In January 2025, two important regulations will enter into force:

  1. The first set of obligations of the Instant Payment Regulation (EU 2024/886) will apply as of January 9, 2025.
  2. The Digital Operational Resilience Act (DORA), published in the Official Journal of the European Union, entered into force on January 16, 2023, and applies from January 17, 2025.

For a full analysis of the Instant Payment Regulation (IPR), please read this article published on treasuryXL in February 2024.

Instant Payment Regulation (Regulation (EU) 2024/886 (OJ EU 19/3/2024) on instant credit transfers in euro)

As of January 9, 2025, all banks in the EU euro countries must be able to receive instant payments for all euro payments in the EU (Art. 1(2) IPR). An instant payment is a credit transfer executed immediately within 10 seconds, at any moment (Article 1(1a) of the IPR) – in practice 365/7/24.

In addition, from January 9, 2025, charges applied by a PSP (Payment Service Provider) for instant credit transfers in euros cannot exceed those for non-urgent credit transfers of the corresponding type (Article 1(2) point 8 IPR).

Also, from January 9, 2025, PSPs offering instant credit transfers must follow a harmonized approach to EU sanctions. They will no longer be required to screen transactions against sanction lists during processing, which will reduce rejection rates. However, they must verify at least once a day whether any of their customers are designated persons or entities subject to EU sanctions related to money laundering and terrorist financing.

The next important milestone will be October 9, 2025, when PSPs must immediately provide identity verification services at no additional charge. This service checks the match between the account number (IBAN) and the payment beneficiary’s name. PSPs must alert the payer of any discrepancies that may suggest fraud or error before the transaction is authorized.
Below, you will find a timetable relating to the Instant Payment Regulation (source: Deutsche Bank).

It appears that there will be significant technical challenges for PSPs to overcome.

DORA (Digital Operational Resilience Act – Regulation No. 2022/2554 of December 14, 2022 on Digital Operational Resilience for the Financial Sector)

The Digital Operational Resilience Act (DORA) officially took full effect on January 17, 2025. This regulation marks a pivotal moment for financial institutions, emphasizing the importance of digital resilience in navigating an increasingly complex digital landscape.
DORA sets IT security standards, particularly in areas of risk management for information and communication technology (ICT), reporting of ICT incidents, and monitoring of risks by third-party ICT service providers. DORA applies not only to financial institutions but also to their ICT third-party providers.
At a minimum, a financial firm’s DORA action plan should include a detailed health check to assess the criticality of its systems and services, including a review of how closely aligned its existing ICT governance frameworks are with DORA’s requirements. An impact assessment must be created, including:

  • Identification of important business services that, if disrupted, could cause harm at a client or market level.
  • Setting impact tolerances for each important business service and taking actions to remain within them.
  • Identifying and mapping the people, processes, technology, facilities, and information (including those of suppliers) that support important business services.
  • Development of ICT third-party risk management. Financial institutions must review and update contracts with all critical third-party providers to ensure compliance with DORA’s provisions, including due diligence on suppliers, assessing concentration and operational risks, and ensuring that third parties meet strict security requirements.
  • Development of internal and external communication plans in the event of disruption, and incident management and recovery plans in case of major incidents.
  • Maintenance of an updated self-assessment document detailing how the firm has assessed its regulatory compliance requirements.

DORA has required thorough preparation, and several RTS (Regulatory Technical Standards) have been published in the meantime.

DORA should not be considered merely a compliance exercise. It goes much further, aiming to cultivate a resilient, adaptive operational mindset. The regulation demands more than documentation – it requires active engagement. Financial institutions must regularly test controls, assess their risk profiles, and ensure that they proactively manage ICT risks.

Firms that demonstrate strong resilience measures can gain a competitive edge. The benefits of a successful DORA implementation will be improved cybersecurity and risk management, increased operational resilience, streamlined third-party risk management, improved incident response and reporting, and a recovery plan in case of disruption.

In contrast, there are severe consequences for those who fail to adapt. Data breaches can lead to significant reputational damage, eroding client trust and destabilizing operations.

DORA, in conjunction with NIS2 (Network and Information Security Directive of December 27, 2022), will have an important impact on financial institutions and corporates. Both place a strong emphasis on cybersecurity risk management, also requiring SMEs to reinforce their defenses against cyber threats. Compliance with these standards not only safeguards the enterprise but also fosters trust among customers, partners, and investors.
