Currence iDEAL occupies a structurally unusual position in the European regulatory landscape: it operates the dominant Dutch retail payment scheme, yet it holds no payment service licence and is anticipated to be classified as a critical third-party provider (CTPP) under the Digital Operational Resilience Act (DORA), a designation that, as of the time of writing, has been assumed for analytical purposes but not formally confirmed by the European Supervisory Authorities. This paper analyses whether, and to what extent, the Network and Information Security Directive 2 (NIS2) applies to Currence iDEAL given that anticipated classification.
The central argument is that Dutch competent authorities are likely to designate Currence iDEAL as an essential entity under NIS2 Article 3 on functional and systemic grounds (irrespective of its unlicensed status), because iDEAL's failure would produce economy-wide payment disruption. The more defensible NIS2 classification routes Currence iDEAL through Annex II as a financial market infrastructure or digital provider, rather than Annex I digital infrastructure, with corresponding consequences for the essential/important entity threshold and supervisory regime. However, DORA's lex specialis relationship with NIS2 narrows the residual NIS2 obligations that Currence iDEAL must discharge directly. The obligations that survive that narrowing, principally national incident notification to the Rijksinspectie Digitale Infrastructuur (RDI) and certain supply-chain security duties, cannot be executed by a scheme-layer operator acting alone. iDEAL holds no customer relationships and processes no funds; its operational dependency runs entirely through participant banks and merchant acquirers. Consequently, NIS2 obligations must be contractually re-allocated across that participant chain before they are practically executable at the scheme layer.
The paper draws on the documented harmonisation deficit between PSD2 and adjacent cybersecurity frameworks [2] and on multi-framework governance alignment literature [1] to construct a compliance pathway that is defensible under both DORA and NIS2 without waiting for formal regulatory clarification that may not arrive promptly.
1. Introduction
The European Union's regulatory architecture for financial services and cybersecurity has grown through successive, partially overlapping legislative instruments. The Payment Services Directive 2 (PSD2), the Digital Operational Resilience Act (DORA), and the Network and Information Security Directive 2 (NIS2) each address resilience and security, but they were designed with different primary subjects in mind. PSD2 and DORA were built around licensed payment service providers (PSPs) and financial market infrastructures. NIS2 was built around operators of essential services and important entities across a broad range of critical sectors. The intersections between these instruments were not exhaustively mapped at the legislative drafting stage, and the resulting gaps create genuine compliance uncertainty for entities that sit at the intersection of payment infrastructure and critical network services without holding a payment licence.
Currence iDEAL is precisely such an entity. It operates the payment scheme that processes the large majority of Dutch online retail payments. Its technical infrastructure connects consumer banks, merchant acquirers, and ultimately tens of millions of individual transactions. Yet Currence iDEAL is not a PSP. It does not hold payment funds, does not maintain customer accounts, and does not require a licence under PSD2 or any successor regulation. Under DORA, the European Supervisory Authorities (ESAs) have the power to designate entities as critical third-party providers (CTPPs), a designation that attaches a specific and substantial supervisory regime. Currence iDEAL's role in Dutch payment infrastructure makes it a candidate for, and functionally consistent with, that CTPP designation.
This paper addresses the following regulatory determination: given anticipated DORA CTPP status and the absence of a payment licence, whether NIS2 applies independently to Currence iDEAL, and to what extent its obligations survive the interaction between the two frameworks. Both questions require careful analysis.
This is not a theoretical exercise. The Dutch transposition of NIS2 (the Cyberbeveiligingswet) entered into force and assigned supervisory responsibilities to RDI as the competent authority for entities outside the financial sector and to De Nederlandsche Bank (DNB) for those within it. Whether Currence iDEAL falls under RDI or DNB supervision, or some form of coordinated oversight, depends on resolving its sector classification. That classification determination has direct consequences: different incident reporting timelines, different supervisory contacts, and different supply-chain security obligations attach depending on which regime applies, and on whether the regimes apply in parallel or in a lex specialis relationship. Resolving supervisory jurisdiction is therefore one of the central analytical objects of this paper and cannot be treated as peripheral to the analysis.
The contribution of this paper is threefold. First, it constructs the regulatory classification argument for Currence iDEAL under NIS2 Article 3, applying the functional and systemic criticality test that NIS2 permits member states to use, and examines the competing Annex I and Annex II classification routes and their respective consequences. Second, it maps the interaction between DORA's CTPP regime and NIS2's essential entity obligations, identifying which NIS2 duties survive lex specialis reduction and which are displaced. Third, it identifies the specific operationalisation problem that classification alone does not resolve: because iDEAL's operational dependencies run through participant banks and merchant acquirers rather than direct customer relationships, the residual NIS2 obligations that survive lex specialis reduction require contractual re-allocation down the participant chain before they can be executed at the scheme layer.
