Search

EU and UK financial authorities establish cooperation under DORA and UK FSMA to oversee critical ICT third-party service providers, enabling information exchange, joint oversight activities, and coordination on cross-border supervision and risk monitoring.

European Supervisory Authorities (ESAs) assess the equivalence of UK confidentiality and professional secrecy regimes under DORA Article 55, evaluating compliance with data protection, disclosure restrictions, and sanctions for breaches in financial services.

Joint ESAs report assessing whether statutory auditors and audit firms should be included in DORA’s scope, analyzing regulatory implications, market impact, and supervisory challenges, concluding no extension is warranted at this stage.

European Banking Authority publishes the official list of critical ICT third-party service providers designated under the Digital Operational Resilience Act (DORA), including major cloud, data, and technology firms supporting financial institutions.

European Supervisory Authorities guide on DORA oversight of critical ICT third-party providers – clarifies roles, processes, and compliance for cloud service providers and other key vendors under EU digital operational resilience rules.

European Supervisory Authorities (ESAs) issue a joint opinion on the European Commission’s rejection of draft Regulatory Technical Standards (RTS) under DORA, addressing subcontracting conditions for ICT services supporting critical or important functions in financial entities, ensuring alignment with Article 30(5) of DORA.

EBA final report amending ICT and security risk management guidelines to align with DORA, clarifying scope for payment service providers not covered by DORA while harmonizing ICT risk frameworks under PSD2 and CRD.

EBA, ESMA, and EIOPA joint decision establishing annual reporting requirements for EU competent authorities to provide data on ICT third-party service providers, supporting designation of critical providers under DORA (Regulation (EU) 2022/2554) and Delegated Regulation (EU) 2024/1502, with first submission due by 30 April 2025.

European Supervisory Authorities (EBA, ESMA, EIOPA) correct reporting requirements for competent authorities to designate critical ICT third-party service providers under DORA (Regulation (EU) 2022/2554), aligning data points with Commission Implementing Regulation (EU) 2024/2956.

EBA and joint committee assess the feasibility of centralising major ICT incident reporting under DORA (Regulation (EU) 2022/2554), analysing current frameworks, stakeholder input, and potential options for streamlined EU-level reporting.

EBA and ESAs report on the 2024 DORA Dry Run exercise, summarizing key findings on financial entities' registers of ICT third-party service provider contracts, data quality checks, and recommendations for compliance with Digital Operational Resilience Act requirements.

European Supervisory Authorities (ESAs) urge financial entities and ICT third-party providers to finalize preparations for the Digital Operational Resilience Act (DORA) ahead of its 17 January 2025 application, emphasizing timely compliance with ICT risk management, incident reporting, and third-party provider registration requirements.

EBA, EIOPA, and ESMA joint decision outlining annual reporting requirements for competent authorities to provide data on ICT third-party service providers, enabling designation of critical providers under DORA (Regulation (EU) 2022/2554) by April 2025.

EBA, EIOPA, and ESMA jointly respond to the European Commission’s rejection of DORA’s draft Implementing Technical Standards on ICT third-party service provider identification, advocating for mandatory LEI use over EUID to ensure operational resilience, supervisory efficiency, and global consistency in financial sector risk management.