DORA, NIS2 and PSD2 explained

EU payment compliance: DORA, NIS2 and PSD2

Three major EU regulations now govern how payment businesses handle digital resilience, cybersecurity and customer authentication. PCI Proxy is a dedicated EU PCI DSS Level 1 vault that helps you meet DORA, NIS2 and PSD2 obligations from a single certified platform with 100% EU data residency.

DORA ready NIS2 compliant PSD2 SCA support 100% EU data residency PCI DSS Level 1 ISO 27001 certified
The Three Regulations

EU compliance obligations for payment businesses

DORA, NIS2 and PSD2 each address different aspects of payment security and resilience, but they overlap significantly for payment service providers. Click any regulation to read the full guide.

DORA Compliance

EU Regulation 2022/2554

Digital Operational Resilience Act

Applies to: Banks, PSPs, fintechs, critical ICT providers
Effective: January 2025

DORA requires financial entities to maintain digital operational resilience through ICT risk management, incident reporting, third-party oversight and resilience testing. PCI Proxy operates as a regulated ICT third-party provider with documented SLAs, incident procedures and annual resilience assessments.

ICT risk management framework Major incident reporting 4h / 24h / 72h Third-party provider oversight Annual operational resilience testing Applies from January 2025

NIS2 Compliance

EU Directive 2022/2555

Network and Information Security Directive 2

Applies to: Essential and important entities including payment infrastructure
Effective: October 2024

NIS2 expands the scope of cybersecurity obligations to a broader range of essential and important sectors, including financial market infrastructures and digital infrastructure. Payment service providers processing above the NIS2 size thresholds must implement risk management measures, supply-chain security and incident reporting.

Cybersecurity risk management measures Supply-chain security requirements 24h / 72h incident notification Management accountability Applies from October 2024

PSD2 Compliance

EU Directive 2015/2366

Payment Services Directive 2

Applies to: Payment service providers, merchants accepting card payments in EEA
Effective: In force (SCA fully enforced)

PSD2 mandates Strong Customer Authentication (SCA) for electronic payments in the EEA, requiring two-factor verification combining possession, knowledge and inherence. 3D Secure 2 is the primary card-payment mechanism for SCA compliance. PCI Proxy supports 3DS2 flows from our EU vault without your systems ever touching raw card data.

Strong Customer Authentication (SCA) 3D Secure 2 for card payments Exemptions for low-value and MITs Open banking access requirements EEA-wide scope
How they overlap

DORA, NIS2 and PSD2: key differences

The three regulations are complementary. A payment provider may be subject to all three simultaneously.

Aspect DORA NIS2 PSD2
Primary focusOperational resilienceCybersecurityPayment authentication
Applies toFinancial entitiesEssential / important sectorsPSPs in EEA
Incident reporting4h / 24h / 72h24h / 72hMajor operational incidents
Third-party rulesStrict ICT provider oversightSupply-chain securityPSP liability for TPPs
AuthenticationNot primary focusNot primary focusSCA mandatory (3DS2)
How PCI Proxy helpsDocumented SLAs, resilience testingISO 27001, incident procedures3DS2 without touching PANs
PCI Proxy and compliance

One platform for all three regulations

PCI Proxy is a dedicated EU PCI DSS Level 1 card vault with annual certification, ISO 27001 and ISO 9001, documented DORA-ready third-party contracts, NIS2-aligned cybersecurity procedures and full PSD2 3DS2 support. All card data stays in EU data centres.

PCI DSS Level 1 certified
ISO 27001 and ISO 9001
100% EU data residency

Meet DORA, NIS2 and PSD2 with a single certified platform

PCI Proxy gives payment businesses an EU-hosted, PCI DSS Level 1 certified vault that satisfies digital resilience, cybersecurity and strong authentication requirements in one integration.