DORA for payment & e-money institutions
Payment institutions and e-money institutions are financial entities under DORA — so the same ICT-resilience rules that hit banks apply to you, at a scale proportionate to your size. DORA has been in force since 17 January 2025. Here's what's in scope, the five things you have to do, and the deliverable to start with.
In one line: PIs and EMIs must run an ICT risk framework, report incidents, test resilience, govern their ICT providers (with a register of information), and may share threat intel. The register is the first concrete step.
Are you in scope?
Yes, if you're any of these:
- Payment institutions (PIs)
- Electronic money institutions (EMIs)
- Account information service providers (AISPs)
Size brings proportionality — a genuine microenterprise (under 10 staff and under €2m) follows a simplified ICT risk framework — but the core obligations, including the register of information, still apply.
The five pillars for a payments firm
1. ICT risk management
A documented framework owned by your management body — identify the systems your payment flows depend on, set controls, keep it current.
2. Incident management & reporting
Detect, classify and report major ICT incidents to your competent authority within DORA's timelines. Payment outages are exactly the kind of incident supervisors watch.
3. Resilience testing
Regular vulnerability assessments and scenario testing, proportionate to your size, to find weaknesses before they find you.
4. Third-party risk & the register
Govern every ICT provider you rely on — payment processors, cloud, card schemes, KYC vendors — and record them in the register of information with criticality and sub-outsourcing.
5. Information sharing
Optional threat-intelligence sharing with other financial entities — a marker of a mature programme.
Start with the register of information
It's the most concrete deliverable and the one authorities collect first — a structured inventory of every ICT contractual arrangement, 60+ fields across interlinked tables, kept current. For a payments firm that depends on a web of processors and platforms, getting this complete and consistent is the bulk of the early work.
Practical first steps
- Confirm scope and your proportionality position (are you a microenterprise?).
- Inventory every ICT contract — including the easy-to-forget small ones.
- Build the register and get the provider LEIs right.
- Stand up a lightweight incident process with reporting thresholds.
- Schedule proportionate testing so it actually recurs.
Common questions
Does DORA apply to payment and e-money institutions?
Yes — PIs, EMIs and AISPs are financial entities under DORA, so its ICT-resilience rules, including the register of information, apply. In force since 17 January 2025.
What's the main deliverable?
The register of information — a structured inventory of all ICT third-party arrangements — alongside an ICT risk framework and incident reporting.
Is there a lighter regime for small firms?
Proportionality applies — a microenterprise follows a simplified framework — but the core obligations, including the register, still apply.
General information, not legal advice. Confirm the current requirement against DORA (Regulation (EU) 2022/2554), the relevant technical standards and your national competent authority before you rely on it.