Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Template specific instructions - field B_01.02.0060 (LEI of the direct parent undertaking of the financial entity)

What should be reported in case the financial entity does not have a direct parent undertaking (for example, is the parent undertaking itself) or reports the register on an individual basis?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2024_7278
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as final Q&A: 28/03/2025

Template specific instructions – field B_01.02.0050 (Hierarchy of the financial entity within the group)

What does ‘where applicable’ mean in the title of data field B_02.01.0050?  What should be reported in this field in case the entity that is being reported in this template is not a financial entity (i.e., option 22, 23, or 24 was selected in field B_01.02.0040 for the entity type)?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information
  • ID: 2024_7277
  • Topic: Register of information (DORA)
  • Date of submission:
  • Published as final Q&A: 28/03/2025

Duplicate ICT Incident Reporting

Is duplicate incident reporting via the ECB SSM Cyber Incident Reporting Framework required, alongside DORA incident reporting under Article 19?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7050
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as final Q&A: 11/12/2024

Exemption for Non-EU ICT Intra-group Service Providers

Is it accurate to interpret that an ICT intra-group service provider established outside the EU (non-EU country), providing critical services to an EU-based financial institution (parent undertaking), falls within the exemption outlined in Article 31(8) of DORA, thereby exempting the need for establishing a subsidiary within the EU?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7096
  • Topic: Oversight framework of CTPPs
  • Date of submission:
  • Published as final Q&A: 11/12/2024

Critical Services Affected

Article 6 of the Delegated Act on the Classification of Major Incidents states that: "For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident:(a) affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;(b) affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities;(c) constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity." Can you confirm please that ALL three of the components are cumulatively required to trigger the criteria on Critical Services Affected?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7047
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as final Q&A: 11/12/2024