The paper proceeds as follows. Section 2 establishes why this analysis is urgent and who bears the commercial and legal risk of deferred resolution. Section 3 positions this analysis against prior work on regulatory harmonisation gaps and governance framework alignment. Section 4 describes the analytical methodology. Section 5 sets out the concrete findings on NIS2 applicability and obligation scope. Section 6 examines the mechanisms behind the findings and addresses the operationalisation problem. Section 7 synthesises the conclusions and identifies the posture Currence iDEAL and its participant banks should adopt.
2. Motivation
The urgency of this analysis derives from three converging pressures: regulatory timelines, systemic risk concentration, and the governance vacuum that persists when two major EU frameworks overlap without a formal deconfliction mechanism.
Regulatory timelines. NIS2 became applicable in October 2024. The Dutch Cyberbeveiligingswet brought the directive into national law. Supervisory authorities (RDI for digital infrastructure and DNB for financial sector entities) are conducting entity identification exercises that will result in formal essential or important entity designations. An entity that has not positioned itself within the NIS2 framework before receiving a designation notice faces compressed implementation timelines for risk management measures, incident reporting procedures, and governance accountability structures. DORA's CTPP regime became fully applicable in January 2025. The window for orderly, planned compliance preparation is not indefinite.
Systemic risk concentration. iDEAL processes the dominant share of Dutch online retail payments. A prolonged outage or a security incident affecting the scheme's core infrastructure would not merely inconvenience individual consumers; it would interrupt payroll processing, government benefit transfers, e-commerce settlements, and business-to-business invoice payments across the Dutch economy. This concentration of systemic risk is precisely the functional criterion that NIS2 Article 3 empowers member states to use when designating entities as essential, independent of whether those entities hold a licence. The systemic importance of iDEAL is observable from public data on Dutch payment volumes and requires no licence threshold to establish.
The governance vacuum. The lack of harmonisation between PSD2's technical security requirements and the adjacent frameworks of NIS2, DORA, and GDPR is an evidenced structural problem in the EU regulatory architecture [2]. For licensed PSPs, this harmonisation deficit is inconvenient but manageable: DNB supervision under PSD2 provides a regulatory home, and NIS2's financial sector annex provides a reference point. For Currence iDEAL, the deficit is more acute. The entity does not have a natural supervisory home in the financial sector because it holds no licence. The digital infrastructure sector, where RDI has jurisdiction, was not designed with payment scheme operators in mind. NIS2 guidance material, including ENISA sector-specific guidance, is written primarily for licensed operators. Currence iDEAL falls between these reference points.
Risk allocation. Three groups face material exposure from the current ambiguity. Currence iDEAL itself faces the risk of receiving a designation and supervisory expectation without having implemented the requisite governance structures, triggering supervisory enforcement in a domain where the entity had no prior regulatory relationship. Participant banks, the licensed PSPs that connect to iDEAL's scheme infrastructure, face the risk that iDEAL's NIS2 obligations will be interpreted as flowing through to them via the supply-chain security provisions of NIS2 Article 21, without those obligations being clearly allocated in existing scheme participation contracts. Dutch consumers and merchants face the systemic risk that governance ambiguity delays the implementation of resilience measures that the EU legislature judged necessary for exactly this class of critical infrastructure.
The analysis that follows is addressed primarily to compliance, legal, and regulatory affairs professionals at Currence iDEAL, at participant banks, and at the relevant Dutch supervisory authorities. It proceeds from the position that regulatory clarity will not emerge quickly enough to substitute for a reasoned internal compliance determination.
3. Related Work
The analysis in this paper sits at the intersection of three bodies of literature and regulatory commentary: the harmonisation of PSD2 with adjacent cybersecurity frameworks, the lex specialis relationship between DORA and NIS2, and the multi-framework governance alignment approaches used to operationalise overlapping regulatory mandates.
PSD2 and cybersecurity framework harmonisation. Gounari et al. [2] provide the most directly relevant academic treatment of the harmonisation problem. Their analysis of PSD2's interrelation with NIS2, GDPR, the Cybersecurity Act, ISO 27001, and PCI DSS demonstrates that even the licensed-PSP population faces significant interpretive uncertainty when mapping PSD2 technical security requirements onto these adjacent frameworks. The study identifies specific gaps in requirement alignment and documents the practical consequences for institutions attempting to build a unified compliance posture. The implication for Currence iDEAL is direct: if licensed PSPs experience this interpretive uncertainty, an unlicensed scheme operator faces a wider gap because the guidance material is written for the licensed population. Gounari et al. do not address the position of scheme operators or technical infrastructure providers specifically; that gap motivates the present analysis.
