On 20 February 2025, the following was published in the Official Journal of the EU (OJ):

  • Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.

Both the Commission Delegated Regulation and the Commission Implementing Regulation enter into force on the twentieth day following their publication in the OJ (12 March 2025).

On 18 February 2025, the European Supervisory Authorities (ESAs) issued a roadmap to the designation of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA).

To designate CTPPs this year, the ESAs will perform the following steps:

  • Collection of the Registers of Information: Member State competent authorities are required to submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
  • Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  • Final designation: After the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.

On 13 February 2025, Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities was published in the Official Journal of the EU (OJ). The Delegated Regulation enters into force on the twentieth day following that of its publication in the OJ.

On 13 February 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

The draft Delegated Regulation:

  • Sets out the criteria for the identification of financial entities required to perform threat-led penetration testing (TLPT).
  • Establishes the requirements regarding testing scope, testing methodology and the results of TLPT, including the testing process.
  • Lays down the requirements and standards governing the use of internal testers.
  • Contains the rules on supervisory cooperation and mutual recognition of TLPT.

The draft Delegated Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.

On 11 February 2025, the Eurosystem updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT).

Background

The TIBER-EU framework sets out comprehensive guidance on how authorities, entities, and threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks. It also contains detailed guidance on how to complete DORA TLPT in a qualitative, controlled and safe manner, applying a uniform approach across the EU. Authorities are encouraged to adopt and implement the TIBER-EU framework.

Updates to align with DORA

The updates made to the TIBER-EU framework to incorporate regulatory requirements and align with other measures set out in DORA include:

  • Aligning the process steps with the deliverables derived from the DORA RTS on TLPT (for which strict timelines have been introduced by the DORA RTS and are now incorporated into the TIBER-EU framework).
  • Specifying purple-teaming as mandatory under TIBER-EU, as prescribed in the DORA RTS.
  • Introducing changes to terminology to ensure consistency with DORA terminology.
  • Establishing TIBER-EU guidance documents to facilitate the implementation of different parts of the framework and to ensure a secure and controlled TLPT execution.
  • Providing advice on how to assess the quality of a provider in the updated Guidance for Service Provider Procurement.
  • Moving away from the requirement for authorities that want to implement TIBER-EU to publish a full national implementation guide; authorities can instead refer to the adoption of the TIBER-EU documentation and publish a short implementation document as described in the framework.

On 11 February 2025, the European Banking Authority (EBA) issued an updated version of its guidelines on ICT and security risk management measures, which were built on the provisions of Article 74 of the Capital Requirements Directive IV and the Payment Services Directive 2. The update to the guidelines is intended to avoid duplication with the requirements on ICT risk management introduced by the Digital Operational Resilience Act (DORA), which applies to financial entities across the banking, securities/markets, insurance and pensions sectors.

The update includes the EBA narrowing down:

  • The entity scope of the guidelines to only those that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.
  • The scope of the guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.

Next steps

The updated guidelines apply within two months of the publication of the translated versions.

On 31 January 2025, the European Commission (Commission) published a letter (dated 21 January 2025) it had sent to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs). The letter concerns the draft Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) on subcontracting ICT services supporting critical or important functions. The ESAs delivered the draft RTS to the Commission last summer.

In the letter the Commission explains that it is rejecting the draft RTS on the basis that the requirements introduced by Article 5 of the draft RTS on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” go beyond the empowerment given to the ESAs by Article 30(5) of DORA, by introducing requirements not specifically linked to the conditions for subcontracting. The Commission therefore considers that Article 5 of the draft RTS and the related recital 5 should be removed to ensure compliance with the mandate set out in DORA.

The Commission intends to adopt the draft RTS once its concerns are taken into account, and the necessary modifications are made by the ESAs.

On 22 January 2025, the European Supervisory Authorities (ESAs) published guidance prepared by the European Commission (Commission) on the definition of ICT services under the Digital Operational Resilience Act (DORA). The guidance was eagerly awaited by the European financial services industry subject to DORA’s requirements, seeking clarity on the distinction between ICT services and financial services.

By way of background, DORA defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”. This definition is intentionally broad, as reflected by the types of ICT services listed in Annex III of Commission Implementing Regulation (EU) 2024/2956 on standard templates for registers of information. This broad definition has caused problems for the industry, as in practice numerous financial services have some ICT components, which could prospectively lead to double-regulation.

