Krishna Subramanyan is the CEO of Bruc Bond, a licensed major payment institution.
The 17th of January 2025 marked the official enforcement of the Digital Operational Resilience Act (DORA), initiating regulatory oversight of critical ICT third-party service providers (CTPPs). But with the next key milestone looming on the 30th of April, financial entities must act now.
By this date, players in financial services must submit registers of their contractual agreements with all ICT third-party service providers to the European Supervisory Authorities (ESAs). These registers will determine which providers are classified as CTPPs.
Failure to comply doesn’t just risk penalties of up to 2% of annual global turnover; it could also lead to operational disruptions, financial losses, and lasting reputational damage.
High stakes for cross-border payment providers
Just prior to the January deadline, research found that 43% of financial institutions (FIs) were not fully compliant with DORA’s requirements. This upcoming deadline is not about new rules, but about meeting essential reporting requirements. Given the severity of DORA’s non-compliance penalties, companies must ensure that they are fully prepared in order to avoid consequences.
For businesses handling cross-border payments, the stakes are particularly high. Compliance gaps could lead to processing delays, increased costs and reputational damage – each of which could impact international transactions. 50% of businesses report having experienced some form of cyber security breach or attack in the past year. As cyber threats intensify, firms cannot afford to treat DORA as a simple tick-box exercise. Instead, they must act to mitigate risk to maintain operational resilience.
The B2B cross-border payment market is the cornerstone of dozens of businesses worldwide, reaching $31.6tn in 2024 and expected to grow a further 58% by 2032. However, failure to comply with DORA could introduce unnecessary roadblocks, which could be especially damaging for smaller firms. Beyond financial penalties, non-compliance erodes trust among customers and partners, putting long-term business relationships at risk.
Navigating the DORA teething period
Despite DORA’s significance, many firms are still grappling with its requirements: as previously mentioned, 43% of financial institutions were not DORA compliant by its January deadline. The framework mandates robust ICT risk management and incident reporting, but implementing these measures remains a challenge for many.
Financial institutions often depend on multiple vendors for cloud computing, data analytics and payment processing, creating a web of contractual obligations that must align with regulatory standards. Yet, many firms lack full oversight of each vendor’s third-party risks.
This not only complicates adherence to DORA but also increases the likelihood of operational disruptions and security threats. Without a structured approach to resilience testing and vendor oversight, firms risk falling behind and not meeting compliance standards, which could severely hinder their ability to function across multiple jurisdictions.
Future-proofing cross-border payments
In order to future-proof cross-border payments, firms must go beyond regulatory compliance and embed resilience into their core operations. Proactive risk management is key, not just to meet DORA’s requirements, but to safeguard against cyber threats.
Leveraging technology such as AI-driven anomaly detection and automation can help firms better identify vulnerabilities. This should have a knock-on effect, helping to streamline compliance processes and respond to potential threats or incidents faster.
Appointing a trusted partner can help guide financial institutions through these complexities, which in turn can help reduce regulatory bottlenecks and maintain seamless operational efficiency.
Looking ahead
With the 30th of April fast approaching, financial institutions must be fully prepared for DORA's next phase. By partnering with experts who understand how to navigate multi-jurisdictional regulation, organisations can expect a smooth transition, mitigating risks while saving both time and resources.
Those who take a proactive approach now will not only meet regulatory requirements but also strengthen trust with customers and partners, positioning themselves for long-term resilience in an increasingly regulated landscape.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.