Search
95 results
Memorandum of Understanding on DORA oversight of critical ICT third-party service providers in EU and UK
EU and UK financial authorities establish cooperation under DORA and UK FSMA to oversee critical ICT third-party service providers, enabling information exchange, joint oversight activities, and coordination on cross-border supervision and risk monitoring.
ESAs targeted equivalence assessment of DORA confidentiality and professional secrecy regimes
European Supervisory Authorities (ESAs) assess the equivalence of UK confidentiality and professional secrecy regimes under DORA Article 55, evaluating compliance with data protection, disclosure restrictions, and sanctions for breaches in financial services.
The European Supervisory Authorities and UK financial regulators sign Memorandum of Understanding on oversight of critical ICT third-party service providers under DORA
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) have today signed a Memorandum of Understanding (MoU) with the Bank of England (BoE), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). This agreement enhances the cooperation between the authorities to oversee critical ICT third-party service providers (CTPPs) as required by the Digital Operational Resilience Act (DORA) .
Joint ESAs Report on Consultation pursuant to Article 58 of DORA
Joint ESAs report assessing whether statutory auditors and audit firms should be included in DORA’s scope, analyzing regulatory implications, market impact, and supervisory challenges, concluding no extension is warranted at this stage.
Opt-in Form
List of designated CTPPs
European Banking Authority publishes the official list of critical ICT third-party service providers designated under the Digital Operational Resilience Act (DORA), including major cloud, data, and technology firms supporting financial institutions.
Public hearing on Guidelines on the sound management of third-party risk
Guide on DORA oversight of critical third-party providers activities
European Supervisory Authorities guide on DORA oversight of critical ICT third-party providers – clarifies roles, processes, and compliance for cloud service providers and other key vendors under EU digital operational resilience rules.
The EBA launches consultation on its draft Guidelines on third-party risk management with regard to non-ICT related services
The European Banking Authority (EBA) today launched a public consultation on the draft Guidelines on the sound management of third-party risk. The draft Guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors with a particular focus on the provision of critical or important functions. These Guidelines revise and update the previous EBA Guidelines on outsourcing, published in 2019, in line with the Digital Operational Resilience Act (DORA). The consultation runs until 8 October 2025.
Consultation on draft Guidelines on the sound management of third-party risk
ESAs Joint Committee Opinion on the rejection of the RTS on subcontracting under DORA
European Supervisory Authorities (ESAs) issue a joint opinion on the European Commission’s rejection of draft Regulatory Technical Standards (RTS) under DORA, addressing subcontracting conditions for ICT services supporting critical or important functions in financial entities, ensuring alignment with Article 30(5) of DORA.
The ESAs acknowledge the European Commission's amendments to the technical standard on subcontracting under the Digital Operational Resilience Act
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today issued an Opinion on the European Commission’s (EC) rejection of the draft Regulatory Technical Standard (RTS) on subcontracting.
Roadmap towards the designation of CTPPs under DORA
The ESAs provide a roadmap towards the designation of CTPPs under DORA
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) are advancing in the implementation of the pan-European oversight framework of critical ICT third-party service providers (CTPPs) with the objective to designate the CTPPs and to start the oversight engagement this year.
Final report on amending Guidelines on ICT risk and security management
EBA final report amending ICT and security risk management guidelines to align with DORA, clarifying scope for payment service providers not covered by DORA while harmonizing ICT risk frameworks under PSD2 and CRD.
The EBA amends its Guidelines on ICT and security risk management measures in the context of DORA application
The European Banking Authority (EBA) narrowed down the scope of its existing Guidelines on ICT and security risk management measures, due to the application of harmonised ICT risk management requirements under the Digital Operational Resilience Act (DORA) from 17 January 2025. These amendments aim at simplifying the ICT risk management framework and providing legal clarity to the market.
ESAs Decision on reporting of information for CTPP designation (corrigendum consolidated)
EBA, ESMA, and EIOPA joint decision establishing annual reporting requirements for EU competent authorities to provide data on ICT third-party service providers, supporting designation of critical providers under DORA (Regulation (EU) 2022/2554) and Delegated Regulation (EU) 2024/1502, with first submission due by 30 April 2025.
ESAs Decision on reporting of information for CTPP designation (corrigendum)
European Supervisory Authorities (EBA, ESMA, EIOPA) correct reporting requirements for competent authorities to designate critical ICT third-party service providers under DORA (Regulation (EU) 2022/2554), aligning data points with Commission Implementing Regulation (EU) 2024/2956.
Joint Report on the feasibility for further Centralisation of reporting of major ICT incidents
EBA and joint committee assess the feasibility of centralising major ICT incident reporting under DORA (Regulation (EU) 2022/2554), analysing current frameworks, stakeholder input, and potential options for streamlined EU-level reporting.