In the Q&A guidance published, the Commission confirmed that where such regulated financial services entail an ICT component, they should still be considered financial services and not ICT services, regardless of whether the services are provided by an EU-regulated financial entity or a third-country one (“In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).”). This guidance responds to the industry’s concerns and as such is a positive development.

The guidance further states that services provided by regulated financial entities can be ICT services (all other elements of the definition being met) if they are, in the Commission’s words, “unrelated or is independent from such regulated financial services”. The Commission also confirmed that the “same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.”

DORA is now live, without any transitional provision.

A wide range of rules applicable to managing ICT risks, including risks linked to ICT third-party service providers, applies from today. DORA applies to nearly all financial entities in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated ICT third-party service providers, a significant shift in European financial regulation.

One of the immediate and key requirements under DORA is the reporting of ICT-related incidents, which entities must begin doing today. Additionally, in-scope entities will need to submit detailed information registers to regulators in early Q1 2025.

To help those asset managers who may be behind with their DORA implementation we have just published the latest episode in our Let’s talk asset management series covering DORA and its impact on asset managers.

In addition, for those financial entities that are behind with their DORA implementation we continue to run last minute bespoke emergency clinics and training.

For further information please contact Floortje Nagelkerke, Anna Carrier, Sebastien Praicheux, Dorothee Ciolino or your usual Norton Rose Fulbright contact.

Introduction

The Dutch Authority for the Financial Markets (AFM) has published its sixth DORA update, explaining what to expect in 2025. The AFM stresses that it is important to complete the implementation of DORA’s requirements as soon as possible in order to be DORA-compliant by this Friday, 17 January 2025.

What to expect in 2025?

Once DORA enters into force, national supervisory authorities will start their supervisory activities. This will include establishing reviews to determine whether financial institutions are complying with the requirements, as well as collecting and verifying information requested by the European Supervisory Authorities (ESAs, meaning EIOPA, ESMA and EBA).

  1. Register of information

The first data request that firms can expect in 2025 concerns the register of information. The deadline for the first submission of registers of information by the AFM and DNB to the ESAs is set for 30 April 2025. To ensure timely submission of the registers to the ESAs, soon after DORA enters into force the AFM will send a request for information to all organisations with an AFM licence that are subject to DORA. Firms should therefore already be preparing their register of information so that it can be shared in a timely manner.

After this initial request, the AFM and DNB will request the register of information from firms each year. The AFM and DNB will then verify that all the fields in the registers of information are complete before forwarding the registers to the ESAs.

Based on the information from the registers, the ESAs will designate ICT third-party service providers that are considered critical for the financial sector. The ESAs will supervise these designated critical ICT third-party service providers.

  2. ICT-related incidents

Firms are also obliged to report major ICT-related incidents. When an ICT-related incident has occurred, firms must determine, on the basis of the applicable criteria, whether it qualifies as a major ICT-related incident. For the classification of ICT-related incidents, see the relevant Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Once a firm determines that a major ICT-related incident has occurred, it must notify the relevant supervisory authority (AFM or DNB) within 4 hours from the moment the incident is classified as major. In addition, an intermediate report and a final report must be submitted to the AFM within 72 hours and 1 month, respectively, of the classification of the incident.

The AFM will assess the completeness of the incident report when analysing these reports. It will also assess whether the incident and its impact are adequately described in the report. Where this is not the case, the AFM will seek additional information to establish these facts. In addition to major ICT-related incident reporting, financial undertakings may also, on a voluntary basis, notify cyber threats. Both types of reports will mainly be used to determine whether ICT-related incidents have occurred or whether there are active cyber threats that impact, or could potentially impact, the financial sector.

  3. TLPT

A number of firms will be identified for threat-led penetration testing (TLPT). Firms only have to comply with these requirements if notified by the supervisory authority by means of a designation letter. Once the RTS for TLPT is approved by the European Commission, the AFM will contact the firms identified for TLPT. The timing of the test will be scheduled in consultation with the relevant firm.

The test managers of the AFM will assist the firm during the preparation and execution phases of the test to ensure that the test complies with the requirements in the Regulation and the RTS. After (successful) completion of the test, the firm receives a certificate, which can be used to demonstrate compliance with the requirements related to TLPT.