Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Register of Information Taxonomy reporting vs ITS on Register of Information

In the industry workshop of 18 December 2024, which was a summary of the Dry Run, it was stated that the reporting taxonomy provided shall be used for the reporting, while the current DORA 4.0 validation rules do not follow the instructions provided in the ROI ITS. We kindly ask you to confirm if the reporting shall follow the DORA 4.0 validation rules despite the mismatch with the ROI ITS.

Differences between the law and the taxonomy:

| Requirement in Law | Requirement in Taxonomy | Additional question |
|---|---|---|
| | B_01_01_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-2" | |
| | B_01_02_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-12" | |
| B_02.03 does not include an extra column c0030 | b_02.03 has a column c0030, that is required to be filled out | What is the extra column used for? |
| B_03.01 does not include an extra column c0030 | b_03.01 has a column c0030, that is required to be filled out | What is the extra column used for? |
| B_03.03 does not include an extra column c0031 | b_03.03 has a column c0031, that is required to be filled out | What is the extra column used for? |
| B_04.01 clarifies that column c0040 is only mandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030) | B_04.01 column c0040 is mandatory. Which also requires at least 1 branch in B_01.03. | What should be reported if a reporting entity does not have any branches? Should both B_01.03 and B_04.01 be empty. Or? |
| B_05.01 c0030 & c0040 is optional | B_05.01 c0030 & c0040 is required when c0070 = Legal person, excluding individual acting in a business capacity | |
| B_05.01 c0110 is mandatory if the ICT-third party service provider is not the ultimate parent undertaking | B_05_01_0110 is mandatory all the time according to the DPM | |
| B_05.02 column c0060 & c0070 is mandatory, but not applicable for rank 1. An empty value should be reported if rank = 1 | B_05.02 column c0060 & c0070 is always required. | What should be reported in c0060 & c0070 if the rank = 1? |
| B_01_01_0050 is mandatory in case of reporting | B_01_01_0050 is always mandatory | |
| B_01_01_0060 is mandatory in case of reporting | B_01_01_0060 is always mandatory | |
| B_01_02_0060 is mandatory | B_01_02_0060 is optional in DPM | |
| B_02_01_0030 is mandatory | B_02_01_0030 is optional in DPM | |
| B_02_02_0040 is mandatory | B_02_02_0040 is optional in DPM | |
| B_02_02_0130 is mandatory if the ICT service is supporting a critical or important function | B_02_02_0130 is optional in DPM | |
| B_02_02_0140 is mandatory if the ICT service is supporting a critical or important function | B_02_02_0140 is optional in DPM | |
| B_02.02.0150 is mandatory if Yes is reported in c0140 | B_02.02.0150 is mandatory in DPM | |
| B_02.02.0160 is mandatory if the ICT service is based on or foresees data processing | B_02.02.0160 is mandatory in DPM | |

Additional to the question above: If changes will be made to the Taxonomy, when will these be made available? Do you foresee to apply changes to solve the aforementioned mismatch? If so, can you please share when this is expected to be done?

If the current Taxonomy, DORA 4.0, must be followed for reporting, can we expect that all local authorities are required to accept the Register of Information in the format aligned with the Taxonomy? We have experienced differences while doing a mock exercise to submit the reports to local authorities from the reporting technical package. To our knowledge, these discrepancies shall not exist and the national authorities to which entities have to report are required to accept files that follow the reporting technical package. In this scenario, what actions can we expect to be taken?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Financial entities subject to supervisory mechanisms as ICT third-party service providers.

Should financial entities providing ICT services to other financial entities (even if these ICT services are ancillary to regulated financial services)  be considered as ICT third-party service providers under the Regulation (EU) 2022/2554 and, consequently, should their contractual arrangements for the use of relevant ICT services include the key contractual provisions set out in Article 30 of the DORA Regulation; or otherwise, does the fact that these entities are already authorised/licenced/registered mean that they should not be considered as ICT providers and, therefore, that their contractual arrangements do not need to contain the requirements set out in Article 30?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Regulatory technical standards - subcontracting ICT services supporting critical or important functions

Where and when was the Commission Delegated Regulation (EU) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554 officially published?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Applicability of Regulation (EU) 2022/2554 (DORA) to ICT services provided by financial entities.