DORA and NIS2 lex specialis relationship. The EU legislature addressed the potential overlap between DORA and NIS2 in DORA's recitals and in NIS2 Article 4, which establishes that sector-specific Union legal acts that impose requirements equivalent to NIS2 obligations operate as lex specialis, displacing the corresponding NIS2 requirements. DORA Recital 16 confirms that DORA should be considered a lex specialis with respect to NIS2 for financial entities within DORA's scope. However, the CTPP regime under DORA (which governs third-party ICT providers to financial entities rather than financial entities themselves) does not straightforwardly displace NIS2 in the same way. CTPPs are not financial entities under DORA; they are the objects of oversight rather than the primary regulated subjects. This structural difference is critical and has not been resolved in published ESA guidance as of the time of writing. The academic and practitioner literature on DORA is concentrated on financial entities' obligations; CTPP-specific analysis, particularly for non-financial-sector CTPPs, remains sparse.
NIS2 essential entity designation criteria. NIS2 Article 3 establishes size-based thresholds (medium and large enterprises in relevant sectors) as the default designation trigger, supplemented by member state discretion to designate smaller entities where systemic criticality justifies it. The concept of systemic criticality as a designation trigger independent of size or licensing status has precedent in critical infrastructure regulation more broadly. ENISA's work on critical infrastructure sectors documents the use of functional impact assessments rather than licensing or size criteria in several member state designation exercises under NIS1. No published ENISA guidance specifically addresses the designation of payment scheme operators that are not themselves licensed PSPs; this paper constructs the argument from first principles applied to the NIS2 text and Currence iDEAL's documented market position.
Multi-framework governance alignment. Essien et al. [1] address the strategic value of aligning ISO 27001, NIST CSF, and COBIT 2019 as a mechanism for satisfying multiple regulatory mandates simultaneously while reducing control redundancy. Their framework demonstrates that the overlapping control domains of these standards provide a substrate onto which regulatory requirements from different instruments can be mapped, enabling an organisation to demonstrate compliance with NIS2 risk management measures, DORA ICT risk management requirements, and ISO 27001 certification requirements through a single integrated control set. This approach is structurally relevant to Currence iDEAL's position: absent definitive regulatory guidance on the precise scope of NIS2 obligations, an ISO/NIST/COBIT-aligned programme provides a defensible, regulator-recognisable demonstration of cybersecurity maturity. Essien et al. [1] frame this primarily as a cost and efficiency benefit; in Currence iDEAL's context, the more pressing value is that it provides a compliance posture that can withstand supervisory scrutiny from both RDI (applying NIS2 standards) and DNB (applying DORA standards) without the entity having to wait for formal deconfliction guidance.
Analogous non-licensed critical infrastructure. The broader critical infrastructure literature offers partial precedents. SWIFT, as a messaging infrastructure provider to financial entities, operates without a payment licence and has been subject to regulatory expectations from financial sector authorities on the basis of systemic importance. The basis for that oversight is, however, a negotiated cooperative arrangement (the SWIFT Oversight Framework, coordinated by the National Bank of Belgium under a memorandum of understanding among participating central banks) rather than a unilateral systemic-criticality designation by a single authority. Currence iDEAL's NIS2 position is structurally similar in that systemic importance is the operative trigger, but differs in that no equivalent negotiated framework has been established: the designation, if it occurs, will proceed under the unilateral member state discretion of NIS2 Article 3(3) rather than through a multilateral oversight agreement. Card scheme operators (Visa, Mastercard) have similarly been subject to oversight frameworks that originate in their systemic importance rather than in their direct holding of licences, and their experience reinforces the principle that licensing status is not a precondition for regulatory attention at the infrastructure layer.
4. Methodology
This paper applies a regulatory text analysis methodology, structured in four sequential steps: scope determination, lex specialis interaction mapping, obligation disaggregation, and operationalisation gap analysis. Each step is described below, along with the data sources used and the assumptions that bound the analysis.
Step 1: Scope determination under NIS2 Article 3. The first step examined the text of NIS2 Articles 2 and 3 and Annex I and II to determine which sector classification Currence iDEAL falls within. NIS2 Annex I lists digital infrastructure as a sector of high criticality, covering providers of public electronic communications networks and services, internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, and electronic communications service providers. NIS2 Annex II lists financial market infrastructures and digital providers as important sectors. The analysis examined both annexes as competing classification routes and applied the entity type definitions in Article 6 and the member state discretion provisions of Article 3(3) to construct the classification argument under each route. The Dutch Cyberbeveiligingswet was reviewed to the extent that its published text clarifies how the Netherlands has exercised member state discretion. Where the national transposition text was silent, the analysis relied on the NIS2 Directive text directly as the applicable standard.
