DORA-Ready Infrastructure
payware's contractual framework implements Article 30 of the Digital Operational Resilience Act, enabling payment institution partners to meet their DORA obligations with confidence.
What is DORA
Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector
The Digital Operational Resilience Act (DORA) establishes a comprehensive framework for ICT risk management in the EU financial sector. In force since 16 January 2023 and applicable since 17 January 2025, it requires financial entities to ensure that their arrangements with ICT third-party service providers meet stringent operational resilience standards.
ICT Risk Management
Financial entities must implement and maintain comprehensive ICT risk management frameworks covering identification, protection, detection, response, and recovery.
Incident Reporting
Mandatory classification and reporting of major ICT-related incidents to competent authorities, with defined timelines and content requirements.
Digital Resilience Testing
Regular testing of ICT systems including vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT) for critical functions.
Third-Party Risk
Article 30 imposes specific contractual requirements on financial entities' arrangements with ICT service providers - including audit rights, incident support, and exit strategies.
payware's Role Under DORA
Supplementary ICT service provider with Article 30-aligned contracts
payware is not itself a financial entity and is not directly subject to DORA obligations. However, payware's transaction information exchange services constitute ICT services under Article 3(21) of DORA. Our contractual framework proactively addresses the Article 30 requirements that flow to us through our payment institution partnerships. payware operates a cloud-native, remote-first infrastructure hosted on third-party cloud platforms, which is why audit and inspection processes default to remote access via documentation, dashboards, and live demonstrations.
Supplementary, Non-Critical Role
payware's services are supplementary to a payment institution's core capabilities. Service discontinuation would not impair a PI's ability to execute payments, authenticate customers, settle funds, or maintain regulatory compliance. Whether any given service supports a critical or important function nevertheless remains each PI's own determination under its risk assessment.
Article 30-Aligned Contracts
Our Payment Institution Partnership Terms include a dedicated Section 8B implementing all key Article 30 requirements - from audit rights to exit strategies.
Proactive Compliance
Rather than waiting for PI partners to impose requirements, payware has built DORA compliance into its standard partnership framework, reducing negotiation overhead and ensuring consistency.
Key Contractual Provisions
Section 8B of the PI Partnership Terms addresses each Article 30 requirement
Audit & Inspection Rights
Documentation-first approach with annual assurance packages (ISO 27001 alignment, cloud provider certifications, pentest reports). Direct audits are available annually and are conducted remotely via dashboards, logs, and live demonstrations. Pooled audits are supported where multiple partners require them.
Incident Notification & Assistance
Proactive notification of ICT incidents affecting services, within defined SLA response times. Full cooperation and reasonable assistance at no additional cost for Priority 1/2 incidents and any incident requiring regulatory reporting.
Threat-Led Penetration Testing
Cooperation with PI-initiated TLPT when the PI classifies services as supporting critical or important functions under its own risk assessment. 30 business days' notice, agreed testing windows, and remediation plans within 30 business days for material findings. Alternative pooled testing arrangements available where multiple partners require TLPT.
Business Continuity & DR
Documented and annually tested BCDR plans. Shareable test summaries available on request. Priority 1 incidents trigger status updates every 4 hours until resolution.
Exit Strategy & Transition
Minimum 6-month transition period at existing commercial terms. Data export in structured, machine-readable format within 30 business days. Technical exit information (data formats, API specs, architecture) available on request.
Subcontracting Transparency
Notification, objection, and termination mechanism for subcontractor changes affecting services. Objection grounds extend beyond data protection to cover information security and regulatory compliance concerns.
Register of Information
Maintained information package including service descriptions, data processing locations, subcontractor identities, and SLA commitments - supporting PI partners' regulatory register obligations.
Audit & Transparency
Built for verification, designed for trust
Assurance Documentation
Available annually to PI partners as an alternative to direct audits:
- ISO/IEC 27001 aligned information security management
- Cloud provider certifications (ISO 27001, BSI C5 Type 2)
- Annual third-party penetration test reports
- Infrastructure security summaries
Register of Information
Maintained data supporting PI partners' Article 28(3) obligations:
- Service descriptions and component inventory
- Primary data processing and storage locations (EEA; CDN/DR infrastructure may be outside the EEA under GDPR Chapter V transfer safeguards)
- Subcontractor identities and roles
- Service level commitments and metrics
Operational Resilience
Tested, documented, and ready for scrutiny
Business Continuity
Documented BCDR plans tested annually with defined RTO/RPO targets. Test summaries available to PI partners on request.
Incident Response
Defined incident classification, response procedures, and PI notification mechanisms. No-cost assistance for critical incidents.
Data Resilience
Automated daily backups with hourly incrementals, offsite storage, monthly restoration tests, and 30-day retention.
Exit Readiness
Structured data export capability, documented transition procedures, and minimum 6-month service continuity upon termination.
Ready to Partner?
Our DORA-ready contractual framework is built into every payment institution partnership. Talk to us about integrating with confidence.