DORA Developments - July 2025
- James Ross
- Aug 2
Executive Summary
Key developments included the European Supervisory Authorities (ESAs) publishing a comprehensive guide on how the oversight framework for Critical Third-Party Providers (CTPPs) functions. Notably, the Regulatory Technical Standards (RTS) on subcontracting ICT services for critical functions came into force, imposing strict requirements for supply chain oversight. Additionally, the European Central Bank (ECB) finalised its guide on cloud outsourcing, clarifying supervisory expectations in line with DORA.
At the same time, the European Securities and Markets Authority (ESMA) modified the scope of its existing cloud guidelines to prevent overlap with the Act. Simultaneously, the European Banking Authority (EBA) consulted on updating its wider third-party risk management guidelines to support DORA by emphasising non-ICT arrangements. Lastly, ESMA released a report highlighting the systemic nature of cyber risk, using stress simulations to underline the importance of DORA’s framework.

Section 1: Oversight and Management of Third-Party Risk
The management and oversight of third-party providers (TPPs), encompassing both ICT and non-ICT services, were central themes in July.
1.1. ESA Guide on Oversight of Critical ICT Third-Party Providers (CTPPs)
On 15 July 2025, the ESAs published the "Guide on Oversight Activities" (JC 2025 29). This non-binding guide provides a detailed overview of the DORA framework for overseeing CTPPs, aiming to monitor risks, promote supervisory convergence, and mitigate systemic concentration risks.
Key Points:
Governance Structure: The guide details the roles of the Lead Overseer (LO), the Oversight Forum (OF), and Joint Examination Teams (JETs). It emphasises a coordinated approach via the newly established DORA Joint Oversight Venture (JOV).
Oversight Cycle and Powers: The framework outlines a cyclical process including CTPP designation, annual risk assessment, and execution of oversight activities, which include Requests for Information (RfI), general investigations, and on-site inspections (including in third countries, subject to conditions).
Recommendations and Consequences: Overseers issue non-binding recommendations. CTPPs must provide remediation plans or reasoned explanations for non-compliance. Failure to comply can lead to public disclosure and may prompt Competent Authorities to instruct Financial Entities (FEs) to suspend or terminate services as a last resort.
Implications: CTPPs face significantly increased scrutiny, financial obligations (oversight fees and potential penalties), and the requirement to establish formalised interaction points or subsidiaries within the EU. FEs must enhance their due diligence and maintain robust exit strategies, preparing for potential supervisory action based on CTPP oversight findings.
1.2. RTS on Subcontracting ICT Services Supporting Critical Functions
The Delegated Regulation detailing the RTS on subcontracting ICT services supporting critical functions entered into force on 22 July 2025. This regulation mandates that FEs maintain robust oversight across the entire ICT subcontracting chain.
Key Points:
Extended Due Diligence: FEs must assess risks associated with subcontractors, including their operational capabilities, information security, location, and potential concentration risks.
Contractual Controls: Contracts must explicitly detail conditions for subcontracting, ensuring monitoring, reporting, and business continuity requirements flow down the chain.
Transparency and Audit: FEs must secure rights to access, inspect, and audit subcontractors.
Termination Rights: FEs must be notified of material changes to subcontracting arrangements in advance and possess the right to object and terminate contracts if changes exceed their risk tolerance or if unauthorised subcontracting occurs.
Implications: This regulation significantly increases the due diligence burden on FEs, requiring visibility deep into the ICT supply chain (fourth and fifth parties). Extensive contract renegotiation will likely be necessary to incorporate the mandated clauses, audit rights, and termination rights.
1.3. EBA Consultation on Management of Third-Party Risk (Non-ICT)
The EBA released a consultation paper on draft guidelines for the management of third-party risk, updating its 2019 outsourcing guidelines. This update aligns the framework with DORA by clarifying that while DORA covers ICT risks, these guidelines harmonise the management of all other "third-party arrangements."
