How SurePay can help you be DORA compliant

The financial sector has become increasingly dependent on technology and on the ICT service providers that support it. While this can improve operational resilience, it has also made financial entities vulnerable to cyber-attack. Because the ecosystem is so interconnected, a breach at a single entity or its service provider could expose many others and lead to serious disruption. Robust and uniform security defences are therefore required across the whole ICT risk management chain, as malicious actors continually probe for and exploit any weak link.

EU standard for ICT (third party) risk management

To boost the resilience of the financial sector, the European law known as DORA (Digital Operational Resilience Act) will come into effect on 17 January 2025. DORA introduces uniform rules for financial entities on IT security, risk management and incident response, including the IT risk management of services delivered by third parties. DORA sets an EU-wide technical standard for managing IT security risks and dependence on third parties, so that the European financial sector remains resilient in the event of severe operational disruption.

DORA: a chain responsibility

DORA applies to EU financial entities under financial supervision. While SurePay is not technically in scope of DORA, we use the regulation as the standard for our IT security risk management, information security management system and incident response procedures. We consider digital operational resilience a chain responsibility: a joint effort in which customers can rely on our robust IT security risk and incident response management to meet their own regulatory requirements.

SurePay: reliance on continuity of VoP service

Non-compliance with DORA could lead to non-compliance with other regulatory obligations. For example, the Instant Payments Regulation comes into effect on 9 October 2025. With this regulation the EU emphasises the importance of VoP services, as it becomes mandatory for payment service providers to use Verification of Payee (VoP) services as part of the payment process. VoP services help to prevent payment fraud and misdirected payments and make online payments more secure. SurePay is the pioneer of VoP services in the EU and has been ahead of this development. Since any disruption of such services would lead to non-compliance for its customers, SurePay has made its technology and ICT risk management fit for purpose, so that customers can rely on the continuity of the VoP services delivered.

How SurePay can help you become DORA compliant

DORA introduces many requirements where, as your service provider, SurePay can help. By keeping your payments process secure, we give clients peace of mind about third-party security vulnerabilities. We set DORA-equivalent standards and requirements for sound security risk management, and we expect the same from those we do business with. Our clients can rely on two key attributes to ensure digital operational resilience is both delivered and maintained:
  1. A robust risk management framework
  2. Cooperation, consultation and transparency
Here’s how we do it.

Robust risk management framework

Our customers should not need to worry about how their data is handled. All they need to know is that it is held and processed in a secure, controlled and confidential environment. To achieve this, SurePay has a state-of-the-art Information Security Management System (ISMS) in place, which includes:
We also carry out periodic testing of our risk management framework to ensure it remains fit for purpose. This includes:

Cooperation, consultation and transparency

As DORA compliance is a joint effort, we work with our customers to support them in their compliance journey. By employing a proactive, consultative approach we maximise knowledge sharing, efficiency and speed, and can adapt quickly to any future changes. In turn, we leverage our customers’ knowledge on security risk mitigation to adjust our own ICT risk management framework and VoP services.

We also help our customers with their information needs, including providing evidence of implemented IT security standards or supporting their own auditors’ queries. In the event of a security incident, impacted clients will be notified and kept informed of the root cause, incident analysis, solutions and lessons learned. We expect – and ask for – the same from our business partners.

Our customers tell us that this approach builds the confidence they need to optimise their own processes.

Final steps to support your DORA compliance

There are three final steps for SurePay to take before January 2025 to help ensure our customers will meet DORA requirements.
1. Communication
To prove that SurePay is the VoP service provider of choice, we will:
2. Fine-tuning contracts
Contractual agreements with SurePay clients and relevant subcontractors will be reviewed and fine-tuned to ensure they are ‘DORA-proof’ and include all the details needed to give our customers assurance and to ensure that SurePay’s third-party risk can be properly managed.
3. Contingency planning of alternative solutions
SurePay will further its investigation into alternatives to its important subcontractors, such as cloud providers. This includes examining the possibilities for in-house solutions and defining clear actions to switch to alternative providers if needed.

While SurePay already has a robust ICT risk management and incident response management framework, this customer-centric approach brings our technology and security risk mitigation processes to a new level of excellence.

As we move into the final stretch of the road to delivering DORA, our customers can rest assured that we are positioned, and take our value-chain responsibility, to not only support but supercharge their DORA compliance, unlocking the potential to grow their business.
