Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Subcontracting

Should a vendor be identified as a "subcontractor" simply because the ICT intra-group service provider to whom it provides services is part of a European financial group, even though the ICT services provided by the vendor are not connected to the ICT services provided by the intra-group service provider to FEs in their group.

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7332
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as Rejected Q&A: 23/09/2025

Definition and Scope of DORA

Does the definition of 3.19 include all service providers - no matter the relevance of their service for the digital resilience of the financial service e.g. providers of an employee survey tool or a recruitment tool, where the absence of their services would no have no impact on the resilience security of network and information systems supporting the business processes of financial entities. If in the affirmative, does this mean that any ICT third-party service provider falls within the scope of DORA ( see Article 2.1(u). As a consequence a service a digital employee exercise app provider will fall within the scope of DORA if they sell their services to a financial service provider? If in the affirmative, is this proportionate with regard to the impact that this has on ICT third-party service providers whose services have no impact on the security of network and information systems supporting the business processes of financial entities. If in the affirmative, do the financial authorities now have competence over all ICT third-party service providers, regardless of what kind of services they provide as long as they are providing services to a financial entity? * financial entity = or any other entity besides an ICT service provider

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7421
  • Topic: ICT third-party risk management
  • Date of submission:
  • Published as Rejected Q&A: 04/09/2025

Annual Report to the Competent Authorities on new Arrangements for the use of ICT services

Pursuant to the provisions of Chapter V, Section I, Article 28, Paragraph 3, of the DORA Regulation, which states “Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.,” we kindly request clarification on whether this provision requires a separate and specific communication in addition to the Register of Information, or whether the communication of such data is already fulfilled through the annual submission of the same Register, constituting a single compliance obligation. In the event that a separate communication is required in addition to the annual submission of the Register of Information, we kindly request clarification on the meaning of the term "categories of third-party ICT service providers" as mentioned in Article 28, Paragraph 3 of the DORA Regulation.

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7531
  • Topic: ICT third-party risk management
  • Date of submission:
  • Published as Rejected Q&A: 04/09/2025

ANNUAL REPORT ON NEW ARRANGEMENTS ON THE USE OF ICT SERVICES

Pursuant to the provisions of Chapter V, Section I, Article 28, Paragraph 3, of the DORA Regulation, which states: “Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.,” we kindly request clarification on whether this provision requires a separate and specific communication in addition to the Register of Information, or whether the communication of such data is already fulfilled through the annual submission of the same Register, constituting a single compliance obligation. In the event that a separate communication is required in addition to the annual submission of the Register of Information, we kindly request clarification on the meaning of the term "categories of third-party ICT service providers" as mentioned in Chapter V, Section I, Article 28, Paragraph 3 of the DORA Regulation.

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7468
  • Topic: Other DORA topics
  • Date of submission:
  • Published as Rejected Q&A: 04/09/2025

Identificación entidad financiera responsable del reporte DORA - Identification of the financial entity responsible for the DORA reporting

  ¿Si nuestra empresa no dispone de LEI, debemos informarla mediante el código europeo? ¿Qué diferencia existe entre las celdas B_01.01_0010 y B_01.02_0010 ? If our company doesn't have an LEI, should we report it using the European code? What's the difference between cells B_01.01_0010 and B_01.02_0010?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7403
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as Rejected Q&A: 31/07/2025

Correct classification of services related to the 'reselling' of software provided in SaaS mode

With reference to the correct identification of the type of ICT services, taking into account the types contained in ANNEX III of Regulation (EU) 2024/2956, how should services related to the 'reselling' of software provided in SaaS mode be classified?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7367
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as Rejected Q&A: 23/07/2025

Definition of ICT service

If a supplier must provide an ICT Service to fall under DORA, how should we determine what qualifies? Should we rely on the DORA regulation’s definition of an ICT Service, or should we use the Annex 3 list (S01-S19) from the ITS Register of Information?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7415
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 09/07/2025

Dora agreements - ICT service supports a CIF

When an ICT Service supports a Critical and Important Function (CIF) within a financial entity, providers must sign DORA agreements with their suppliers if the supplier: a)     Provides an ICT Service (as per the DORA definition). b)     Critically underpins the ICT Service, meaning its disruption could affect security or continuity (based on ITS on Register of Information, Article 3(2)(b)). Is this interpretation correct? Or must DORA agreements be signed with all critical suppliers, even those that do not provide ICT Services?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7414
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 09/07/2025

