DORA compliance: a strategic imperative for banks and their critical ICT providers

Since the adoption of the Digital Operational Resilience Act (DORA), regulated financial entities across Europe have faced heightened expectations regarding operational resilience and cybersecurity. This regulation aims to ensure the continuity of essential financial services in the event of a cyberattack or major operational incident.
In this context, outsourced critical service providers play a central role in banks' compliance and risk management strategies. Banks must now ensure that their ICT service providers (such as those offering Verification of Payee services before each payment, like Qombo) actively contribute to the digital resilience of the entire payment chain.
Banks have several expectations of their critical service providers:
Rapid incident notification has become a non-negotiable requirement. Institutions expect to be informed without delay of any event that could affect the availability, integrity, or confidentiality of subscribed services. This transparency allows them to take the necessary actions to protect their operations and customers.
Service continuity is also a major concern. Providers must demonstrate that they have robust risk management processes and continuous monitoring capabilities to ensure uninterrupted service availability, even in the event of a crisis or technical incident. The ability to prevent disruptions, respond effectively, and recover quickly is at the heart of DORA's requirements.
Control over downstream subcontractors has become a critical issue. Banks require their providers to carefully select and continuously monitor their own suppliers and technology partners, ensuring that the entire subcontracting chain complies with the same high security and regulatory standards as the primary provider. The protection of sensitive data must be ensured at every level.
The ability of providers to guarantee complete reversibility is now essential. Banks expect to be able to recover critical data and continue their operations without disruption, including the ability to temporarily or permanently internalize certain functions if necessary.
Within this regulatory framework, all providers offering critical ICT services to financial institutions—especially in the payment domain—must comply with DORA’s reinforced requirements. This includes operators of Verification of Payee (VoP) services, considered essential for securing payments under the new Instant Payments Regulation (IPR).
As a VoP provider holding the Routing & Verification Mechanism (RVM) status certified by the European Payments Council (EPC), Qombo operates as a critical ICT provider. Qombo implements all necessary commitments in cybersecurity, operational resilience, incident management, and reversibility to support financial institutions in meeting their regulatory compliance obligations.