Summarizing NextGen Nordics: Upcoming challenges on the Payments market and possible solutions

DORA is not just about being compliant

The Digital Operational Resilience Act (DORA), now in effect across the EU, requires financial stakeholders to manage ICT risks and ensure operational resilience. While many elements of DORA aren’t new, they are now being harmonized at the EU level.

One of the main topics at NextGen Nordics was clarifying the value of DORA for those affected. Today, the approach towards it varies from country to country in the Nordics. For instance, Norway sees DORA as an important strategic move and reports low concerns about vendor contracts. In Sweden, stakeholders have taken a compliance-first approach, with less urgency surrounding the regulation, likely due to competing national priorities such as Bankgirot’s SEK Credit Transfer transformation.

We firmly believe that the implementation with DORA should not be treated as a mere checkbox exercise to meet minimum requirements. But as a long-term effort to improve risk management. Organizations that do not take the requirements seriously risk becoming more vulnerable to cyberattacks, as perpetrators also adapt to ongoing developments and trends on the market.

Lessons from P27 & Planning for Success

The P27 initiative was a Nordic project to create a unified payment infrastructure for the Nordic countries, simplifying and modernizing payments across borders. However, it continues to offer lessons as the region sets the stage for EU-driven changes like the Instant Payments Regulation (IPR) and Payment Services Regulation (PSR). Some reasons for P27’s demise in 2023 were the ever-increasing scope and complexity. Now, as new deadlines are getting closer, such as the mandatory Verification of Payee implementation, discussions focus on how to avoid past mistakes.

We see three clear takeaways:

1. The importance of a master plan
   P27’s ever-expanding scope, coupled with unclear priorities, ultimately became unsustainable. Future projects in the EU or just Nordic-wide implementation must be driven by a stable, well-defined master plan, mandated by regulation rather than by ad-hoc market pressures.
2. Consistent governance throughout
   P27 struggled with unclear governance and eventually lost track of its core objectives. Any large-scale rollout or pan-European scheme requires robust, consistent governance so all stakeholders remain aligned on the initial goals and avoid shifting targets.
3. Harmonized implementation
   All stakeholders must progress together. Looking at the fraud topic and IPR as an example, those who lag become prime targets for fraud. Data from the Netherlands shows criminals moved rapidly to banks without VoP protections before shifting across borders. Initiatives should be modular and phased, so that a narrower scope (for example, Sweden’s SEK Credit Transfer upgrade under Bankgirot) can succeed quickly and serve as a template for wider rollout.

While P27 is no longer active, its legacy remains a cautionary tale, emphasizing that even well-intentioned innovation can falter without strong coordination.

Changing customer behavior and gaining trust

A key theme from the event was the growing gap between consumer expectations and business realities. Younger generations expect instant, seamless payments, rarely considering the complexity or risks behind the scenes. For businesses, however, user experience must be balanced with security, regulation, and operational resilience.

This is especially true for Verification of Payee (VoP), which becomes mandatory under the Instant Payments Regulation (IPR). In theory, it is a simple safeguard: confirming that the account name matches before sending funds. But implementing it, especially for bulk payments, can introduce friction if not done right. VoP must balance user experience with risk management. As learned from the UK’s Confirmation of Payee (CoP), corporates have raised concerns about friction, where mismatched confirmations can delay important transactions and increase customer concerns. As for the normal consumer, the friction of this safeguard is not as welcomed unless a clear value is presented. Educating consumers and explaining the real benefits, like safer payments, will be crucial in offsetting any perceived friction.

The same mindset applies to Open Finance. Sharing personal data once raised privacy concerns, but as with location sharing in apps like Uber, users now embrace it because the value is immediate and tangible. The same is happening with financial data. Consumers don’t ask “Who has my data?”, they ask, “What do I get in return?”.

Open Finance has the potential to offer benefits like personalized financial services, real-time fraud detection, and smarter credit decisions. Where implemented, there have been zero reported data breaches—a critical proof point that trust and security can go hand in hand with innovation. Banks must reframe Open Finance not as a compliance burden, but as an opportunity to differentiate. Like with VoP, user education and design will make or break adoption.

For further discussion: Does regulation push or limit innovation?

Regulations are constantly connecting different stakeholders, from banks to FinTech companies. While some view regulation as a constraint, it can also be the starting point for collaboration and innovation. Banks bring deep knowledge of compliance and market needs, while FinTech contributes with innovative power and technical know-how. The real question is no longer whether regulation hinders innovation, but how it can be leveraged to help us succeed in the world of Payments. Regulations push stakeholders to solutions, so they don’t lag behind, protecting their customers and businesses. But old solutions can’t fix new challenges, so we must work together to find the best way forward.

We would like to thank FinExtra and NextGen Nordics for yet another great event!