Fraud was the talk of the town in payments last year, in the UK at least, when the conversation turned to security. The importance of cybersecurity and the regulations around it, such as the Digital Operational Resilience Act (DORA), cannot be overstated, however.

The deadline for financial firms to comply with DORA passed last week. Reflecting on recent years and looking ahead, Fadl Mantash, Chief Information Security Officer at paytech company Tribe Payments, discusses the impact of cybersecurity on the payments space and the future direction the EU could take.

Payment Expert: Have incidents like the 2024 CrowdStrike outage highlighted the vulnerability of ICT systems to modern businesses?

Fadl Mantash: Absolutely. The 2024 outage at cybersecurity company CrowdStrike, caused by a faulty update to its Falcon Sensor security software, disrupted millions of Microsoft Windows systems globally and reportedly cost businesses billions due to halted operations and recovery efforts.

It was a stark reminder that even the most established providers aren’t immune to disruption. Many businesses rely on external providers for critical services, and when something goes wrong, the ripple effects can be huge – delayed transactions, customer dissatisfaction, and, in some cases, regulatory consequences.

What incidents like this highlight is the importance of shared responsibility. Businesses can’t just assume their providers have everything covered; they need to have their own contingency plans in place. DORA reinforces this by making third-party oversight a core requirement.

It’s not just about trusting your partners but verifying that they have the right safeguards to protect your operations. It’s a wake-up call for payments firms to strengthen their own monitoring and resilience strategies rather than relying solely on vendor guarantees.

What ICT-related risks do payment companies encounter the most, and how can these be addressed?

Service outages, data breaches and outdated systems top the list of ICT risks for payments companies. Even a brief outage can cause failed transactions and erode customer trust, while a single data breach can trigger regulatory fines and reputational damage.

Outdated systems are another risk, prone to failures during upgrades or unable to support modern security measures. Companies also need to monitor for gaps in their internal defences, where vulnerabilities can be exploited before they’re detected.

To tackle these risks, firms should run regular system tests, encrypt sensitive data and use real-time monitoring to spot issues early. Having a clear recovery plan, alongside regular infrastructure reviews, helps ensure they can bounce back quickly if disruptions occur. Updating legacy systems and adopting automated patching tools can prevent many issues before they become major problems.

DORA highlights the need for proactive defence, requiring businesses to strengthen their ICT frameworks and stay resilient against evolving threats.

Do you think the regulation will realistically achieve the EU’s goals around financial cybersecurity?

DORA is a step in the right direction, but whether it fully achieves its goals depends on how firms implement it and how regulators enforce it. The framework is solid; it covers everything from risk management to incident reporting and third-party oversight. But regulation alone doesn’t guarantee success.

The real challenge is whether companies treat DORA as a chance to strengthen their operations and prepare for disruptions or simply as another compliance task. If they take a proactive approach, it could genuinely boost the sector’s cyber defences. But if it’s approached with a ‘just get it done’ mentality, the impact will likely fall short.

Don’t forget, cyber threats evolve quickly. While DORA addresses today’s risks, payments companies will need to stay adaptable to meet future challenges. The regulation provides the blueprint, but it’s up to the industry to build something that lasts.

Could DORA have a knock-on effect on non-EU European financial markets like the UK and Nordics? How should firms in these countries prepare?

Yes, DORA’s impact extends beyond the EU. Many payments firms in the UK and Nordics provide services within the EU or partner with EU-based companies, meaning they’ll need to align with DORA to maintain those connections. Even domestic-only firms may adopt similar standards to stay competitive.

Preparation starts with assessing exposure to the EU market and reviewing whether current risk management and third-party agreements meet DORA’s standards.

For firms in regions like the UK, where resilience regulations are already in place, some work may be done, but adopting DORA-level controls helps avoid barriers to cross-border operations.

Are there any complications for companies active across multiple EU markets, and especially for those active in both EU member and non-EU member European nations?

Operating across EU and non-EU markets adds complexity. While DORA creates consistency within the EU, firms still need to consider local enforcement differences and comply with other jurisdictions’ rules, such as the UK’s Digital Operational Resilience Act.

Another issue is third-party providers based outside the EU who may not meet DORA’s standards for audits and security. Companies need a centralised compliance strategy that ensures consistency across regions, with clear coordination between teams to avoid gaps or inefficiencies.

The Act includes more enhanced oversight of third parties – could this prove troublesome for some stakeholders in EU finance and payments?

Payments companies often depend on external providers for core services like cloud infrastructure, fraud prevention and cybersecurity. DORA’s requirements for stricter oversight – such as audit rights, data access and service continuity guarantees – may cause friction, especially with larger global providers that aren’t used to this level of scrutiny from clients.

For smaller firms, managing multiple third-party relationships while ensuring compliance can also be resource-intensive. The cost and effort of renegotiating contracts and conducting regular reviews may stretch their capacity.

However, this oversight is necessary to ensure that outsourced services don’t create weak links. By being proactive – engaging with providers early and ensuring expectations are clear – firms can avoid delays and build stronger partnerships that meet regulatory demands without unnecessary tension.

How significant could this regulation be in setting the EU apart from financial jurisdictions like the UK, the US, and others?

DORA sets the EU apart by offering a consistent, all-encompassing approach to digital resilience across the financial sector, something other regions tend to address in more piecemeal ways.

While the UK has its own resilience standards and the US favours sector-specific rules, DORA’s unified framework simplifies cross-border collaboration and could make EU-based firms more appealing partners globally.

The real impact will depend on how firms approach it. Those that use it as a chance to enhance their operations and build long-term strength could set a new standard for the industry.
