of agents and distributors, and strong customer authentication (SCA) infrastructure.
Under Article 2 DORA, authorised payment institutions and electronic money institutions are designated financial entities and fall within scope, including those passporting across the EU; only fully exempt or registered small entities under PSD2 Art. 32 or EMD Art. 9 may sit outside. Article 16 establishes a simplified ICT risk management framework for smaller and non-interconnected entities, but most PIs/EMIs do not automatically qualify because they are interconnected through schemes, acquirers and BIN sponsors. Firms must therefore perform a documented self-assessment against the Art. 16 thresholds rather than assuming the simplified regime applies, and institutions providing payment accounts are generally expected to apply the full framework.
DORA is lex specialis for ICT risk and overrides the ICT-related provisions of PSD2 and the EBA ICT/security guidelines, while PSD2/PSD3 continue to govern licensing, conduct, SCA (RTS on SCA & CSC under Art. 98 PSD2), and safeguarding of funds. Critically, the PSD2 major operational or security incident reporting regime (Art. 96 PSD2 and the EBA Guidelines EBA/GL/2021/03) has been folded into DORA's incident reporting channel, so a single ICT-related incident report flows to the competent authority instead of two parallel notifications. PIs and EMIs must keep PSD2 fraud-reporting (EBA/GL/2018/05) and SCA obligations live, since DORA governs the resilience of the systems but PSD2/PSD3 still governs the payment conduct and authentication outcomes.
Articles 5-15 require a board-approved ICT risk management framework that explicitly maps the end-to-end transaction lifecycle: authorisation, clearing, settlement, and reconciliation. For PIs/EMIs this means inventorying ICT assets that touch card scheme gateways, payment processors, and core ledgers, and assigning protection, detection and recovery controls proportionate to the criticality of payment continuity.
Client funds must be safeguarded under PSD2 Art. 10 / EMD Art. 7, and the ICT systems that calculate, reconcile and protect safeguarded balances qualify as supporting a critical or important function under DORA. Loss of integrity or availability in the safeguarding ledger is a resilience event, so it must be covered by business impact analysis, RTO/RPO targets, and the digital operational resilience testing programme.
Strong customer authentication, 3-D Secure and transaction risk analysis engines are ICT systems whose downtime directly blocks legitimate payments and exposes the firm to fraud. DORA requires these authentication and fraud-monitoring components to be subject to the same protection, monitoring, and resilience-testing controls as core processing, while PSD2 RTS on SCA & CSC continues to dictate the authentication logic itself.
Networks of agents (PSD2 Art. 19) and e-money distributors extend the firm's ICT perimeter to endpoints and onboarding flows it does not fully control. DORA obliges the institution to manage ICT risk arising from these channels, including identity and access management, data protection at the edge, and incident detection covering agent-facing systems, even though the agents themselves are not the regulated entity.
Many PIs/EMIs depend on a BIN sponsor, a single acquirer, or card schemes (Visa, Mastercard) and processors that are de facto unsubstitutable. Articles 28-30 require these dependencies to be logged in the Register of Information, assessed for concentration and exit risk, and governed by DORA-compliant contractual terms, with realistic exit and stressed-scenario planning for providers that cannot be quickly replaced.
Articles 24-27 require a risk-based testing programme; for most PIs/EMIs this means vulnerability scans, scenario-based recovery tests of payment and safeguarding systems, and penetration testing, while Threat-Led Penetration Testing (TLPT) applies only to entities identified by authorities as significant for the financial system. Smaller PIs/EMIs should document why TLPT does not apply and still evidence robust functional and recovery testing.
Yes, authorised payment institutions and electronic money institutions are expressly listed as financial entities in Article 2 DORA and have been fully bound since 17 January 2025. Only fully exempt or registered small providers under PSD2 Art. 32 or EMD Art. 9 may fall outside; passporting and EU branch operations do not remove you from scope.
Article 16 offers a simplified ICT risk management framework for small and non-interconnected financial entities, but eligibility depends on size, risk profile and interconnectedness, not on being a PI/EMI as such. Because most PIs/EMIs are interconnected through schemes, acquirers and BIN sponsors, many will not qualify and should document a self-assessment against the thresholds rather than assume the lighter regime applies.
The major operational and security incident reporting that used to flow under PSD2 Art. 96 and the EBA Guidelines (EBA/GL/2021/03) is now handled through DORA's harmonised ICT incident reporting channel, so you file once rather than twice. Classification criteria and the 4-hour / 72-hour / one-month timeline come from DORA Art. 19 and its RTS/ITS, while PSD2 fraud reporting under EBA/GL/2018/05 continues separately.
The legal safeguarding obligation stays under PSD2 Art. 10 / EMD Art. 7, but the ICT systems that compute, reconcile and protect safeguarded client balances support a critical or important function and are therefore squarely within DORA. You must include them in your asset inventory, business impact analysis, recovery objectives, and resilience testing, treating a loss of safeguarding-ledger integrity as a reportable resilience risk.
TLPT under Articles 26-27 applies only to financial entities that competent authorities identify, based on their role, risk profile and significance for financial stability; the majority of PIs and EMIs will not be designated. You should still run a full risk-based testing programme (vulnerability assessments, scenario and recovery tests, and penetration testing of payment, SCA and safeguarding systems), and keep documentation explaining why TLPT does or does not apply to you.
DORA Articles 28-30 require you to record these dependencies in the Register of Information, assess concentration and substitutability risk, and ensure contracts include the mandatory provisions on access, audit, sub-outsourcing, exit and incident cooperation. Where a provider is genuinely hard to substitute, you must document a realistic exit strategy and stressed continuity scenarios rather than relying on the assumption that the service will always be available.
Start free: check your DORA scope, run a gap analysis, or estimate implementation cost. Need the full risk view? See the Risk Assessment Toolkits or compare all kits. All prices exclude VAT; an EU VAT invoice is issued at checkout. Professional templates, not legal advice.