Step 2: Lex specialis interaction mapping. The second step examined DORA Articles 1 through 4, DORA Chapter V (on ICT third-party risk management and the CTPP oversight regime), and DORA Recitals 12, 16, and 114, alongside NIS2 Article 4 (lex specialis clause). The analysis distinguished between two separate DORA-NIS2 interactions: (a) the interaction for financial entities directly subject to DORA, where lex specialis displacement is explicit in the legislative text; and (b) the interaction for CTPPs designated under DORA Chapter V, where the displacement argument is less textually clear because CTPPs are not themselves financial entities. The CTPP oversight regime in DORA Articles 31 through 44 was examined for the obligations it imposes and whether those obligations are substantively equivalent to the NIS2 measures that would otherwise apply, applying the equivalence test in NIS2 Article 4(1). This step expressly noted that certain DORA obligations that apply to financial entities (such as DORA Article 11 on business continuity) do not apply directly to CTPPs, and adjusted the equivalence analysis accordingly.
Step 3: Obligation disaggregation. The third step identified the specific NIS2 obligations in Articles 17 through 25 that would apply to an essential entity in the relevant sector, and assessed each obligation against three criteria: (i) whether DORA's CTPP regime imposes a substantively equivalent requirement; (ii) whether the obligation is technically executable by a scheme-layer operator that holds no customer relationships; and (iii) whether the obligation requires information or cooperation from participant banks or merchant acquirers to execute. This produced a three-category taxonomy: obligations fully displaced by DORA lex specialis, obligations retained but modified for the scheme-layer context, and obligations that require contractual re-allocation to participant banks and acquirers.
Step 4: Operationalisation gap analysis. The fourth step examined the standard Currence iDEAL scheme participation documentation (specifically the publicly available scheme framework documents) to assess whether existing contractual mechanisms between iDEAL and participant banks already carry NIS2-equivalent obligation flows. This step also drew on the multi-framework alignment literature [1] and the harmonisation gap analysis in [2] to assess whether an ISO 27001 / NIST CSF / COBIT 2019 aligned programme would satisfy the substantive requirements of the retained NIS2 obligations.
Assumptions. The analysis assumes that Currence iDEAL has been, or will be, designated as a CTPP under DORA Chapter V. This is an analytical assumption, not a confirmed regulatory fact: no formal ESA designation has been published as of the time of writing. The analysis assumes that the Dutch Cyberbeveiligingswet does not contain explicit provisions excluding payment scheme operators from NIS2 scope, as no such provision has been publicly identified. It does not assume any formal position from RDI or DNB on Currence iDEAL's NIS2 status, because no such position has been published. Where the regulatory text is genuinely ambiguous, the analysis presents the competing interpretations and identifies which interpretation is better supported by the legislative purpose.
5. Results
The analysis produced four concrete findings, summarised in Table 1 and elaborated below.
Table 1: NIS2 Obligation Status for Currence iDEAL under Anticipated DORA CTPP Designation
| Obligation Category | NIS2 Articles | DORA CTPP Equivalent | Status for iDEAL |
|---|---|---|---|
| ICT risk management framework | Art. 21(1) | Partial (DORA Art. 31, 33) | Retained; DORA-aligned programme satisfies |
| Incident reporting to competent authority | Art. 23 | Partial (DORA Art. 32(3) cooperation duty, not equivalent) | Retained; RDI notification required |
| Supply-chain security | Art. 21(2)(d) | Partial (DORA Art. 28 to 30) | Retained; requires contractual re-allocation |
| Governance accountability | Art. 20 | Partial (DORA Art. 5, 13) | Retained; board-level accountability applies |
| Business continuity | Art. 21(2)(c) | No direct CTPP equivalent (DORA Art. 11 applies to financial entities, not CTPPs) | Retained; contested, see Finding 2 |
| Vulnerability disclosure | Art. 12 | No CTPP equivalent | Retained |
| Registration as essential/important entity | Art. 3, 27 | Not applicable | Required; initiating action recommended |
Finding 1: Currence iDEAL falls within NIS2 scope, most defensibly as a financial market infrastructure or digital provider under Annex II, with a possible but less supportable alternative route through Annex I.
NIS2 Annex I, Section 7 designates digital infrastructure as a sector of high criticality. However, the entity types enumerated in that annex (providers of public electronic communications networks and services, internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, and electronic communications service providers) do not enumerate payment scheme operators. Classifying Currence iDEAL under Annex I as a digital infrastructure operator is difficult to sustain on the face of the text, because iDEAL does not provide any of those enumerated service types. Forcing that classification would require a purposive stretch that a supervisory authority reviewing the designation could reasonably decline.
