Navigating DORA Compliance: Recent Developments
Wednesday, March 19, 2025

The EU Digital Operational Resilience Act (DORA) took effect on 17 January 2025 after a two-year implementation period. DORA sets out new requirements for financial entities (FEs) and their information and communication technology (ICT) third-party service providers (TPPs). This note highlights recent developments in the EU’s efforts to facilitate in-scope firms’ compliance with DORA and authorities’ attempts to avoid duplication of operational resilience requirements.

Further information regarding DORA developments can be found in our previous articles (available here, here, here and here).

EBA Amends Guidelines on ICT and Security Risk Management

On 11 February 2025, the European Banking Authority (EBA) amended its existing 2019 guidelines on ICT and security risk management measures (Guidelines) to align them with DORA.

The EBA has narrowed the scope of its Guidelines to cover:

  • only FEs subject to DORA, including credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions; and
  • relationship management of the payment service users in relation to the provision of payment services.

The EBA’s aim is to simplify the ICT risk management framework and provide legal clarity for the industry, by avoiding duplication of requirements and ensuring consistency across the EU single market.

However, other types of payment service providers (PSPs), such as post-office giro institutions and credit unions, who are not covered by DORA, will still have to comply with the security and operational risk management requirements under the revised Payment Services Directive (PSD2), which has been in force since March 2018. In addition, PSPs that remain subject to the PSD2 security and operational risk management requirements can potentially be subject to additional national requirements.

The Guidelines will apply within two months of the publication of the translated versions.

The Guidelines and accompanying press release are available here and here, respectively.

Commission Adopts Delegated Regulation on Threat-led Penetration Testing under DORA

On 11 February 2025, the European Central Bank (ECB) published an updated version of its framework for threat intelligence-based ethical red teaming (TIBER-EU Framework) that aligns with the DORA regulatory technical standards on threat-led penetration testing (TLPT RTS). This follows the ECB’s publication of a paper considering the TIBER-EU Framework in the context of DORA. Further information on this earlier paper can be found in our previous article (available here).

DORA mandates the European Supervisory Authorities (ESAs), together with the ECB, to develop draft RTS in accordance with the TIBER-EU Framework to specify the following:

  • the criteria to identify FEs required to perform TLPT;
  • the requirements regarding test scope, testing methodology and results of TLPT;
  • the requirements and standards governing the use of internal testers; and
  • the rules on supervisory and other co-operation needed for the implementation of TLPT and for mutual recognition of testing.

On 13 February 2025, the European Commission (Commission) adopted a delegated regulation (Delegated Regulation), with accompanying annexes 1-8, supplementing DORA in relation to the TLPT RTS. The Delegated Regulation shall enter into force and apply 20 days after its publication in the Official Journal of the European Union.

The Delegated Regulation and updated version of the TIBER-EU Framework are available here and here, respectively.

ESAs Publish Roadmap on the Designation of CTPPs under DORA

On 18 February 2025, the ESAs published a roadmap (Roadmap) for the designation of critical ICT TPPs (CTPPs), which will be subject to direct EU supervision under DORA.

Notably, the Roadmap sets out four steps to designation of CTPPs in 2025:

  • by 30 April 2025, the ESAs will collect the registers of information on ICT third-party arrangements submitted by FEs to their national competent authorities;
  • by the end of July 2025, the ESAs will perform the criticality assessments mandated by DORA and notify ICT TPPs if they are classified as critical;
  • by mid-September 2025, there will be a six-week hearing period where TPPs can object to the assessment, with a reasoned statement and supporting information; and
  • by the end of 2025, the ESAs will have designated and published a list of CTPPs and commenced oversight engagement.

The accompanying press release notes that TPPs that are not designated as critical can voluntarily request to be designated once the list of CTPPs is published, with details on how to raise such a request to be provided soon.

The ESAs expect to organise an online workshop with TPPs in Q2 2025 to provide further clarity on preparatory activities, the designation process and the ESAs’ oversight approach.

The Roadmap and press release are available here and here, respectively.

Delegated and Implementing Regulations on Major ICT-Related Incidents and Cyber Threats Under DORA Published

On 20 February 2025, Delegated and Implementing Regulations (together, the Regulations) supplementing DORA were published in the Official Journal of the European Union, setting out the detailed requirements and procedures for reporting and notifying ICT-related incidents and cyber threats. The Commission adopted the Regulations in October 2024.

  • The Delegated Regulation specifies the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents by FEs, and the content of the voluntary notification for significant cyber threats.
  • The Implementing Regulation sets out the standard forms, templates and procedures for FEs to report a major ICT-related incident and to notify a significant cyber threat.

Both Regulations will enter into force on 12 March 2025.

The Regulations are available here and here, respectively.

ESAs Publish Opinion on Commission’s Rejection of Draft RTS on Sub-contracting ICT Services Supporting Critical or Important Functions

On 7 March 2025, the ESAs published an opinion (Opinion) on the Commission’s rejection of its draft RTS on the elements an FE needs to determine and assess when sub-contracting ICT services supporting critical or important functions.

The Commission notified the ESAs that it had rejected the draft RTS in January 2025 on the basis that certain requirements introduced by the draft RTS went beyond the mandate given to the ESAs under DORA. The Commission noted that Article 5 of the draft RTS, and the related recital 5, should be removed from the draft RTS. The Commission then stated it would adopt the RTS once the ESAs had made the necessary modifications.

In the Opinion, the ESAs acknowledge that the Commission’s amendments will ensure that the draft RTS are fully in line with its mandate under DORA. The ESAs do not recommend changes to the Commission’s proposed amendments. They note that FEs are expected to adhere to the provisions on subcontractors as set out in Article 29(2) of DORA and Article 3(6) of the implementing technical standards on the register of information.

The Opinion is available here.
