2025: A Pivotal Year for DORA Implementation in the EU Financial Sector - A Round-up of Developments in July

The European Banking Authority (EBA) has unveiled its 2025 supervisory priorities, emphasising the significance of the Digital Operational Resilience Act (DORA) for financial institutions. In parallel, the European Supervisory Authorities (ESAs) have released a series of reports and guidelines to harmonise and strengthen the implementation of DORA across the EU.

Key DORA Developments:


  • Economic and Digital Resilience: The EBA highlights the need for institutions to prepare for economic uncertainties, implement robust ICT risk management frameworks and comply with DORA requirements. This includes strengthening stress-testing capabilities, ensuring the management body has adequate digital competencies, and completing the transition to the Basel III standards.

  • ICT Subcontracting: The ESAs have released draft regulatory technical standards (RTS) setting out the rules financial entities must follow when they allow ICT third-party service providers to subcontract services supporting critical or important functions. The rules cover risk assessment before subcontracting is permitted, implementation of the arrangement, and ongoing monitoring and oversight of the subcontracting chain.

  • Incident Reporting: The ESAs have finalised RTS and Implementing Technical Standards (ITS) on ICT incident reporting, introducing changes to reporting timelines, weekend reporting requirements, and the reporting template itself.

  • Joint Examination Teams: The ESAs have developed a draft RTS to establish criteria for joint examination teams responsible for overseeing critical ICT third-party service providers (CTPPs). This framework ensures efficient and effective oversight through cooperation between ESAs and competent authorities.

  • Oversight Cooperation: The ESAs have issued guidelines on cooperation between ESAs and competent authorities to ensure consistent supervisory approaches and avoid duplication in the oversight of CTPPs.

  • Systemic Cyber Incident Coordination: The ESAs are establishing the EU Systemic Cyber Incident Coordination Framework (EU-SCICF) to enhance the financial sector's response to cyber incidents threatening financial stability.


Implications for Financial Institutions:


These developments highlight the increasing importance of DORA compliance for financial institutions in the EU. Firms must:


  • Enhance their risk management frameworks, particularly concerning ICT risks.

  • Conduct thorough due diligence on ICT third-party service providers, including their subcontracting arrangements.

  • Establish robust incident reporting processes and procedures.

  • Prepare for increased scrutiny and oversight of critical ICT functions.

  • Be ready to cooperate with supervisory authorities under the EU-SCICF when a cyber incident threatens financial stability, strengthening their own cyber resilience and contributing to the overall stability of the financial sector.


The year 2025 marks a crucial turning point in DORA implementation. Financial institutions that proactively adapt to these evolving regulatory requirements will be well positioned, while those that fall behind risk supervisory action, significant operational disruption and reputational damage.
