The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework.

Conference/Workshop

18/11/2025 - 10:00 - 19/11/2025 - 16:00

14th Annual Research Workshop - Bridging capital and growth - the role of financial structures and intermediaries

Document

17 November 2025

Training Plan 2025

Download document

EBA Management speech 17 NOVEMBER 2025

Introductory statement by the EBA Chairperson José Manuel Campa at the annual hearing of the Committee on Economic and Monetary Affairs (ECON) of the European Parliament

DORA186 - Direct agreements between AIF and ICT service provider

Question ID

DORA186

Receiving ESA

ESMA

URL

https://www.esma.europa.eu/publications-data/questions-answers/2447

Final publishing date

Fri, 11/14/2025 - 15:50

Question

According to Article 2 par 1 of DORA AIFM is in scope of DORA, AIF is not defined as financial entity. There are situations when agreement is concluded directly between AIF and ICT service provider. It is obvious that the agreement in such situation should contain elements listed in Article 30 of DORA and the risk assessment should be performed by AIFM. But shall such agreement also be:
- included in the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers according to Article 28 par 3 and
- notified to competent authority in a timely manner prior of the conclusion of the agreement if the agreement supports critical or important functions?

Topic

DORA238 - Application of DORA to non-EU AIFM

Question ID

DORA238

Receiving ESA

ESMA

URL

https://www.esma.europa.eu/publications-data/questions-answers/2547

Final publishing date

Fri, 11/14/2025 - 15:46

Question

The regulation applies to managers of alternative investment funds according to Article 2, point (k) of DORA. According to Article 3, (point 44), of DORA a manager of alternative investment funds is defined as “a manager of alternative investment funds as defined in Article 4(1), point (b), of Directive 2011/61/EU”.
According to Article 4(1), point (b), of Directive 2011/61/EU (AIFM Directive) “AIFMs’ means legal persons whose regular business is managing one or more AIFs”. We are of the understanding that Article 4(1), point (b), does not exclude non-EU AIFM. EU AIFM and non-EU AIFM are defined in Article 4(1), point (L) and point (ab). Since DORA only refers to article 4(1), point (b), of the AIFM Directive and not to article 4(1), point (L), we are wondering if DORA applies to both EU and non-EU AIFM as the definition implies.

Topic

DORA138 - Applicability of DORA and TFR Requirements to VASPs Not Classified as CASPs Under MiCAR

Question ID

DORA138

Receiving ESA

ESMA

URL

https://www.esma.europa.eu/publications-data/questions-answers/2364

Final publishing date

Fri, 11/14/2025 - 15:22

Question

Do the requirements of the Digital Operational Resilience Act (DORA) apply to Virtual Asset Service Providers (VASPs) that are not classified as Crypto-Asset Service Providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCAR) as of December 30, 2024 and are benefiting from the MiCAR transition period?"

Topic

Digital operational resilience testing

Subject matter

Applicability of DORA and TFR Requirements to VASPs Not Classified as CASPs Under MiCAR

Document

14 November 2025

Interactive treemap full details

Download document

DORA038 - Meaning of "recovering backed-up data using own systems"

Question ID

DORA038

Receiving ESA

EIOPA

URL

https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora03…

Final publishing date

Fri, 11/14/2025 - 11:17

Question

When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. What does DORA mean by "recovering backed-up data using own systems"? What does "own systems" mean? What is the source ICT system? The productive system whose data is backed-up or the system where the backed-up data is stored?

Topic

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre

Search

TEST - ONLINE SGAT Meeting

Friday 11 December 2025, 09:30 - 17:30 (virtual event)

Public hearing on revised Guidelines for common procedures and methodologies for the supervisory review and evaluation process (SREP) and supervisory stress testing

Public hearing on Guidelines on supervisory independence of competent authorities

Public Hearing – Draft revised SREP Guidelines

Thursday 4 December 2025, 10:00 - 12:00 CET

Public hearing on consultation for the guidelines on supervisory independence

Wednesday 3 December 2025, 14:30 - 16:00

Workshop on the Pillar 3 Data Hub implementation and go-live for large and other institutions

JM Campa introductory remarks at the ECON hearing November 2025

Opt-in Form

2025 10 31 PMR -2025 Francois-Louis Michaud

List of designated CTPPs

2025 11 15 PMR -2025 Francois-Louis Michaud

The European Supervisory Authorities designate critical ICT third-party providers under the Digital Operational Resilience Act

14th Annual Research Workshop - Bridging capital and growth - the role of financial structures and intermediaries

Training Plan 2025

Introductory statement by the EBA Chairperson José Manuel Campa at the annual hearing of the Committee on Economic and Monetary Affairs (ECON) of the European Parliament

DORA186 - Direct agreements between AIF and ICT service provider

DORA238 - Application of DORA to non-EU AIFM

DORA138 - Applicability of DORA and TFR Requirements to VASPs Not Classified as CASPs Under MiCAR

Interactive treemap full details

DORA038 - Meaning of "recovering backed-up data using own systems"