Operational Resilience in Payment Transactions: Established Requirements, New Urgency
RegCORE Client Alert | EU Digital Single Market
Outlook
Recent disruptions in payment transactions have made it clear how vulnerable the payment system remains despite state-of-the-art infrastructure. If systems such as those used to detect fraudulent transactions fail, the only option is often to temporarily halt all payments to prevent potential damage. This has immediate consequences for all parties involved: merchants face liquidity shortages and additional administrative burdens, while end customers are left uncertain about possible unauthorised debits.
The European legislator has already recognized this risk and responded with numerous regulations aimed at strengthening the operational resilience of these systems:
- MaRisk / MaRisk ZAG have formed the national framework for banks and payment institutions in Germany and are increasingly addressing ICT risks.
- DORA (Digital Operational Resilience Act), applicable from January 2025, establishes for the first time a uniform, directly applicable legal framework for digital resilience in the financial sector across Europe, with a focus on risk management, reporting obligations, and resilience testing.
- PSR (Payment Services Regulation) introduces a significant tightening for payment service providers, particularly through the shift in liability in cases of impersonation fraud. The new liability rules described below reflect the current state of the legislative discussion.
Key Takeaways
ICT security and resilience are no longer side issues – they are increasingly becoming strategic success factors for the future viability of the entire payments ecosystem. Institutions should take this opportunity to critically review their existing structures, identify vulnerabilities, and make targeted investments in prevention and response mechanisms.
Regulatory Framework: MaRisk (ZAG), DORA, PSR
Before DORA set new standards at the European level, Germany already had established regulatory frameworks to strengthen operational resilience. The MaRisk (Minimum Requirements for Risk Management, Sec. 25a KWG) have for years provided the central framework for banks. They regulate not only risk management in traditional areas but increasingly address ICT risks, outsourcing, and contingency management. With the 6th amendment in 2021 at the latest, IT security and cyber risks moved into the supervisory spotlight.
In addition, the MaRisk ZAG apply to payment and e-money institutions. While aligned with the general structure of MaRisk, they set specific priorities: secure IT systems, effective outsourcing management, and robust contingency planning are central requirements here, reflecting the special importance of payment systems for financial stability.
Whereas MaRisk and MaRisk ZAG have shaped the national framework to date, the Digital Operational Resilience Regulation (DORA) has, since January 17, 2025, established for the first time a uniform and directly applicable framework for the financial sector across Europe. This tightens and harmonizes requirements for operational resilience: in addition to prevention, regulatory expectations now focus on the ability to respond quickly, resume operations in an orderly manner, and ensure clear and transparent crisis communication. Organisations that fail to prepare risk not only supervisory sanctions but also long-term losses of trust among customers and business partners.
These developments make it clear that regulatory instruments such as DORA and the PSR will play a key role in strengthening operational resilience in the future.
Legal Framework for ICT Resilience in the Financial Sector: DORA
Since January 17, 2025, the Digital Operational Resilience Act (DORA) has established a uniform legal framework for ICT resilience in the European financial sector. It requires payment service providers, banks, and insurers to implement comprehensive risk management, comply with strict reporting obligations, and conduct regular resilience testing. For further details, please refer to our Client Alerts on DORA.
Resilience Requirements Beyond DORA and PSR: NIS2 and CER Directive
In addition to sector-specific regulations such as DORA and PSR, the NIS2 Directive and the CER Directive introduce cross-sector EU requirements aimed at strengthening both digital and physical resilience against systemic risks and threats.
The CER Directive (Critical Entities Resilience Directive) obliges EU Member States to identify operators of essential entities and to take measures to protect them against physical threats such as natural disasters, sabotage, or hybrid threats.
In parallel, the NIS2 Directive establishes harmonized cybersecurity requirements. It obliges affected entities to implement structured risk management, introduce technical and organisational security measures, and comply with mandatory incident reporting obligations.
