Search
428 results
Roadmap towards the designation of CTPPs under DORA
DORA187 - 3199 - Register of Information - out-of-scope financial entity
Question ID
DORA187 - 3199
Receiving ESA
EIOPA
Final publishing date
Question
- Is the list of the type of ICT services in Annex III of the draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers an exhaustive list?
- Can an out-of-scope financial entity – such as a micro or SME insurance intermediary - be considered as an ICT third party provider if they provide ICT services that are described in the Annex III of the ESA ITS on information register, to an in scope financial entity - such as an insurer?
- Can an out-of-scope financial entity – such as a micro or SME insurance intermediary - be considered as an ICT third party provider if they provide ICT services that are NOT described in the Annex III of the ESA ITS on information register, to an in scope financial entity - such as an insurer?
Subject matter
Register of Information - out-of-scope financial entity
DORA038 - Meaning of "recovering backed-up data using own systems"
Question ID
DORA038
Receiving ESA
EIOPA
Final publishing date
Question
When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. What does DORA mean by "recovering backed-up data using own systems"? What does "own systems" mean? What is the source ICT system? The productive system whose data is backed-up or the system where the backed-up data is stored?
Topic
Subject matter
Meaning of "recovering backed-up data using own systems"
DORA plain csv sample reporting package
The ESAs launch first recruitments to set up DORA joint oversight team
The European Supervisory Authorities (EBA, EIOPA and ESMA - ESAs) today published three vacancy notices in the context of the Digital Operational Resilience Act (DORA).
This announcement comes as part of the establishment of a fully integrated team within the 3 ESAs (“joint oversight team”) to carry out the oversight of critical third-party providers (CTPPs) required by DORA. The team will include a Director, Legal Experts and ICT Risk Experts.
Opinion of the ESAs on the rejection of the ITS on RoI under DORA
EBA, EIOPA, and ESMA jointly respond to the European Commission’s rejection of DORA’s draft Implementing Technical Standards on ICT third-party service provider identification, advocating for mandatory LEI use over EUID to ensure operational resilience, supervisory efficiency, and global consistency in financial sector risk management.
Guide on DORA oversight of critical third-party providers activities
European Supervisory Authorities guide on DORA oversight of critical ICT third-party providers – clarifies roles, processes, and compliance for cloud service providers and other key vendors under EU digital operational resilience rules.
Factsheet for 2024 DORA dry run exercise_align
EBA and ESAs outline the 2024 DORA dry run exercise to help financial entities prepare their ICT third-party service provider registers ahead of the 17 January 2025 deadline, offering feedback, data quality checks, and reporting process testing.
Introductory workshop for CAs on DORA 2024 ad hoc data collection exercise
Monday 8 April 2024, 14:00 - 15:30, Virtual event
DORA 121 - ICT risk management (standard vs simplified depending on type of entity)
Question ID
DORA 121
Receiving ESA
ESMA
Final publishing date
Question
Is a small and non-interconnected investment firm (Art. 12 (1) IFR (Regulation (EU) 2019/2033)) that also holds a licence as a crowdfunding service provider according to Art. 12 ECSPR (Regulation (EU) 2020/1503) obligated to apply Art. 5-15 DORA or is it allowed to use the simplified ICT risk management framework of Art. 16 DORA?
Topic
Subject matter
ICT risk management (standard vs simplified depending on type of entity)
DORA RoI reporting FAQ (updated 19 March 2025)
EBA FAQ on DORA’s registers of information reporting clarifies practical aspects of preparing and submitting contractual ICT third-party provider data under Regulation (EU) 2022/2554 and Implementing Regulation (EU) 2024/2956, including 2025 reporting requirements, consolidation rules, and 2024 dry run outcomes.
DORA Dry Run data quality checks - explainer
ESAs published joint final Report on the draft technical standards on subcontracting under DORA
The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today published their joint Final report on the draft Regulatory Technical Standards (RTS) specifying how to determine and assess the conditions for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Act (DORA). These RTS aim at enhancing the digital operational resilience of the EU financial sector by strengthening the financial entities’ ICT risk management over the use of subcontracting.
ESAs Joint Committee Opinion on the rejection of the RTS on subcontracting under DORA
European Supervisory Authorities (ESAs) issue a joint opinion on the European Commission’s rejection of draft Regulatory Technical Standards (RTS) under DORA, addressing subcontracting conditions for ICT services supporting critical or important functions in financial entities, ensuring alignment with Article 30(5) of DORA.
Responses to public consultations on DORA (1st batch)
Responses to public consultations on DORA (2nd batch)
ESAs publish templates and tools for voluntary dry run exercise to support the DORA implementation
The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today published templates, technical documents and tools for the dry run exercise on the reporting of registers of information in the context of Digital Operation Resilience Act (DORA) announced in April 2024.
ESAs Joint Committee Technical standards under the Digital Operational Resilience Act (DORA)
The EBA amends its Guidelines on ICT and security risk management measures in the context of DORA application
The European Banking Authority (EBA) narrowed down the scope of its existing Guidelines on ICT and security risk management measures, due to the application of harmonised ICT risk management requirements under the Digital Operational Resilience Act (DORA) from 17 January 2025. These amendments aim at simplifying the ICT risk management framework and providing legal clarity to the market.