The more defensible classification route is NIS2 Annex II, which covers financial market infrastructures and digital providers as important sectors. Currence iDEAL's role as the operator of a payment scheme that is essential to Dutch retail commerce places it within the functional scope of financial market infrastructure at the national level, even in the absence of a licence. This classification has material consequences: entities within Annex II sectors are designated as important entities rather than essential entities under the default thresholds of NIS2 Article 3(1) and (2), and the supervisory regime differs accordingly, with less intensive ex ante supervision and a higher threshold for certain obligations.
However, NIS2 Article 3(3) allows member states to designate entities as essential, regardless of Annex classification, where those entities are the sole provider of a service essential to the maintenance of critical societal or economic activities. iDEAL's position as the dominant domestic online payment method, with no equivalent substitute, satisfies this criterion. If RDI exercises that discretion, Currence iDEAL would receive an essential entity designation notwithstanding its Annex II classification and its unlicensed status. The supervisory authority for this designation under the structure of the Dutch Cyberbeveiligingswet is, in the first instance, RDI rather than DNB, because Currence iDEAL does not hold a financial sector licence. The jurisdictional question between RDI and DNB is examined further in Section 6.5.
What is not in doubt is that the absence of a payment licence is not a NIS2 scoping exclusion. NIS2 Article 2 references sector and functional criteria, not licensing status. The licence question is relevant to supervisory jurisdiction but not to the threshold question of whether NIS2 applies at all.
Finding 2: DORA's lex specialis effect is partial, not total, for a CTPP; and the business continuity displacement previously assumed is not supportable on the cited textual basis.
NIS2 Article 4(1) establishes that where a sector-specific Union legal act imposes requirements at least equivalent to NIS2, those requirements apply instead of the corresponding NIS2 obligations. DORA Recital 16 explicitly invokes this clause for financial entities subject to DORA. However, Currence iDEAL is a CTPP under DORA, not a financial entity. The CTPP oversight regime in DORA Chapter V imposes obligations on the CTPP (audit rights, information provision, and remediation), but these are framed as obligations owed to the Lead Overseer and to financial entity clients, not as self-standing cybersecurity risk management obligations structurally equivalent to NIS2 Articles 20 to 23.
A specific correction from earlier analysis concerns business continuity. DORA Article 11, the business continuity provision on which a displacement argument might be constructed, applies to financial entities, not to CTPPs. DORA Chapter V (Articles 31 to 44) does not contain a CTPP-specific business continuity requirement equivalent in substance to NIS2 Article 21(2)(c). The business continuity obligation under NIS2 Article 21(2)(c) therefore cannot be displaced by reference to DORA Article 11 for a CTPP. The status of that obligation is reclassified as retained in Table 1, with the qualification that the precise scope of what NIS2 Article 21(2)(c) requires of a scheme-layer operator, as distinct from a licensed operator with direct customer relationships, remains a genuinely open question that sectoral guidance from RDI would clarify.
Consequently, the lex specialis displacement of NIS2 by DORA is partial, and the residual NIS2 obligations that survive are broader than a displacement argument anchored on financial-entity DORA provisions would suggest. The obligations for which no DORA CTPP equivalent exists, namely national incident notification to RDI under NIS2 Article 23, vulnerability disclosure under NIS2 Article 12, and business continuity under NIS2 Article 21(2)(c), remain as independent NIS2 duties.
Finding 3: National incident notification to RDI is the most operationally significant retained NIS2 obligation, and DORA Article 32(3) does not substitute for it.
NIS2 Article 23 requires essential entities to notify their national competent authority of significant incidents within 24 hours of detection (early warning) and within 72 hours with an initial assessment. DORA Article 32(3) requires CTPPs to cooperate with financial supervisors and the Lead Overseer on incident-related information. That cooperation duty is a partial obligation rather than no obligation at all; it establishes that Currence iDEAL is not entirely outside the DORA incident-information framework. However, DORA Article 32(3) cooperation is directed at the Lead Overseer and at financial entities, not at national cybersecurity authorities such as RDI. It does not establish the 24/72-hour notification timeline that NIS2 Article 23 requires. It does not route to the national incident-response ecosystem that RDI coordinates. The two obligations serve distinct regulatory purposes: financial stability intelligence versus national cybersecurity situational awareness. One does not satisfy the other.
Accordingly, Currence iDEAL must establish a direct reporting relationship with RDI as its NIS2 competent authority, maintain detection and classification capabilities sufficient to identify NIS2-reportable incidents, and meet the 24/72-hour timelines. This is operationally distinct from DORA incident cooperation and cannot be delegated to participant banks without explicit contractual and procedural arrangements.