Register of ICT Services

Are these listed listed types of ICT-services (e.g., S07, S11, S12) covered under DORA’s definition of ICT Services? If not, can, e.g., facilities or infrastructure that do not include data or digital elements be excluded from this definition?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7412
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as Rejected Q&A: 09/07/2025

Definition of landline services

What are landline services in this context? Could it include fiber optics (e.g., black fiber)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7410
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 09/07/2025

Instructions for completing the register of information-Functions identification-Licenced activity

In the specifications of the DORA Register of Information file, in sheet B0601 for insurance and reinsurance undertakings, the list of values "List of possible values for all data fields with drop-downs (updated 3 March 2025)" appears, which does not include classes 17 ("Legal Expenses Insurance") and 18 ("Assistance"). Please inform us how these activities should be declared in the column "Licensed activity B06_01_0020".

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7395
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as Rejected Q&A: 25/06/2025

Exist a definition of information security standards

In DORA Article 28 (5), reference is made to "appropriate information security standards" and "of the most up-to-date and highest quality information security standards". Is There a definition of which standards are applicable here, or can credit institutions define the desired requirements themselves?"

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7369
  • Topic: ICT third-party risk management
  • Date of submission:
  • Published as Rejected Q&A: 25/06/2025

Definition of financial counterpart

Can you confirm whether our interpretation of the notion of ‘financial counterpart’ is correct?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7366
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 25/06/2025

Validation rule v8821_m

The validation rule defines that in the event that column 020 of the template is valorised with the identification code indicating LEI code (eba_qCO:qx2000) then column 030 must be valorised with a LEI code.In reality, column 020 indicates the type of code to identify the third-party ICT service provider indicated in column 010. Consequently, shouldn't the validation rule be correct that the check should be made on column 010 and not 030?  

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7341
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 25/06/2025

Register of Information Taxonomy reporting vs ITS on Register of Information

In the industry workshop of 18 of December 2024, which was a summary of Dry Run, it was stated that the reporting taxonomy provided shall be used for the reporting , while the current DORA 4.0 validation rules does not follow the instructions provided in the ROI ITS. We kindly ask you to confirm if the reporting shall follow the DORA 4.0 validation rules despite the mismatch with the ROI ITS. Differences between the law and the taxonomy: Requirement in Law Requirement in Taxonomy Additional question   B_01_01_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-2"     B_01_02_0010 stated as non-nullable, but is mentioned as nullable in "LEI - EUID checks VR-12"   B_02.03 does not include an extra column c0030 b_02.03 has a column c0030, that is required to be filled out What is the extra column used for? B_03.01 does not include an extra column c0030 b_03.01 has a column c0030, that is required to be filled out What is the extra column used for? B_03.03 does not include an extra column c0031 b_03.03 has a column c0031, that is required to be filled out What is the extra column used for? B_04.01 clarifies that column c0040 is only mandatory if the financial entity making use of the ICT service(s) is a branch of a financial entity (B_04.01.0030) B_04.01 column c0040 is mandatory. Which also requires at least 1 branch in B_01.03. What should be reported if a reporting entity does not have any branches? Should both B_01.03 and B_04.01 be empty. Or? B_05.01 c0030 & c0040 is optional B_05.01 c0030 & c0040 is required when c0070 = Legal person, excluding individual acting in a business capacity   B_05.01 c0110 is mandatory if the ICT-third party service provider is not the ultimate parent undertaking B_05_01_0110 is mandatory all the time according to the DPM   B_05.02 column c0060 & c0070 is mandatory, but not applicable for rank 1. An empty value should be reported if rank = 1  B_05.02 column c0060 & c0070 is always required. What should be reported in c0060 & c0070 if the rank = 1? B_01_01_0050 is mandatory in case of reporting B_01_01_0050 is always mandatory   B_01_01_0060 is mandatory in case of reporting B_01_01_0060 is always mandatory   B_01_02_0060 is mandatory B_01_02_0060 is optional in DPM   B_02_01_0030 is mandatory B_02_01_0030 is optional in DPM   B_02_02_0040 is mandatory B_02_02_0040 is optional in DPM   B_02_02_0130 is mandatory if the ICT service is supporting a critical or important function B_02_02_0130 is optional in DPM   B_02_02_0140 is mandatory if the ICT service is supporting a critical or important function B_02_02_0140 is optional in DPM   B_02.02.0150 is mandatory if Yes is reported in c0140 B_02.02.0150 is mandatory in DPM   B_02.02.0160 is mandatory if the ICT service is based on or foresees data processing B_02.02.0160 is mandatory in DPM   Additional to the question above: If changes will be made to the Taxonomy, when will these be made available? Do you foresee to apply changes to solve the aforementioned mismatch? If so, can you please share when this is expected to be done? If the current Taxonomy, DORA 4.0, must be followed for reporting, can we expect that all local authorities are required to accept the Register of Informations in the format aligned with the Taxonomy? We have experienced differences while doing a mock exercise to submit the reports to local authorities from the reporting technical package. To our knowledge, these discrepancies shall not exist and the national authorities to which entities have to report to are required to accept files that follow the reporting technical package. In this scenario, what actions can we expect to be taken?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2025_7362
  • Topic: ICT third-party risk management
  • Date of submission:
  • Published as Rejected Q&A: 05/05/2025

