Reposted from Linklaters - Financial Regulation Insights

Payments in 2025 #1 – Operational resilience

Operational resilience rules will start to be enforced in the EU and UK this year. Payments firms can anticipate more scrutiny about their readiness to withstand disruption.

More work to be done on DORA

The Digital Operational Resilience Act prescribes how EU firms, including banks, e-money issuers and payment institutions, should manage technology risks. DORA applies from 17 January 2025 but work on compliance will continue after this date.

In the coming months payments firms will continue to:

  • engage with their service providers to update their contracts to DORA standards
  • ensure they have the governance documentation required by DORA
  • add data about third-party ICT services to their DORA registers so they are ready to be shared with regulators in the spring

Firms will also need to respond to last-minute changes to the DORA rulebook. For example, the EU authorities are still finalising rules on subcontracting and threat-led penetration testing.

New operational resilience rules for UK firms

The UK’s operational resilience regime applies to e-money and payments firms. From 31 March 2025, firms will need to remain within their impact tolerance for severe but plausible disruptions to their important business services. Ahead of this deadline, firms are reviewing their impact tolerances and the work done to date on mapping and scenario testing.

The FCA is also consulting on a new incident reporting regime. Under the proposals, payment service providers would notify the FCA as soon as practicable after operational incidents and provide subsequent updates and a final report. These rules will sit alongside existing incident reporting requirements under payment services legislation.

The FCA also seeks more information about firms’ arrangements with third parties. Under draft rules, firms will report details of their material non-outsourcing arrangements, such as those with cloud and other technology service providers. As under DORA, firms will need to collate this information on a register and submit it to the regulator annually.

Critical third parties

Regulators in the EU and UK will use new powers to designate some technology providers as being critical to the financial industry. We may see the first designation announcements under DORA and the UK’s critical third party regime in the second half of the year. 

Date for the diary: 13 March 2025 – deadline for responding to the FCA consultation on operational incident and third party reporting

This is the first in a series of five blogposts looking at the outlook for payments regulation in the EU and UK. Read our Payments Outlook 2025 for more.
