Fintech

On 13 February 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements

On 6 February 2025, the European Commission published a set of draft guidelines on the definition of ‘artificial intelligence (AI) system’ for the purposes of the EU AI Act, which began to apply on 2 February 2025.

Background

Under the EU AI Act (which aims to promote innovation while ensuring high levels of

On 11 February 2025, the Bank of International Settlements published a speech by Denis Beau, First Deputy Governor of the Bank of France, at the Cercle IA et finance.

In his speech, Mr Denis discusses, from a supervisor’s perspective, the opportunities and risks of AI and then the conditions necessary for effective regulation of AI

On 11 February 2025, the European Banking Authority (EBA) issued an updated version of its guidelines on ICT and security risk management measures which were built on the provisions of Article 74 of the Capital Requirements Directive IV and the Payment Services Directive 2. The update to the guidelines is to avoid duplication

On 5 February 2025, the European Banking Authority (EBA) issued its opinion on the European Commission’s (Commission) proposed amendments to the draft regulatory technical standards (RTS) specifying the requirements for policies and procedures on conflicts of interest for issuers of asset-referenced tokens (ARTs) under the Markets in

On 31 January 2025, the European Commission (Commission) published a letter (dated 21 January 2025) it had sent to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs). The letter concerns the draft Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to regulatory

On 27 January 2025, the European Supervisory Authorities (ESAs) published Terms of Reference for the European Systemic Cyber Incident Coordination Framework (EU-SCICF). The EU-SCICF is set up in accordance with Article 49(1) of the Regulation on digital operational resilience for the financial sector (DORA) and the ESAs Joint Committee

On 22 January 2025, the European Supervisory Authorities (ESAs) published guidance prepared by the European Commission (Commission) on the definition of ICT services under the Digital Operational Resilience Act (DORA). The guidance was eagerly awaited by the European financial services industry subject to DORA’s requirements, seeking clarity on the

On 17 January 2025, the European Supervisory Authorities (ESAs) issued a report on the feasibility of further centralisation in the reporting of major ICT-related incidents by financial entities according to Article 21 of the Digital Operational Resilience Act (DORA).

Article 21 DORA requires that the ESAs prepare a joint report assessing

DORA is now live, without any transitional provision.

A wide range of rules applicable for managing ICT risks, including risks linked to ICT third-party service providers, applies from today. DORA applies to nearly all financial entities in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated