On 2 July 2025, the Official Journal of the EU (OJ) published Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

Our earlier blog on the Delegated Regulation is here.

The Delegated Regulation enters into force on the twentieth day following that of its publication in the OJ (22 July 2025).

On 18 June 2025, the Official Journal of the EU published Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT), the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages, and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

Next steps

The Delegated Regulation will come into force twenty days after its publication in the OJ (8 July 2025).

In the latest episode of our EMEA insights series, Maria Beatrice Gilesi of our Milan office discusses recent communications from the Italian regulators regarding MiCA, DORA, CRD 6 and AI.

Listen to the episode here.

On 15 May 2025, the Official Journal of the EU published a Corrigendum to Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework. The Corrigendum amends Article 22 (ICT-related incident management policy), first subparagraph, point (d), of Commission Delegated Regulation (EU) 2024/1774.

On 27 March 2025, the European Commission issued a press release stating that it was taking action against several EU Member States that have failed to notify the Commission of measures they have adopted to transpose EU Directives into their national laws.

Among other things, the press release notes that the Commission has decided to open infringement procedures by sending a letter of formal notice to 13 Member States (Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the DORA Directive.

On 24 March 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

The draft Delegated Regulation further specifies the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions. It:

  • Establishes the rules on proportionality and group application (Articles 1 and 2).
  • Sets out the rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions (Article 3).
  • Establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted (Article 4).
  • Contains the rules on material changes to subcontracting arrangements of ICT services supporting critical or important functions, the provisions on the termination of the contractual arrangement, as well as the final provisions on entry into force (Articles 5 to 7).

Next steps

The draft Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the EU.

On 24 March 2025, the Official Journal of the EU (OJ) published Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the criteria for determining the composition of the joint examination team, ensuring a balanced participation of staff members from the European Supervisory Authorities and from the relevant competent authorities, and their designation, tasks and working arrangements. The Delegated Regulation enters into force on the twentieth day following publication in the OJ (13 April 2025).

On 18 March 2025, the European Securities and Markets Authority published the official translations of the joint European Supervisory Authority (ESA) guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under the Regulation on digital operational resilience for the financial sector (DORA).

The joint guidelines apply from 19 May 2025.

Member State competent authorities must notify the respective ESA by 19 May 2025 whether they comply or intend to comply with the joint guidelines or, otherwise, give their reasons for non-compliance. In the absence of any notification by this deadline, Member State competent authorities will be considered by the respective ESA to be non-compliant.

Earlier this year the European Commission (Commission) announced that it was rejecting the draft Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) on subcontracting ICT services supporting critical or important functions.

The basis of the rejection was that the requirements introduced by Article 5 of the draft RTS, on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity”, went beyond the empowerment given to the European Supervisory Authorities (ESAs) by Article 30(5) of DORA, since they introduced requirements not specifically linked to the conditions for subcontracting. The Commission considered that Article 5 of the draft RTS and the related recital 5 should be removed to ensure compliance with the mandate set out in DORA.

On 7 March 2025, the ESAs issued an Opinion acknowledging the assessment performed by the Commission and confirmed that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. For this reason, the ESAs do not recommend further amendments to the draft RTS in addition to the ones proposed by the Commission.

The ESAs encourage the Commission to finalise the adoption of the draft RTS without further delay.

On 20 February 2025, the following was published in the Official Journal of the EU (OJ):

  • Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

Both the Commission Delegated Regulation and the Commission Implementing Regulation enter into force on the twentieth day following their publication in the OJ (12 March 2025).