Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include the Q&A ID, legal reference, date submitted, technical standard / guideline, or keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guideline by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

US Hard test: adequacy of considering US charge-off rates corresponding to loss rates for exposures secured by residential property or commercial immovable property situated within the territory of the US

May institutions in accordance with Article 199 (4a) of Regulation (EU) No 575/2013 (CRR) apply the derogations from point (b) of paragraph 2 of Article 199 CRR, as referred to in paragraphs 3 and 4 of Article 199 CRR, for residential / commercial immovable property situated within the territory of the US, based on (adjusted) US charge-off rates as published by the Board of Governors of the Federal Reserve System (US), retrieved from FRED, Federal Reserve Bank of St. Louis?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Classification of phishing-attacks as a reportable major ICT-related incident

Can individual phishing incidents that target the customers of a financial entity in their “private sphere” be subsumed under “compromises the security of the network and information systems” pursuant to Article 3 No. 8 of Regulation (EU) 2022/2554 and can they therefore constitute a major ICT-related incident that must be reported pursuant to Article 19 (1) of Regulation (EU) 2022/2554? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/1772 - RTS on the classification of ICT-related incidents and cyber threats

Types of "telephone services" included under the definition of "ICT services"

Which types of telephone services fall within the scope of the definition of "ICT services"? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Public Authorities Exemption

Is the exemption for public authorities as quoted in recital 63 sentence 3 last half-sentence meant to be a general exemption for all public authorities as defined under art. 3 no. 65 DORA when providing ICT related services in the context of fulfilling State functions, or is the exemption limited to payment services and payment-related solutions?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable