EU Regulation

DORA Compliance for Payment Service Providers

The Digital Operational Resilience Act imposes new ICT risk management obligations on all PSPs operating in the EU. PCI Proxy provides a DORA-aligned card data vault so you meet requirements without expanding your scope.

PCI DSS Level 1 100% EU data residency DORA-aligned ICT risk SLA incident notification Penetration testing ISO 27001 certified
The Regulation

What is DORA?

DORA (EU Regulation 2022/2554) creates a binding legal framework for ICT risk management in the European financial sector. It entered into force in January 2025 and covers financial entities, including payment institutions, and their critical ICT third-party providers.

ICT Risk Management

Financial entities must maintain comprehensive ICT risk management frameworks covering identification, protection, detection, response, and recovery. Every critical ICT vendor must meet equivalent standards.

Resilience Testing

DORA mandates regular digital operational resilience testing, including threat-led penetration testing for significant entities. Results must be shared with competent authorities on request.

Incident Reporting

Major ICT-related incidents must be reported to the competent authority within strict timeframes. PSPs must maintain detailed incident logs, root-cause analyses, and remediation records.

FAQ

DORA Compliance Questions Answered

01 What is DORA and who does it apply to?

DORA (EU Regulation 2022/2554) entered into force in January 2025. It applies to financial entities such as PSPs, credit institutions, and insurance companies, as well as critical ICT third-party service providers that serve them.

02 How does DORA affect payment service providers?

PSPs must establish ICT risk management frameworks, conduct digital operational resilience testing, manage ICT third-party risks, and report major ICT-related incidents to the competent authority. Every critical ICT vendor must also satisfy DORA resilience requirements.

03 Is PCI Proxy DORA-compliant?

Yes. PCI Proxy operates as a DORA-aligned ICT third-party service provider. Our EU-based PCI DSS Level 1 vault maintains documented ICT risk policies, continuous availability monitoring, incident-response runbooks, and regular penetration testing.

04 How does tokenization support DORA compliance?

By outsourcing card data storage to a DORA-aligned vault, you reduce the ICT attack surface you must defend and test. Fewer systems holding sensitive data means a smaller scope for resilience testing. PCI Proxy tokenization removes raw card data entirely from your infrastructure.

05 Does PCI Proxy support DORA incident reporting?

Yes. PCI Proxy provides contractual SLAs, incident notification obligations, and detailed technical logs that feed directly into your DORA reporting requirements. Our dedicated security team is available to support root-cause analysis and regulatory communication.

Meet DORA Without Expanding Your ICT Footprint

We map your card data flows against DORA requirements and show how PCI Proxy reduces your resilience obligations.