Active Enforcement · Updated Q1 2026

DORA Regulatory Updates 2025–2026

Supervisory actions, technical standards, ESA guidance, and enforcement developments — everything that matters for your compliance programme.


DORA Regulatory Timeline

From publication to active enforcement and beyond.

2022: DORA published in EU Official Journal (14 Dec)
Jan 2023: DORA enters into force (20-day period)
2023–2024: ESAs develop and consult on RTS/ITS packages
Jan 2025: DORA fully applicable; enforcement begins
Q1 2025: First batch RTS/ITS enter into force
Q2 2025: Final TLPT RTS published in Official Journal
Late 2025: First ICT third-party register submissions due
2026 (Now): Active supervisory reviews and first TLPT cycles
2026–2027 (Upcoming): ESAs designate critical third-party providers (CTPPs)
2028 (Upcoming): First 3-year TLPT cycle completion for significant entities

Recent Developments

Key regulatory actions and guidance — most recent first.

February 2026
Enforcement · High Impact

First Coordinated Supervisory Reviews Under DORA Completed

National competent authorities across multiple EU member states completed the first wave of formal DORA supervisory reviews. Initial findings highlighted systemic gaps in ICT third-party registers and incident classification procedures. Entities with incomplete registers received formal supervisory letters requiring remediation within 60 days.

#Enforcement #Third-PartyRisk #IncidentReporting

January 2026
Guidance

ESA Joint Committee Publishes DORA Implementation Q&A Round 3

The EBA, ESMA, and EIOPA Joint Committee released their third Q&A package on DORA implementation, clarifying scope application to crypto-asset service providers (CASPs), the treatment of intragroup ICT arrangements, and how entities should document TLPT mutual recognition when tests cross jurisdictions.

#Q&A #CASPs #TLPT #Intragroup

December 2025
Framework · High Impact

ECB Publishes TIBER-EU Framework v2.1

The European Central Bank updated the TIBER-EU implementation framework to align with the DORA RTS on TLPT. Key changes include mandatory purple teaming elements in the remediation phase, revised red team provider qualification criteria, and updated threat intelligence sourcing standards. Entities conducting TIBER-XX tests may use them to fulfil DORA TLPT requirements.

#TIBER-EU #TLPT #RedTeam #FrameworkUpdate

November 2025
Deadline · High Impact

Register of Information Submission Deadline Passed

The first submission of ICT third-party service provider registers to national competent authorities was due in many member states. Several supervisors reported that a significant portion of entities submitted incomplete registers, particularly missing sub-contracting chain information and geographic data residency fields. Supervisors have issued informal guidance on acceptable remediation timelines.

#Third-Party #Register #Deadline #Enforcement

October 2025
RTS

EBA Publishes Updated Q&A on TLPT Significance Criteria

Clarifications on which entities meet the "significant" threshold triggering mandatory TLPT under DORA Article 26. EBA confirmed that the significance assessment is made by the competent authority, not self-assessed by entities, and that cross-border market presence is a relevant factor. Smaller entities below thresholds should still maintain advanced testing capability documentation.

#TLPT #Q&A #Significance #EBA

September 2025
Enforcement · High Impact

ESMA Issues First ICT Incident Reporting Guidance Enforcement Notice

ESMA published supervisory expectations regarding ICT major incident reporting under DORA Article 19. The notice highlights that several investment firms submitted initial notifications outside the 4-business-hour window and that intermediate reports lacked sufficient root cause analysis. ESMA warned of escalating supervisory measures for repeated non-compliance.

#IncidentReporting #ESMA #Enforcement #InvestmentFirms

July 2025
Guidance

EIOPA Insurance Sector DORA Supervisory Statement

EIOPA published sector-specific supervisory expectations for insurance and reinsurance undertakings under DORA. The statement covers proportionality application for smaller insurers, specific considerations for the Lloyd's and specialty market, and guidance on how ICT risk management should integrate with Solvency II operational risk frameworks.

#EIOPA #Insurance #Proportionality #SolvencyII

May 2025
RTS · High Impact

Final Joint RTS on TLPT Published in Official Journal

The Joint Regulatory Technical Standards specifying requirements for Threat-Led Penetration Testing under DORA Article 26(11) were formally published in the EU Official Journal. The RTS establishes requirements for tester independence and qualifications, threat intelligence sourcing, scope definition methodology, and the mutual recognition framework for cross-border tests.

#RTS #TLPT #OfficialJournal #Binding

March 2025
Guidance · High Impact

EBA Guidelines on ICT and Security Risk Management Under DORA

EBA published comprehensive guidelines on ICT and security risk management that replace its earlier 2019 guidelines. The new guidelines align with DORA Chapter II requirements and provide specific guidance on asset management, access controls, encryption standards, and the integration of ICT risk into the overall ICAAP/ILAAP process.

#EBA #ICTRisk #Guidelines #Security

January 2025
Milestone · Critical Milestone

DORA Becomes Fully Applicable — 17 January 2025

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) became fully applicable on 17 January 2025. All in-scope financial entities were required to comply from this date. The accompanying batch of RTS and ITS instruments, covering topics including incident classification, third-party risk management, and TLPT, entered into force simultaneously.

#Milestone #ApplicableDate #AllEntities

Key Supervisory Authorities

Who regulates whom under DORA.

EBA
European Banking Authority

Credit institutions, investment firms, payment institutions, e-money institutions

ESMA
European Securities and Markets Authority

CCPs, trade repositories, investment firms, credit rating agencies, data reporting services

EIOPA
European Insurance and Occupational Pensions Authority

Insurance undertakings, reinsurance undertakings, occupational pension funds

National Competent Authorities (NCAs) are the primary supervisory contact for individual entities. The Joint Committee coordinates cross-sectoral consistency.
