Material legal framework that payment service providers in the area of IT regulatory law need to know

New regulations, new obligations – with NIS2 and DORA, the requirements for payment service providers under IT supervision law have increased. To help you maintain an overview and stay up to date, we have updated our blog post to reflect all recent developments and summarised the key provisions for you in a visual chart.

Digital Resilience: New EU Rules for Critical Infrastructure

Over the past three years, the European Union has adopted several legal acts aimed at strengthening the protection of critical infrastructure.

The Directive on the resilience of critical entities (CER Directive) obliges EU Member States to identify organisations and entities that are essential to the functioning of society and to take measures to protect them from threats. In the field of digital resilience, the Directive on measures for a high common level of cybersecurity across the Union (NIS2) defines baseline requirements for risk management and reporting obligations.

Germany will implement the directives through the NIS2 Implementation Act (NIS2UmsuCG) and the forthcoming KRITIS umbrella law. Amendments to the BSIG and the repeal of the BSI-KritisV have already been announced.

DORA: ICT Risk Management Requirements in the Financial Sector

The legal foundation for strengthening digital operational resilience in the European financial sector is DORA – the Digital Operational Resilience Act of the European Union. DORA is intended to protect the financial sector against cyber threats and ICT-related risks.

Under DORA, payment service providers are required, among other things, to report ICT-related incidents to authorities, maintain a detailed register of all contracts with ICT third-party service providers, and implement a risk-based, proportionate testing programme. This includes gap analyses, scenario-based tests, or penetration tests.

The DORA Regulation (EU) 2022/2554 has been directly applicable in Germany since 17 January 2025.

Implementing Standards, Guidelines and Guidance Notes

Financial service providers must consider more than the European base legislation and national law: the European Commission has adopted numerous delegated legal acts in the form of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which define binding requirements for digital resilience.

In addition, payment service providers should be aware of the guidelines, communications and guidance notes from the European supervisory authorities and BaFin, which offer practical support in interpreting and applying the law.

Stay on Top – with Our Visual Overview

To help you maintain an overview, we have compiled the most important legal sources and interpretation aids in an interactive chart available for download. It provides a clear overview of all relevant regulations in IT supervision law – with direct links to the original texts. This way, you always have the key requirements at hand.

For a full picture, we have also created visual guides to the legal sources that payment service providers should keep in mind in the areas of anti-money laundering law and payment services supervision.

This article was last updated on 15 July 2025.