Clarification is needed on whether financial institutions providing ICT services to other financial institutions – regardless of whether these services are ancillary to regulated financial activities – can be qualified as ICT third-party service providers under Regulation (EU) 2022/2554. If they are, must their contractual relationships comply with the mandatory provisions outlined in Article 30 of the mentioned Regulation or are these requirements inapplicable since such entities are already authorised/licenced/registered? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Are trust services under the scope of DORA, whatever the nature of the services

Financial institutions (EEFFs) subject to the DORA Regulation understand that Trust services, whatever they are, are “ICT services” and therefore their providers (Trust Service Providers / TSPs) are included in the scope of the DORA Regulation. However, these Trust services do not always constitute or form part of an essential or important function for the operation of such entities, but serve for auxiliary or internal functions of the entities.

Let's take the case of an electronic signature certificate used by a representative to sign contracts with suppliers or internal legal documents: is it essential for the continued operation of a bank, and would the suspension of the service significantly affect the authorized activity of the entity?

Another example: could the use of a platform that allows the remote management of electronic notifications sent to EEFFs by public administrations thanks to connectors that allow the entity to be identified with electronic certificates be considered essential for the EEFFs' operations? It is really a tool that facilitates the administrative procedures of the entity and is not part of the services it provides to its customers.

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Lex Specialis NIS2 Directive

Are financial entities in scope of DORA required to submit incident reports under the NIS2 Directive ahead of DORA coming into effect in January 2025?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of DORA Regulation to sub-threshold AIFMs which have chosen to opt-in to the application of the AIFMD (Art. 3(4)), if the thresholds regarding AuM referred to under Article 3(2) of AIFMD are not exceeded

Are sub-threshold alternative investment fund managers (AIFMs) as referred to in Article 3(2) of Directive 2011/61/EU (“AIFMD”), which have chosen to opt-in to the application of the AIFMD according to Article 3(4) of that Directive, captured within the scope of application of Regulation (EU) 2022/2554 (“DORA”) under Articles 2(1)(k) and 2(3)(a) of DORA, if the thresholds regarding assets under management (“AuM”) referred to under Article 3(2) of AIFMD are not exceeded by such AIFM?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

DORA Regulation & Applicability to Third-Country Branches

Is Regulation (EU) 2022/2554 (DORA) applicable to third-country branches that are licensed in our country (EU country) as Credit Institutions?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Scope for dependent financial intermediaries

Are the dependent financial intermediaries (agents), who act on behalf of credit institutions, covered by the DORA Regulation?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Grace period for existing contractual arrangements in the register of information

As stated in Regulation (EU) No 2022/2554 (DORA) Article 28, paragraph 3 - As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Is there a grace period for the existing contractual arrangements, or does all the information have to be collected and recorded in the register of information before the regulatory deadline in January 2025? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Services of credit registers under DORA

Should public Credit Registers be regarded as providers of ICT services under Article 3(19) of DORA?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Request for Clarification on Article 28(3) of Regulation (EU) 2022/2554

I am reaching out for clarification regarding a specific provision in the Digital Operational Resilience Act (DORA) – particularly the third paragraph of Article 28. The provision in question stipulates: "As part of their ICT risk management framework, financial entities shall maintain, and keep updated at entity level as well as at sub-consolidated and consolidated levels, a register of information related to all contractual arrangements on the use of ICT services provided by third-party ICT service providers." Similarly, DORA provides in its Article 28(2): "The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis".

Overall, how should we understand the phrases “where relevant” and “where applicable” in DORA and its policy products when addressing different levels of entities? We seek your confirmation on whether our client is really obligated to maintain both for its specific entity and at the group level:

  • The register of information related to all contractual arrangements on the use of ICT services provided by third-party ICT service providers.
  • The strategy on ICT third-party risk and (or?) the policy on the use of ICT services supporting critical or important functions.

Could you also confirm that whenever the phrases "where relevant" and "where applicable" appear in the presence of a corporate group, the latter must each time implement the requirement at the level of the entity, at the sub-consolidated level and at the consolidated level?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable