How SurePay can help you be DORA compliant
EU standard for ICT (third party) risk management
DORA: a chain responsibility
SurePay: reliance on continuity of VoP service
Non-compliance with DORA could lead to non-compliance with other regulatory obligations. For example, as of 9 October 2025, the Instant Payments Regulation will come into effect. With this regulation, the EU emphasises the importance of VoP services, as it will become mandatory for payment service providers to use Verification of Payee (VoP) services as part of the payment process. VoP services help to prevent payment fraud and misdirected payments and exist to make online payments more secure. SurePay is the pioneer of VoP services in the EU and has been ahead of this development. Because any disruption of such services would lead to non-compliance for its customers, SurePay has transitioned its technology and ICT risk management to be fit for purpose, so that its customers can rely on the continuity of the VoP services it delivers.
How SurePay can help you become DORA compliant
- A robust risk management framework
- Cooperation, consultation and transparency
Robust risk management framework
- Standards, procedures and measures in place to identify, mitigate, monitor, report on and remediate security risks, appropriately documented and implemented in line with the ISO 27001 standard
- A robust security incident management system
- A ‘battle-tested’ disaster recovery plan
- Performing regular testing of recovery plans for all services/products offered to its customers. These plans address timely recovery of products/services offered to the customer in accordance with agreed contractual requirements. SurePay has implemented redundancies for critical information systems, software, and facilities to meet agreed availability requirements.
- Keeping track of our third parties’ ICT risk management. We perform due diligence on subcontractors and vendors, or request evidence of security audit results (e.g. ISO 27001, ISAE 3000, SOC or any equivalent) demonstrating that IT security standards are being met.
- Obtaining the ISAE 3000 type II attestation every year since our inception, in which the (external) auditor confirms our robust standards and the effectiveness of our ISMS. The ISAE 3000 attestation is a standard that our customers’ auditors rely on during their annual account audits.
Cooperation, consultation and transparency
We also help our customers with their information needs, including passing evidence of implemented IT security standards, or supporting their own auditor’s queries. In the event of a security incident, impacted clients will be notified and kept informed of the root cause, incident analysis, solutions and lessons learned. We expect – and ask for – the same from our business partners.
Our customers tell us that this approach builds the confidence they need to optimise their own processes.
Final steps to support your DORA compliance
1. Communication
- Provide evidence of the appropriate ICT framework in place, in line with ISO standards, by means of the ISAE 3000 type 2 attestation. This verifies our effectiveness in monitoring, identifying, responding to, treating and reporting on information security risks;
- Maintain transparency on our policies and procedures for keeping clients’ data secure, and on any incidents related to their services, to ensure minimal impact;
- Respond to any information request within a reasonable timeframe.
2. Fine-tuning contracts
3. Contingency planning of alternative solutions
While SurePay already has a robust ICT risk management and incident response management framework, this customer-centric approach brings our technology and security risk mitigation processes to a new level of excellence.
As we move into the final stretch of the road to delivering DORA, our customers can rest assured that we are positioned to take our value chain responsibility and not only support, but supercharge your DORA compliance, unlocking the potential to grow your business.