Finding 4: Supply-chain security obligations require contractual re-allocation across the full participant chain, including both participant banks and merchant acquirers.
NIS2 Article 21(2)(d) requires essential entities to implement security measures addressing the security of supply chains, including the security-related aspects of relationships with direct suppliers and service providers. Before addressing the substance of that obligation, a structural point requires clarification: the introduction to this paper identified merchant acquirers as a distinct category of iDEAL participants alongside consumer banks. In iDEAL's operational architecture, merchant acquirers are licensed PSPs that connect merchants to the scheme and process the acquiring side of transactions; they connect to iDEAL's central infrastructure through the same technical interfaces as issuing banks and are bound by the same scheme participation framework. For the purposes of NIS2 supply-chain security analysis, acquirers are treated as a category of participant that sits within the same contractual and technical perimeter as issuing participant banks. The supply-chain obligations described below apply equally to both.
Currence iDEAL's supply chain, from the NIS2 perspective, runs in two directions: upstream to its own ICT service providers, and downstream to participant banks and acquirers as the entities through which the scheme's services reach end users. The upstream supply chain is within iDEAL's direct contractual control and does not present a structural barrier to NIS2 compliance. The downstream dimension is more complex: participant banks and acquirers are not suppliers to iDEAL in the conventional sense; they are participants whose systems connect to iDEAL's infrastructure and through whose systems iDEAL's incidents would propagate to consumers and merchants. NIS2 Article 21(2)(d), read in the context of systemic incident propagation, requires iDEAL to have security standards for those connection points.
Existing scheme participation contracts may not contain security requirements to the standard that NIS2 Article 21 mandates. This gap requires explicit contractual remediation through scheme rule amendments or bilateral security addenda, covering both issuing participants and acquiring participants.
6. Discussion
6.1 The mechanism behind partial lex specialis displacement
The partial nature of DORA's lex specialis effect on Currence iDEAL's NIS2 obligations reflects a structural choice in how the EU legislature designed the CTPP oversight regime, and is not a drafting accident. DORA Chapter V was designed to protect financial entities from ICT concentration risk originating in their third-party providers. The obligations in that chapter flow primarily toward financial entities and toward the Lead Overseer appointed by the ESAs. They do not replicate the full NIS2 security-governance model because they were not designed to. A CTPP's obligation under DORA is principally to be auditable, transparent, and responsive to the Lead Overseer, with no requirement to maintain an independent security governance framework equivalent to what a financial entity maintains.
This means that the NIS2 obligations that survive lex specialis reduction are precisely those that serve a different regulatory purpose than DORA serves: national-level visibility into incidents (RDI notification), national vulnerability intelligence (Article 12 disclosure), business continuity planning at the scheme layer (Article 21(2)(c)), and the integration of the scheme operator into the Dutch national cybersecurity incident ecosystem that RDI coordinates. DORA does not serve these purposes because it is a single-market financial stability instrument, not a national security instrument. The two frameworks are structurally complementary rather than duplicative for a CTPP, even though their surface-level subject matter overlaps.
6.2 The systemic criticality designation argument
The argument that Currence iDEAL is likely to be designated as an essential entity on functional grounds rather than size or licensing grounds is well-supported by the structure of NIS2 Article 3 but should be understood as a prediction rather than a certainty. NIS2 Article 3(3) gives member states discretion, not a mandate, to designate entities on systemic criticality grounds. The Dutch Cyberbeveiligingswet's exercise of that discretion in respect of payment scheme operators has not been published in sufficient detail to confirm this outcome.
What can be stated is that RDI, in conducting its entity identification exercise, would be acting consistently with both the letter and purpose of NIS2 if it designated Currence iDEAL as essential. A regulatory authority that declined to designate the operator of the dominant domestic payment scheme would need to explain why the public record of iDEAL's payment volumes does not establish the systemic criticality that NIS2 Article 3(3) requires, a position the available evidence makes difficult to sustain. The functional grounds for designation are present; whether Dutch authorities will act on them within the timelines that matter for compliance planning is the operative uncertainty.
6.3 The operationalisation problem and why designation does not resolve it
The most practically significant finding is that NIS2 designation resolves the classification question but does not resolve the operationalisation problem. An essential entity designation triggers specific obligations, including risk management frameworks, incident detection and reporting, governance accountability, and supply-chain security. For a licensed PSP, these obligations are discharged through the entity's own operations: it detects its own incidents, reports to its own supervisor, and maintains its own continuity plans. For Currence iDEAL, the scheme layer and the execution layer are separated. Currence iDEAL maintains the scheme rules, the central infrastructure, and the technical standards. The execution of individual payment transactions occurs within participant banks' and acquirers' systems. An incident that originates in iDEAL's infrastructure propagates through those participants. An incident that originates in a participant bank or acquirer may affect iDEAL's scheme-level metrics but not its own systems directly.
