On 24 March 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

The draft Delegated Regulation further specifies the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions. It:

  • Establishes the rules on proportionality and group application (Articles 1 and 2).
  • Sets out the rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions (Article 3).
  • Establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted (Article 4).
  • Contains the rules on material changes to subcontracting arrangements for ICT services supporting critical or important functions, the provisions on the termination of the contractual arrangement, and the final provisions on entry into force (Articles 5 to 7).

Next steps

The draft Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the EU.

On 24 March 2025, Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 was published in the Official Journal of the EU (OJ). It supplements the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the criteria for determining the composition of the joint examination team, ensuring a balanced participation of staff members from the European Supervisory Authorities and from the relevant competent authorities, and their designation, tasks and working arrangements. The Delegated Regulation enters into force on the twentieth day following publication in the OJ (13 April 2025).

On 18 March 2025, the European Securities and Markets Authority published the official translations of the joint European Supervisory Authority (ESA) guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under the Regulation on digital operational resilience for the financial sector (DORA).

The joint guidelines apply from 19 May 2025.

Member State competent authorities must notify the respective ESA by 19 May 2025 whether they comply or intend to comply with the joint guidelines, or otherwise give reasons for non-compliance. In the absence of any notification by this deadline, Member State competent authorities will be considered by the respective ESA to be non-compliant.

Earlier this year the European Commission (Commission) announced that it was rejecting the draft Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) on subcontracting ICT services supporting critical or important functions.

The basis of the rejection was that the requirements introduced by Article 5 of the draft RTS on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” went beyond the empowerment given to the European Supervisory Authorities (ESAs) by Article 30(5) of DORA, because they introduced requirements not specifically linked to the conditions for subcontracting. The Commission considered that Article 5 of the draft RTS and the related recital 5 should be removed to ensure compliance with the mandate set out in DORA.

On 7 March 2025, the ESAs issued an Opinion acknowledging the assessment performed by the Commission and confirmed that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. For this reason, the ESAs do not recommend further amendments to the draft RTS in addition to the ones proposed by the Commission.

The ESAs encourage the Commission to finalise the adoption of the draft RTS without further delay.

On 20 February 2025, the following was published in the Official Journal of the EU (OJ):

  • Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

Both the Commission Delegated Regulation and the Commission Implementing Regulation enter into force on the twentieth day following their publication in the OJ (12 March 2025).

On 18 February 2025, the European Supervisory Authorities (ESAs) issued a roadmap to the designation of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA).

To designate CTPPs this year, the ESAs will perform the following steps:

  • Collection of the Registers of Information: Member State competent authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
  • Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  • Final Designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.

On 13 February 2025, Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 was published in the Official Journal of the EU (OJ). It supplements the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities. The Delegated Regulation enters into force on the twentieth day following that of its publication in the OJ.

On 13 February 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

The draft Delegated Regulation:

  • Sets out the criteria for the identification of financial entities required to perform threat-led penetration testing (TLPT).
  • Establishes the requirements regarding testing scope, testing methodology and the results of TLPT, including the testing process.
  • Lays down the requirements and standards governing the use of internal testers.
  • Contains the rules on supervisory cooperation and mutual recognition of TLPT.

The draft Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.

On 11 February 2025, the Eurosystem updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT).

Background

The TIBER-EU framework sets out comprehensive guidance on how authorities, entities, and threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks. It also contains detailed guidance on how to complete DORA TLPT in a qualitative, controlled and safe manner, applying a uniform approach across the EU. Authorities are encouraged to adopt and implement the TIBER-EU framework.

Updates to align with DORA

The updates made to the TIBER-EU framework to incorporate regulatory requirements and align with other measures set out in DORA include:

  • Aligning the process steps with the deliverables derived from the DORA RTS on TLPT (for which strict timelines have been introduced by the DORA RTS and are now incorporated into the TIBER-EU framework).
  • Specifying purple-teaming as mandatory under TIBER-EU, as prescribed in the DORA RTS.
  • Introducing changes to terminology to ensure consistency with DORA terminology.
  • Establishing TIBER-EU guidance documents to facilitate the implementation of different parts of the framework and to ensure a secure and controlled TLPT execution.
  • Providing advice on how to assess the quality of a provider in the updated Guidance for Service Provider Procurement.
  • Moving away from the requirement for authorities that want to implement TIBER-EU to publish a full national implementation guide; authorities can instead refer to the adoption of the TIBER-EU documentation and publish a short implementation document described in the framework.

On 11 February 2025, the European Banking Authority (EBA) issued an updated version of its guidelines on ICT and security risk management measures, which build on the provisions of Article 74 of the Capital Requirements Directive IV and the Payment Services Directive 2. The update is intended to avoid duplication with the requirements on ICT risk management introduced by the Digital Operational Resilience Act (DORA), which applies to financial entities across the banking, securities/markets, insurance and pensions sectors.

The update includes the EBA narrowing down:

  • The entity scope of the guidelines to only those that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.
  • The scope of the guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.

Next steps

The updated guidelines apply within two months of the publication of the translated versions.