On 18 March 2025, the European Securities and Markets Authority published the official translations of the joint European Supervisory Authority (ESA) guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under the Regulation on digital operational resilience for the financial sector (DORA).

The joint guidelines apply from 19 May 2025.

Member State competent authorities must notify the respective ESA whether they comply or intend to comply with the joint guidelines, or otherwise with reasons for non-compliance by 19 May 2025. In the absence of any notification by this deadline, Member State competent authorities will be considered by the respective ESA to be non-compliant.