This separation means that Currence iDEAL cannot, acting alone, discharge the full scope of its NIS2 supply-chain security obligations. It requires participant banks and acquirers to:
- Report security incidents that affect scheme-level infrastructure to iDEAL promptly enough for iDEAL to meet its 24/72-hour RDI notification timelines;
- Maintain minimum security standards at the connection points between participant systems and iDEAL's central infrastructure;
- Participate in iDEAL-level incident response exercises that NIS2 Article 21(2)(c) business continuity requirements imply.
Existing scheme participation agreements were not designed with NIS2 Article 21 in mind. The harmonisation gap documented in [2] for PSD2 and adjacent frameworks is directly applicable here: even where PSD2-required security measures are in place, they were specified against a different regulatory standard and may not satisfy NIS2's supply-chain security requirements in substance or in documentation form.
6.4 The role of multi-framework alignment in bridging the gap
In the absence of specific NIS2 sector guidance for payment scheme operators, the practical path to a defensible compliance posture runs through the multi-framework alignment approach described by Essien et al. [1]. An ISO 27001 / NIST CSF / COBIT 2019 aligned programme produces a control set that covers the risk management, governance accountability, and business continuity requirements of NIS2 Articles 20 and 21 with reasonable fidelity. Critically, such a programme also produces documentation (control registers, risk assessments, and audit evidence) that a competent authority examining NIS2 compliance can assess against a recognised international standard rather than against undefined sector-specific guidance.
The value of this approach for Currence iDEAL is primarily supervisory defensibility rather than cost efficiency (the benefit Essien et al. [1] emphasise for their target organisations), and that defensibility matters most during the period, which may be extended, in which RDI has not issued specific NIS2 implementation guidance for payment scheme operators. An ISO 27001 certified programme, mapped explicitly to NIS2 Article 21 controls, provides a concrete response to a supervisory enquiry that a bare assertion of DORA compliance does not.
6.5 The RDI/DNB jurisdictional boundary
The analysis of supervisory jurisdiction between RDI and DNB over Currence iDEAL was identified in the introduction as a central analytical object of this paper. The findings warrant a detailed treatment.
DNB supervises financial sector entities under DORA and PSD2. RDI supervises digital infrastructure entities under NIS2. Currence iDEAL is operationally embedded in the financial sector but is not a financial entity under the regulatory instruments that DNB administers. The risk is that each authority considers the other to have primary jurisdiction, producing a gap in active supervision rather than duplicated oversight. NIS2 Article 29 requires member states to ensure that competent authorities exercise their supervisory powers; where jurisdiction is ambiguous, member states are expected to resolve it through coordination mechanisms.
The Annex II classification identified in Finding 1 as the more defensible route places Currence iDEAL within the financial market infrastructure sector. DNB holds supervisory competence over financial sector NIS2 entities under the Cyberbeveiligingswet's sectoral allocation. If Currence iDEAL is classified under Annex II as a financial market infrastructure, DNB may have primary NIS2 supervisory competence rather than RDI, notwithstanding the absence of a licence. This is a material jurisdictional consequence that flows directly from the classification decision examined in Finding 1. If, alternatively, Currence iDEAL is treated as a digital provider under Annex II, RDI's competence is more clearly engaged.
There is no publicly available evidence that RDI and DNB have established a formal coordination mechanism for Currence iDEAL specifically, and no published guidance from either authority resolves the classification question in a way that settles jurisdiction. The practical consequence is that Currence iDEAL must engage proactively with both authorities, presenting its own reasoned classification analysis and requesting a formal joint or coordinated supervisory determination, rather than waiting for the authorities to resolve the question unilaterally. The cost of inaction is not symmetric: an entity that has not established a supervisory relationship by the time a formal designation is issued has less leverage over the terms of that designation than one that has already engaged.
7. Conclusion
This paper set out to determine whether NIS2 applies to Currence iDEAL in its capacity as an anticipated DORA-designated critical third-party provider that holds no payment licence, and to identify the practical consequences of that determination. The analysis has produced a clear answer on the classification question and a more demanding answer on the operationalisation question.
