• Award-Winning Solution
  • Extensive Coverage Worldwide
  • Banking Security Standards
Book a demo

How SurePay can help you be DORA compliant

The financial sector has become increasingly dependent on technology and supporting ICT service providers. While they can improve operational resilience, it has also made these financial entities vulnerable to cyber-attack. Due to the interconnectedness of the ecosystem, the impact of a breach on a single entity or its service provider could expose many more, and lead to serious disruption. As a result, robust and uniform security defences are required across the ICT risk management chain, with malicious agents continually seeking to explore and exploit any weak link.

EU standard for ICT (third party) risk management

To boost the resilience of the financial sector, on 17 January 2025, the European law, known as DORA (Digital Operational Resilience Act) came into effect. DORA brought in uniform laws for financial entities regarding IT security, risk management and incident response – including IT risk management of services delivered by third parties. DORA sets an EU-wide technical standard for managing IT security risks and dependence on third parties, ensuring that the European financial sector remains resilient in the event of severe operational disruption.

DORA: a chain responsibility

DORA applies for EU financial entities under financial supervision. While SurePay is not technically in scope of DORA, we use the regulations as standard for our IT security risk management, information security management systems, and incident response procedures. We consider digital operational resilience a chain responsibility: a joint effort where customers can rely on our robust IT security risk and incident response management to meet their own regulatory requirements.

SurePay: reliance on continuity of VOP service

Non-compliance on DORA could lead to non-compliance on other regulatory obligations. For example, as of 9 October 2025, the Instant Payments Regulation came into effect. With this regulation, the EU emphasises the importance of VOP services, as it has become mandatory for payment service providers to use Verification Of Payee (VOP) services as part of the payment process. VOP services help to prevent payment fraud and misdirected payments and are there to make online payments more secure. SurePay is the pioneer of VOP services in the EU and had already been ahead of this development. As any disruption of such services would lead to non-compliance for its customers, SurePay has transitioned its technology and ICT risk management fit for purposes to safeguard reliance for its customers on continuity of delivered VOP services.

How SurePay can help you become DORA compliant

DORA introduced many requirements where, as your service provider, SurePay can help. By keeping your payments process secure, we give clients peace of mind about third party security vulnerabilities. We set DORA-equivalent standards and requirements on sound security risk management, and we expect the same from those we do business with.
Our clients can rely on two key-attributes to ensure digital operational resilience is both delivered and maintained:

  1. A robust risk management framework
  2. Cooperation, consultation and transparency
Here’s how we do it.

Robust risk management framework

Our customers should not need to worry about how their data is handled. All they need to know is it is held and processed in a secure, controlled and confidential environment. To achieve this, SurePay has an state-of-the-art Information Security Risk Management (ISMS) in place, which includes:
  • Standards, procedures and measurements in place to identify, mitigate, monitor, report and remediate on security risks – which are appropriately documented and implemented in line with the ISO 27001 standard
  • An robust security incident management system
  • A ‘battle-tested’ disaster recovery plan
We also carry out periodic testing of our risk management framework to ensure it remains fit for purpose. This includes:
  • Performing regular testing of recovery plans for all services/products offered to its customers. These plans address timely recovery of products/services offered to the customer in accordance with agreed contractual requirements. SurePay has implemented redundancies for critical information systems, software, and facilities to meet agreed availability requirements.
  • Keeping track of our third party’s ICT risk management. We perform due dilligence with subcontractors and vendors, or request evidence of security audit results (e.g. ISO 27001, ISAE 3000, SOC or any equivalent) demonstrating IT security standards are being met.
  • Obtaining the ISAE 3000 type II attestation every year since our inception, confirming our robust standards and the effectiveness from our ISMS by the (external) auditor. This ISAE 3000 attestation is a standard that is underlined by the auditors who rely on it during the annual account audits.

Cooperation, consultation and transparency

As DORA compliance is a joint effort, we work with our customers to support them in their compliance journey. By employing a proactive, consultative approach we maximise knowledge sharing, efficiency and speed, and can adapt quickly to any future changes. In turn, we leverage our customers’ knowledge on security risk mitigation to adjust our own ICT risk management framework and VOP services.

We also help our customers with their information needs, including passing evidence of implemented IT security standards, or supporting their own auditor’s queries. In the event of a security incident, impacted clients will be notified and kept informed of the root cause, incident analysis, solutions and lessons learned. We expect – and ask for – the same from our business partners.

Our customers tell us that this approach builds the confidence they need to optimise their own processes.

Final steps to support your DORA compliance

SurePay would take these final three steps to ensure that our customers meet the DORA requirements.

1. Communication
To prove that SurePay is the VOP service provider of choice, we will:
  • Provide evidence of the appropriate ICT framework in place, in line with ISO standards, and by means of the ISAE 3000 type 2 attestation This verifies our effectiveness in monitoring, identifying, responding, treating and reporting on information security risks;
  • Maintain transparency on both our policies and procedures to keep clients’ data secure, and any incidents related to their services to ensure minimal impact
  • Respond to any information request within a reasonable timeframe.
2. Fine-tuning contracts
Contractual agreements with SurePay clients and relevant subcontractors will be reviewed and fine-tuned to ensure they are ‘DORA-proof’ and include all necessary details to assure our customers and SurePay’s third party risk can be properly managed.
3. Contingency planning of alternative solutions

SurePay will further its investigation into alternative solutions to its important subcontractors, like cloud providers. This includes examining the possibilities for in-house solutions, and clear actions to switch to alternative providers if needed.

While SurePay already has a robust ICT risk management and incident response management framework, this customer-centric approach brings our technology and security risk mitigation processes to a new level of excellence.

As we move into the final stretch of the road to delivering DORA, our customers can rest assured we’re positioned and take our value chain responsibility to not only support, but supercharge your DORA compliance, unlocking the potential to grow your business.

Want to know more?

Discover our Verification Of Payee solution

Our solution   →

Book a Meeting

Schedule meeting  

The latest developments

How Fraud detection in the “Wild West” era was superior

Read more →

How Bank Account Verification is the key to compliant & safe Instant Payments

Read more →

Understanding IBAN-Name Check: What It Is and Why It Matters

Read more →

Verification Of Payee in the EU: What it is, how it works, and how to prepare

Read more →

What is SurePay and How Does It Work?

Read more →

Understanding the EU Instant Payments Regulation (IPR): What banks need to know

Read more →