EU payment compliance: DORA, NIS2 and PSD2
Three major EU regulations now govern how payment businesses handle digital resilience, cybersecurity and customer authentication. PCI Proxy is a dedicated EU PCI DSS Level 1 vault that helps you meet DORA, NIS2 and PSD2 obligations from a single certified platform with 100% EU data residency.
EU compliance obligations for payment businesses
DORA, NIS2 and PSD2 each address different aspects of payment security and resilience, but they overlap significantly for payment service providers. Click any regulation to read the full guide.
DORA Compliance
EU Regulation 2022/2554Digital Operational Resilience Act
DORA requires financial entities to maintain digital operational resilience through ICT risk management, incident reporting, third-party oversight and resilience testing. PCI Proxy operates as a regulated ICT third-party provider with documented SLAs, incident procedures and annual resilience assessments.
NIS2 Compliance
EU Directive 2022/2555Network and Information Security Directive 2
NIS2 expands the scope of cybersecurity obligations to a broader range of essential and important sectors, including financial market infrastructures and digital infrastructure. Payment service providers processing above the NIS2 size thresholds must implement risk management measures, supply-chain security and incident reporting.
PSD2 Compliance
EU Directive 2015/2366Payment Services Directive 2
PSD2 mandates Strong Customer Authentication (SCA) for electronic payments in the EEA, requiring two-factor verification combining possession, knowledge and inherence. 3D Secure 2 is the primary card-payment mechanism for SCA compliance. PCI Proxy supports 3DS2 flows from our EU vault without your systems ever touching raw card data.
DORA, NIS2 and PSD2: key differences
The three regulations are complementary. A payment provider may be subject to all three simultaneously.
| Aspect | DORA | NIS2 | PSD2 |
|---|---|---|---|
| Primary focus | Operational resilience | Cybersecurity | Payment authentication |
| Applies to | Financial entities | Essential / important sectors | PSPs in EEA |
| Incident reporting | 4h / 24h / 72h | 24h / 72h | Major operational incidents |
| Third-party rules | Strict ICT provider oversight | Supply-chain security | PSP liability for TPPs |
| Authentication | Not primary focus | Not primary focus | SCA mandatory (3DS2) |
| How PCI Proxy helps | Documented SLAs, resilience testing | ISO 27001, incident procedures | 3DS2 without touching PANs |
One platform for all three regulations
PCI Proxy is a dedicated EU PCI DSS Level 1 card vault with annual certification, ISO 27001 and ISO 9001, documented DORA-ready third-party contracts, NIS2-aligned cybersecurity procedures and full PSD2 3DS2 support. All card data stays in EU data centres.
Meet DORA, NIS2 and PSD2 with a single certified platform
PCI Proxy gives payment businesses an EU-hosted, PCI DSS Level 1 certified vault that satisfies digital resilience, cybersecurity and strong authentication requirements in one integration.