The introduction of the Digital Operational Resilience Act (DORA) marks a significant shift in how financial institutions must manage technology and third-party risk. While organisations subject to PCI DSS have long been required to oversee service providers that impact cardholder data, DORA materially elevates both the depth and enforceability of those obligations.
For entities operating under both frameworks, the intersection is no longer theoretical. DORA is reshaping third-party governance in ways that directly influence how PCI DSS compliance must be approached, evidenced, and sustained.
Historically, PCI DSS has addressed third-party risk through structured oversight requirements, most notably Requirement 12.8. Organisations must maintain a comprehensive inventory of service providers with access to or influence over cardholder data, ensure written agreements clearly define security responsibilities, and monitor each provider’s compliance status. The principle underpinning these requirements is straightforward: outsourcing a function does not transfer accountability. The organisation remains responsible for protecting cardholder data, regardless of who processes or manages it.
DORA moves significantly beyond this model. It establishes a comprehensive ICT third-party risk management regime embedded within a broader operational resilience framework. Financial entities are required to implement formal governance structures covering the entire lifecycle of ICT providers, including cloud platforms, managed service providers, SaaS vendors, payment processors, and other outsourced technology partners. Pre-contract due diligence must assess not only security controls, but also concentration risk, geographic dependencies, substitutability, and the potential systemic impact of provider failure.
Continuous monitoring must extend throughout the contractual relationship, and organisations must maintain documented exit strategies to ensure service continuity under stressed conditions. Vendor management is therefore transformed from a procurement or compliance exercise into a central resilience function.
This expansion has direct implications for PCI DSS environments. Vendors that may not traditionally have been considered within strict PCI scope - such as infrastructure providers, monitoring platforms, or security tooling vendors - may still materially influence cardholder data systems. Under DORA, these dependencies must be formally identified, assessed, and governed. As a result, third-party oversight becomes broader, deeper, and more strategically integrated into enterprise risk management.
Contractual governance is another area where DORA materially raises expectations. Agreements with ICT providers must now explicitly define security requirements, incident reporting obligations, audit and access rights, data processing locations, termination conditions, and cooperation requirements with regulators.
Many contracts drafted to satisfy PCI DSS focused on shared responsibility matrices and proof of compliance, and may lack the precision and enforceability DORA demands. Under this new regime, resilience expectations must be legally embedded rather than implied.
For PCI DSS-regulated organisations, this reinforces the need to clearly articulate control ownership, obtain formal evidence of compliance such as Attestations of Compliance (AOCs) or independent assurance reports, secure explicit audit rights, and define breach notification timelines that align with regulatory reporting obligations.
Incident reporting presents another area of convergence and complexity. DORA establishes harmonised timelines for reporting significant ICT-related incidents to competent authorities, requiring structured initial notifications, interim updates, and final reports following root cause analysis. For organisations managing cardholder data, this necessitates tight coordination with third-party providers.
Vendors must be contractually obligated and operationally prepared to notify organisations promptly of incidents affecting PCI-scoped systems, provide timely access to forensic artefacts and logs, and align their response procedures with the organisation’s PCI incident response plan. Without this alignment, organisations may face conflicting pressures between regulatory reporting obligations and PCI forensic investigation requirements, increasing operational and legal risk during high-pressure incidents.
DORA also extends resilience validation beyond the organisational perimeter. Financial entities must conduct regular digital operational resilience testing, including scenario-based exercises and, where applicable, advanced threat-led penetration testing for critical functions. For PCI-scoped environments, this may require direct involvement of third-party providers in disaster recovery simulations, business continuity testing, and interconnected security assessments. Traditional PCI testing activities often focused on internal control effectiveness; DORA requires demonstration that critical services can withstand disruption across the entire ICT supply chain. Where third-party providers underpin payment processing or cardholder data infrastructure, their participation becomes essential to validate end-to-end resilience.
The introduction of the “critical” ICT third-party provider designation further increases supervisory intensity. Certain providers may become subject to direct EU-level oversight. Where such providers support payment systems or infrastructure connected to PCI environments, organisations may experience heightened scrutiny in demonstrating oversight, assurance mechanisms, and risk mitigation strategies. This underscores the importance of maintaining robust documentation, transparent governance structures, and defensible risk assessments across the third-party ecosystem.
Importantly, DORA does not replace PCI DSS. The two frameworks serve distinct but overlapping objectives. PCI DSS is fundamentally focused on safeguarding cardholder data security, whereas DORA is concerned with the broader operational resilience of financial services. However, where third parties intersect with cardholder data environments, organisations must satisfy both regimes simultaneously. Security and resilience can no longer be treated as separate disciplines.
For organisations subject to DORA, third-party management under PCI DSS can no longer function as a periodic validation exercise. It must evolve into a continuous, risk-based governance programme embedded within enterprise strategy. This means updating vendor risk frameworks to incorporate resilience considerations, strengthening contractual provisions, enhancing ongoing monitoring and assurance processes, integrating third-party incident handling into regulatory reporting structures, and preparing for more intensive supervisory engagement. DORA elevates third-party risk from a compliance obligation to a board-level strategic priority.
Organisations that move early to align PCI DSS governance with DORA’s resilience principles will do more than meet regulatory expectations. They will build stronger oversight structures, improve operational stability, and contribute to a more secure and trustworthy payment ecosystem.
If you would like to get in touch with us to discuss how we can support your cybersecurity needs - please reach out to us: hello@onecybervalley.com
By 1 Cyber Valley | March 27th, 2026 | Sara Higgins