Financial entities subject to supervisory mechanisms as ICT third-party service providers.

Should financial entities providing ICT services to other financial entities (even if these ICT services are ancillary to regulated financial services)  be considered as ICT third-party service providers under the Regulation (EU) 2022/2554 and, consequently, should their contractual arrangements for the use of relevant ICT services include the key contractual provisions set out in Article 30 of the DORA Regulation; or otherwise, does the fact that these entities are already authorised/licenced/registered mean that they should not be considered as ICT providers and, therefore, that their contractual arrangements do not need to contain the requirements set out in Article 30?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7273
  • Topic: Other DORA topics
  • Date of submission:
  • Published as Rejected Q&A: 05/05/2025

Regulatory technical standards - subcontracting ICT services supporting critical or important functions

Where and when was the Comission Delegated Regulation (EU) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554 oficially published? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7310
  • Topic: Other DORA topics
  • Date of submission:
  • Published as Rejected Q&A: 17/03/2025

Applicability of Regulation (EU) 2022/2554 (DORA) to ICT services provided by financial entities.

Clarification is needed on whether financial institutions providing ICT services to other financial institutions – regardless of whether these services are ancillary to regulated financial activities – can be qualified as ICT third-party service providers under Regulation (EU) 2022/2554. If they are, must their contractual relationships comply with the mandatory provisions outlined in Article 30 of the mentioned Regulation or are these requirements inapplicable since such entities are already authorised/licenced/registered? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7288
  • Topic: Other DORA topics
  • Date of submission:
  • Published as Rejected Q&A: 17/03/2025

Are trust services under the scope of DORA, whatever the nature of the services

Financial institutions (EEFFs) subject to the DORA Regulation understand that Trust services, whatever they are, are “ICT services” and therefore their providers (Trust Service Providers / TSPs) are included in the scope of the DORA Regulation. However, these Trust services do not always constitute or are part of an essential or important function for the operation of such entities, but serve for auxiliary or internal functions of the entities.  Let's take the case of an electronic signature certificate used by a representative to sign contracts with suppliers or internal legal documents: is it essential for the continued operation of a bank, and would the suspension of the service significantly affect the authorized activity of the entity?  Another example: could the use of a platform that allows the remote management of electronic notifications sent to EEFFs by public administrations thanks to connectors that allow the entity to be identified with electronic certificates be considered essential for the EEFFs' operations? It is really a tool that facilitates the administrative procedures of the entity and is not part of the services it provides to its customers.    

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7200
  • Topic: ICT third-party risk management
  • Date of submission:
  • Published as Rejected Q&A: 19/02/2025

Lex Specialis NIS2 Directive

Are financial entities in scope of DORA required to submit incident reports under the NIS2 Directive ahead of DORA coming into effect in January 2025?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7060
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as Rejected Q&A: 18/02/2025