Payment service providers, banks, and other financial institutions are generally classified as important or essential entities under NIS2, depending on their size, interconnectedness, and relevance to the financial system. As a result, they face specific obligations in the areas of risk management, reporting, and outsourcing.
Increased Pressure from the New Liability Rules under the PSR
In light of the growing number of social engineering attacks – such as phishing, vishing, or bank impersonation (e.g., fraudulent calls from supposed bank employees) – the PSR-E introduces a liability shift in favour of consumers:
Payment service providers (PSPs) must provide full reimbursement in cases of impersonation fraud, provided the incident is reported without delay – even if the transaction appeared to have been authorised by the customer.
This rule significantly increases the pressure on PSPs: high levels of accountability are coupled with rising expectations for prevention, process quality, and operational resilience. Social engineering fraud can only be effectively addressed through an integrated fraud management approach that combines technical, organisational, and communication layers.
For market participants, this means resilience is not only a regulatory requirement but also a competitive factor. Those who act early reduce risks while also seizing the opportunities arising from new European developments.
Key Consideration
Many institutions are aware of the need to strengthen their operational resilience and have already taken initial steps. However, the dynamic nature of regulatory requirements – from DORA to PSR to NIS2 – makes it clear: resilience is not a one-off project but requires continuous monitoring, adaptation, and investment. External support can make a decisive difference here, helping to avoid compliance risks while at the same time sustainably strengthening the market position.
Against this backdrop, the following key factors emerge for payment service providers, banks, and other financial actors:
- Regulatory Consequences: Since January 2025, DORA has established a uniform European framework for digital resilience in the financial sector. In addition, PSR, NIS2, and CER further tighten the requirements. Insufficient implementation may result in substantial fines, special audits, or restrictions on business activities imposed by supervisory authorities.
- Reputational Risks: Payment transactions are highly trust-sensitive. Even a single outage can severely undermine the confidence of merchants and customers, potentially driving them toward competitors.
- Operational Requirements: Resilience demands robust technical infrastructures such as multi-region deployments, automated failover mechanisms, and real-time monitoring. In addition, regular resilience testing (e.g., red-team exercises, table-top scenarios) and clearly defined crisis communication plans are essential.
- Governance & Culture: Resilience is shaped not only by technology but also by organisational factors. Key elements include effective vendor management with clear responsibilities, a strong risk culture, and ongoing awareness training for all employees.
- Ongoing Regulatory Monitoring: Given the volume and dynamic nature of new requirements, it is essential to continuously track legal and supervisory developments and promptly adapt internal processes accordingly.
- Policy Management: Internal policies, manuals, and procedures should be reviewed and updated regularly to ensure continuous alignment with current regulatory standards and to avoid compliance risks.
Operational resilience has long since become more than a compliance obligation – it is evolving into a strategic success factor in payment transactions. Institutions that invest early in architecture, processes, and culture not only ensure regulatory compliance but also build lasting trust in the market. External expertise can help reduce complexity, set priorities, and further develop resilience strategies in a targeted manner.
Please also refer to our latest Client Alerts, where we provide a deeper analysis of current regulatory developments.
Outlook
With DORA, a uniform European legal framework has been established that obliges institutions to systematically integrate digital and operational resilience.
While smaller payment service providers and banks need to make only selective adjustments under the principle of proportionality, larger and systemically important institutions are subject to significantly stricter requirements, particularly regarding resilience testing, the management of ICT service providers, and crisis communication.
At the same time, PSR, NIS2, and CER further tighten regulatory requirements and broaden the scope beyond the financial sector. This will decisively shape supervisory practice in the coming years.
Financial institutions should therefore continuously assess whether their resilience strategy meets regulatory standards and ensure that governance, processes, and documentation withstand supervisory scrutiny. Clear assignment of responsibilities, regular review of the adequacy of structures, and ongoing adaptation of internal policies remain key success factors for avoiding compliance risks and safeguarding long-term trust in the market.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award” and the “2025 Regulatory, Governance and Compliance Technology Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.