Key Points:
Broader Scope and Responsibility: The guidelines cover a wide range of entities (including under CRD, IFD, PSD2, and MiCAR) and emphasise that the management body retains ultimate responsibility for all third-party risks. They also aim to prevent FEs from becoming 'empty shell' entities.
The Register: FEs must maintain a detailed register of all non-ICT third-party arrangements, analogous to the DORA register for ICT services.
Critical Functions: Stricter requirements apply to essential functions, including mandatory tested exit strategies, comprehensive risk assessments (including concentration risk), and specific contractual clauses. Stricter conditions also apply when using TPPs in third countries for core activities.
Implications: FEs face a significant operational challenge in inventorying all non-ICT third-party relationships and maintaining the required register. The guidelines intensify the governance burden on management bodies and necessitate a holistic approach to third-party risk management (TPRM) across ICT and non-ICT arrangements.
Section 2: Cloud Outsourcing Guidance and Alignment
Supervisory bodies provided clarity on expectations for cloud outsourcing and ensured alignment with the DORA framework.
2.1. ECB Finalises Guide on Outsourcing Cloud Services
The ECB finalised its guide for banks on outsourcing to Cloud Service Providers (CSPs). While non-binding, it clarifies the ECB’s expectations under DORA and addresses risks stemming from market concentration and reliance on proprietary technologies.
Supervisory Expectations:
Governance and Risk: FEs retain full responsibility. Mandatory ex-ante risk assessments must cover vendor lock-in, data location, geopolitical risks, and concentration risks.
Resilience: Comprehensive business continuity measures are required, including segregated backups. For critical functions, resilient architectures (e.g., multiple active data centres, hybrid cloud, or multi-CSP strategies) are expected.
Security: Strong data encryption (in transit, at rest, and where feasible, in use) and robust, unique cryptographic key management are mandated.
Oversight and Exit: FEs must independently monitor CSPs (not relying solely on certifications) and ensure comprehensive, granular, and tested exit plans are in place for critical functions before go-live.
Implications: Firms must adopt proactive strategies for managing concentration risk and vendor lock-in. The expectations necessitate investment in specialised cloud expertise within governance and internal audit functions and a rigorous approach to testing exit strategies.
2.2. ESMA Aligns Cloud Outsourcing Guidelines with DORA
On 11 July 2025, ESMA published a final report amending its guidelines on outsourcing to CSPs. The update significantly reduces the scope of the guidelines to avoid duplication with DORA.
Key Points:
The guidelines now apply only to entities not covered by DORA, specifically certain depositaries of AIFs and UCITS funds.
Entities covered by DORA must now adhere to DORA's requirements for cloud outsourcing instead of the ESMA guidelines.
Implications: This establishes DORA as the primary framework for most FEs. However, CSPs must now navigate a dual regime, ensuring compliance with DORA for most clients and the ESMA guidelines for the specific depositaries still in scope.
Section 3: Systemic Cyber Risk Analysis
3.1. ESMA Report on Operational and Cyber Risks: Measurement and Stress Simulation
On 16 July 2025, ESMA published a report addressing the threat of cyber risk to EU financial stability. It highlights the role of DORA in improving incident visibility through mandatory reporting (effective 17 January 2025) and examines how incidents propagate through shared technologies and third-party providers.
The report included a stress simulation analysis on the EU repo market.
Key Points:
Systemic Impact: An operational disruption at any of the 10 largest settlement nodes could lead to an average system-wide liquidity shortage of EUR 35 billion.
Contagion Channels: Third-party dependencies and settlement hubs were identified as critical contagion channels, with network interconnectedness amplifying the impact of attacks.
Implications: The report underscores that cyber risk is a fundamental financial stability concern, not merely an IT issue. FEs must meticulously map their interdependencies with TPPs and critical market infrastructures. Furthermore, firms are encouraged to conduct their own scenario-based cyber stress tests, focusing on potential liquidity impacts and the resilience of critical economic functions.
#DORA #DigitalResilience #CyberSecurity #FinancialRegulation #RiskManagement #CloudGovernance #TPRM #FinTech