The deadline for EU finance companies to abide by the Digital Operational Resilience Act (DORA) falls today (17 January), but the regulations are ‘about more than compliance’, says Fadl Mantash.
As European fintech contends with yet another major regulatory deadline, Tribe Payments’ Chief Information Security Officer shares his views on what DORA means for payments firms and what companies can do to comply without negatively impacting operations.

Payment Expert: What key benefits does DORA pose for EU fintechs and payments companies?
Fadl Mantash: The main benefit of DORA is that it provides a unified regulatory framework across the EU. Fintechs and payments companies no longer have to deal with a maze of different rules; it’s one clear set of guidelines.
For firms working across multiple markets, it cuts down on compliance headaches and lets them focus on growing their business. DORA also drives improvements in ICT risk management and incident response plans.
While it may require some upfront effort, strengthening these areas means fewer disruptions and a faster return to normal when issues arise. In finance, staying up and running during a crisis builds trust, and it’s something that can really help your company stand out from the crowd.
Another key area is third-party risk management. Payments companies and fintechs often rely on external providers for critical services like cloud platforms and security. DORA ensures that these partnerships are secure and well-structured, which could help prevent vulnerabilities from weak links causing wider issues.
Privacy-enhancing technologies (PETs) such as encryption, data masking and tokenisation also play a role here, enabling firms to securely share sensitive data without compromising compliance or increasing exposure to risk.
At its core, DORA is about more than compliance; it’s an opportunity for fintechs and payments companies to build resilience and show they’re prepared for whatever challenges come their way.
How does this build on and complement pre-existing EU cybersecurity regulations in the finance space?
DORA doesn’t reinvent the wheel – it builds on frameworks that payments firms are already familiar with, like PSD2 and the General Data Protection Regulation (GDPR). For example, PSD2 introduced mandatory incident reporting and strong customer authentication, which laid the groundwork for some of DORA’s requirements.
Just as GDPR shifted the global conversation around data privacy, DORA is doing the same for resilience. What DORA adds is a more joined-up approach. Instead of separate regulations addressing different aspects of security, DORA integrates everything under one umbrella.
While PSD2 focuses on secure transactions, DORA goes further by requiring that the infrastructure behind those transactions can withstand disruptions. It is about strengthening against supply chain disruptions, ensuring single points of failure are mitigated.
By formalising information-sharing requirements, the regulation encourages financial entities to exchange insights on cyber threats and best practices – something not covered as extensively in earlier regulations.
In many ways, DORA represents the next step forward. It builds on what’s already in place but pushes firms to create a more interconnected and transparent approach to managing risks.
How should EU payments firms prepare for DORA? What are the key compliance considerations to factor in?
DORA entered into force in January 2023, but the real pressure is now, as the regulation becomes enforceable from 17 January 2025. Whether companies are putting the final pieces in place or catching up after the deadline, the focus should be on closing any remaining gaps in their compliance plans.
A key priority is ICT risk management – payments firms need thorough testing schedules, clear incident response procedures and accurate reporting systems to avoid penalties. DORA doesn’t just focus on live systems; it also requires companies to secure non-production environments. This is important because testing systems and AI models often hold vast amounts of sensitive data.
Another major focus is contract readiness. For those that rely on external providers for core services, contracts should be reviewed to include clear terms around service levels, data access and audits. This step helps ensure that these providers are also held accountable and meet DORA’s expectations.
For companies with ISO 27001 certification, which covers key areas like risk assessments and incident management, many of the essentials will already be in place, but DORA takes it further with more frequent resilience testing, stricter third-party oversight and faster incident reporting.
Gap analysis tools can simplify this process, helping companies prioritise the biggest compliance gaps. Those who treat this as a chance to strengthen operations rather than just tick a compliance box will be better prepared for what’s ahead.
Given DORA’s wide scope and strict 2025 deadline, there are concerns some firms may not be completely prepared. Can we expect these firms to come under immediate scrutiny, or will regulators take a more lenient approach to enforcement?
While it’s hard to predict how strict enforcement will be from day one, regulators are unlikely to turn a blind eye. They’ll expect firms to show they’ve made serious efforts to comply, even if every detail isn’t perfect yet. Firms that can demonstrate clear progress – like updated incident response plans, documented third-party reviews and thorough testing – are more likely to be treated fairly.
That said, firms that haven’t addressed the basics or lack transparency may face penalties sooner rather than later. For organisations, fines can amount to 2% of their total annual global revenue.
Individuals may face penalties of up to €1m, while third-party providers could be fined as much as €5m. But it’s not just about avoiding fines; it’s about building credibility with both regulators and customers.
Being proactive, even after the deadline, can make a big difference in how firms are assessed.
Part two of Fadl Mantash’s conversation with Payment Expert will be published on Monday – keep an eye on the site so you don’t miss it.