On classification: Currence iDEAL is in all likelihood within NIS2 scope. The most defensible classification places it under NIS2 Annex II as a financial market infrastructure or digital provider rather than under Annex I as a digital infrastructure operator, because the entity types enumerated in Annex I do not include payment scheme operators. That Annex II classification carries a default important entity designation under NIS2 Article 3(1) and (2), which entails a less intensive supervisory regime than essential entity status. However, NIS2 Article 3(3) gives Dutch authorities the specific power to upgrade that designation to essential on functional grounds, and the grounds are present: iDEAL operates the dominant domestic online payment method without an equivalent substitute. Whether Dutch authorities will exercise that discretion, and within what timeline, is the operative uncertainty. The absence of a payment licence does not constitute a basis for excluding Currence iDEAL from NIS2 scope; licensing status is not a scoping criterion under NIS2 Article 2.
On supervisory jurisdiction: the Annex II classification has a direct consequence for which authority holds primary NIS2 supervisory competence. If Currence iDEAL is classified as a financial market infrastructure under Annex II, DNB's competence under the Cyberbeveiligingswet's sectoral allocation is engaged, notwithstanding the absence of a licence. If it is classified as a digital provider, RDI's competence is more clearly primary. Both outcomes require active engagement with the respective authority; the risk of inaction is that the designation and its supervisory expectations arrive without Currence iDEAL having shaped the terms through prior engagement.
On the DORA interaction: lex specialis displacement is partial, and the scope of what is displaced is narrower than a financial-entity-centred reading of DORA would suggest. DORA Article 11 on business continuity applies to financial entities, not to CTPPs; it does not displace NIS2 Article 21(2)(c) for Currence iDEAL. DORA Article 32(3) establishes a cooperation duty for CTPPs with financial supervisors and the Lead Overseer on incident-related information, but that duty does not route to RDI, does not operate on NIS2's 24/72-hour timelines, and does not serve the national cybersecurity situational awareness purpose that NIS2 Article 23 addresses. The residual NIS2 obligations that survive lex specialis reduction, namely national incident notification to the competent authority, vulnerability disclosure, business continuity planning at the scheme layer, and the full scope of supply-chain security obligations, remain as independent duties that Currence iDEAL must discharge.
On operationalisation: this is where the analysis identifies the most consequential practical gap. The incident notification duty requires Currence iDEAL to build and maintain a direct reporting channel to its NIS2 competent authority, with detection and classification capabilities that can identify NIS2-reportable incidents within timeframes sufficient to meet the 24-hour early warning and 72-hour assessment obligations. Those timelines are independent of DORA's incident-information cooperation chain and cannot be served by relying on participant banks to surface incident information through DORA channels. The supply-chain security duty requires Currence iDEAL to establish minimum security standards at the interface between participant bank and acquirer systems and scheme infrastructure, and to obtain participant cooperation in incident escalation at the speed iDEAL's own reporting obligations demand. The business continuity duty requires iDEAL to maintain scheme-layer continuity plans that account for the distributed nature of the execution layer across participants. None of these capabilities is automatically present as a consequence of DORA CTPP designation.
The practical path forward involves three concurrent work streams. First, proactive engagement with RDI and DNB to establish formal clarity on supervisory jurisdiction, to present Currence iDEAL's own reasoned classification analysis, and to initiate the NIS2 entity registration process under Article 27. Second, revision of scheme rules and participation contracts to incorporate NIS2-equivalent security, incident escalation, and connection-point security obligations for participant banks and acquirers, specifically the obligations that iDEAL requires from participants in order to discharge its own RDI notification and supply-chain security duties. Third, construction or alignment of an ISO 27001 / NIST CSF / COBIT 2019 integrated governance programme that maps explicitly to the retained NIS2 obligations and produces audit-quality documentation that the competent supervisory authority will require.
The governance ambiguity that currently characterises Currence iDEAL's NIS2 position is not a stable resting point. Supervisory engagement with the Dutch critical infrastructure population has begun. An entity that has not resolved its NIS2 compliance posture before receiving a formal designation notice faces compressed implementation timelines and a reactive relationship with its supervisory authority, whereas one that has already engaged retains the ability to influence designation terms, clarify jurisdictional allocation, and sequence remediation at a pace that reflects operational constraints rather than supervisory deadlines. The analysis in this paper provides the foundation for that transition, grounded in the regulatory texts as they exist rather than contingent on formal authority guidance that has yet to materialise.
References
[1] Essien, I. A., Cadet, E., Ajayi, J. O., Erigh, E. D., Obuse, E., & Ayanbode, N. (2022). Optimizing Cyber Risk Governance Using Global Frameworks: ISO, NIST, and COBIT Alignment.
[2] Gounari, M., Stergiopoulos, G., Pipyros, K., & Gritzalis, D. (2024). Harmonizing open banking in the European Union: an analysis of PSD2 compliance and interrelation with cybersecurity frameworks and standards.