Digital Operational Resilience Act (DORA): H1 2025 Implementation Report

Executive Summary


The first half of 2025 marked a critical phase in the operationalisation of the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. Following the regulation's entry into application, the European Supervisory Authorities (ESAs) and the European Commission prioritised the finalisation of the Level 2 legislative framework. This period saw the formal adoption of key Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), the establishment of the oversight framework for Critical Third-Party Providers (CTPPs), and the initiation of infringement procedures against Member States for delayed transposition of the accompanying Directive (EU) 2022/2556.

I. Finalisation of Regulatory and Implementing Technical Standards


The primary objective for regulatory bodies in H1 2025 was the codification of granular technical standards to provide legal certainty and facilitate harmonised compliance by financial entities.


  • Sub-contracting of ICT Services: A pivotal development was the finalisation of the RTS governing the sub-contracting of ICT services that support critical or essential functions. The legislative process involved a formal rejection of the initial draft RTS by the European Commission, which was subsequently addressed by a formal opinion from the Joint Committee of the ESAs. The European Commission's ultimate adoption of the final RTS delineates the specific due diligence protocols and risk assessment methodologies that financial entities are mandated to perform when their ICT third-party providers engage in further subcontracting.

  • Incident Reporting and Classification: The legal framework for the classification and reporting of major ICT-related incidents was solidified through the publication of two key legal acts:

    • Commission Delegated Regulation (EU) 2025/301 (RTS): This regulation specifies the criteria for classifying ICT-related incidents as "major," defines thresholds for determining significant cyber threats, and establishes the detailed content and deadlines for incident notification and reporting to competent authorities.

    • Commission Implementing Regulation (EU) 2025/302 (ITS): This regulation complements the RTS by establishing the standardised templates, forms, and procedures that financial entities must use for reporting, ensuring consistency and comparability of data across the Union.

  • Threat-Led Penetration Testing (TLPT): The requirements for advanced security testing for designated financial entities were formally detailed in a Delegated Regulation on RTS for threat-led penetration testing, which was published in the Official Journal of the European Union. Concurrently, the European Central Bank (ECB) updated its TIBER-EU framework, ensuring its methodologies and procedures for intelligence-led red team testing are fully congruent with the DORA TLPT requirements.

  • Oversight Activities and Risk Management: The Commission further supplemented the DORA framework by adopting Delegated Regulation (EU) 2025/295, which contains RTS specifying the conditions for the conduct of oversight activities by the Lead Overseers. Additionally, a corrigendum to the Commission Delegated Regulation on RTS for the ICT risk management framework was published, rectifying a technical error in the previous legal text.


II. Establishment of the Oversight and Collaborative Frameworks


A central pillar of DORA is the creation of a direct, pan-European oversight framework for CTPPs and the enhancement of cooperation mechanisms among national and European authorities.


  • Roadmap for CTPP Designation: The ESAs published a formal roadmap detailing the methodology and timeline for the designation of CTPPs. This document outlines the multi-stage process, which includes the collection of information registers from financial entities via competent authorities, the execution of criticality assessments based on the criteria in Article 31, and the formal designation of the inaugural cohort of CTPPs.

  • EU-SCICF Forum: To bolster crisis management and coordination for major cross-border cyber incidents, the ESAs officially approved the terms of reference for the new EU Systemic Cyber Incident Coordination Framework (EU-SCICF) Forum. This forum provides a structured platform for information sharing and coordinated response actions among financial supervisors and other relevant public authorities.

  • Joint Examination Teams: The legal basis for cross-authority collaboration in the oversight of CTPPs was further specified with the publication of a Delegated Regulation detailing the criteria for the composition of joint examination teams. This regulation ensures a balanced representation of expertise from the ESAs and relevant competent authorities in the conduct of joint oversight activities.


III. Guidance, Harmonisation, and Enforcement


In parallel with the development of new legal acts, authorities focused on issuing guidance to promote consistent application and initiated enforcement measures to ensure timely implementation.


  • EBA Guidelines on Risk Management: The European Banking Authority (EBA) amended its final guidelines on ICT and security risk management. This revision was undertaken to align the existing policies with the DORA regulation, thereby preventing regulatory arbitrage and ensuring a single, harmonised rulebook for ICT risk management.

  • Estimation of Incident Costs and Losses: To foster a uniform methodology for quantifying the financial impact of incidents, official translations of the ESA guidelines on the analysis of aggregated annual costs and losses caused by major ICT-related incidents were disseminated.

  • Infringement Procedures for Non-Transposition: The European Commission initiated formal infringement proceedings by sending letters of formal notice to several Member States. These actions were taken in response to the failure of these states to meet the statutory deadline for transposing the DORA Amending Directive (EU) 2022/2556 into their national legal systems.


IV. Conclusion


The regulatory and supervisory activities undertaken in the first half of 2025 represent a substantial advancement in the operationalisation of the DORA framework. The finalisation of key technical standards has provided essential legal clarity for the financial industry. Concurrently, the establishment of the CTPP oversight architecture and collaborative forums has laid the institutional foundation for a more resilient European monetary system. The regulatory focus will now transition towards active supervision, the execution of the first CTPP designation cycle, and the rigorous monitoring of compliance across the Union.