Chapter III — ICT-related incident management, classification and reporting
Section II — Reporting of major ICT-related incidents
Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Summary
Extends the Chapter III incident management, classification and reporting requirements to operational or security payment-related incidents, including major ones, where they concern credit institutions, payment institutions, account information service providers and electronic money institutions. Together with the accompanying amending directive (Directive (EU) 2022/2556), this aligns DORA reporting with the incident reporting previously required under PSD2, so that these entities do not report the same incident twice.
Key Requirements
1. Apply Chapter III incident management to operational or security payment-related incidents
2. Align DORA reporting with PSD2 incident reporting requirements
3. Avoid duplicative reporting obligations for payment service providers
4. Ensure consistent classification for payment-related incidents
Detailed Analysis
Article 23 addresses the intersection between DORA and the Payment Services Directive (PSD2), which already imposed major-incident reporting obligations on payment service providers. Without this alignment, credit institutions, payment institutions, account information service providers and electronic money institutions would face duplicative requirements, reporting essentially the same incident under two frameworks with different formats and timelines.
The article resolves this overlap by extending the whole of Chapter III to operational or security payment-related incidents for the entities listed in its title. The corresponding amending directive (Directive (EU) 2022/2556) adjusts PSD2 so that, for these entities, DORA reporting takes the place of PSD2 incident reporting, producing a single obligation rather than two parallel ones.
The scope covers "operational or security payment-related incidents", which DORA defines as unplanned events, whether ICT-related or not, that adversely affect the availability, authenticity, integrity or confidentiality of payment-related data or of the payment-related services the entity provides. A payment disruption caused by an ICT failure, a cyber attack or a purely operational error is therefore in scope. These incidents are classified and reported under the same Chapter III rules as ICT-related incidents (Articles 17 to 19 on incident management, classification and reporting), with the payment-specific impact taken into account when assessing whether an incident is major.
This alignment reflects DORA's broader ambition to consolidate and harmonize the patchwork of ICT-related regulatory requirements that had accumulated across different EU financial directives. By bringing payment incident reporting under the DORA umbrella, the regulation reduces complexity for entities while improving the quality and comparability of incident data available to supervisors.