
DORA & Operational Resilience - August 2025

1. Executive Summary


August 2025 was characterised by a palpable shift in the regulatory landscape for digital operational resilience, moving from high-level principles to granular, technical implementation standards. Developments this month have refined the scope of the Digital Operational Resilience Act (DORA) and solidified expectations for coordinated, cross-border incident response.


A critical clarification from the European Banking Authority (EBA) regarding the DORA Register of Information now mandates the inclusion of specific non-financial entities (NFEs) involved in the ICT service supply chain. Concurrently, a European Systemic Risk Board (ESRB) report on the Pan-European Systemic Cyber Incident Coordination Framework (EU-SCICF) presages a new regime of harmonised supervisory collaboration. However, it flags material concerns regarding the framework's operational readiness ahead of the January 2025 deadline.


Beyond the EU, guidance from the UK's Financial Conduct Authority (FCA) and a G7 best-practice framework on incident recovery reinforce a global trend towards proactive, evidence-based resilience. A strategic shift is evident, moving towards the holistic management of the entire operational ecosystem—including third-party suppliers and complex intra-group dependencies. The key takeaway for firms is that operational resilience has evolved from a siloed compliance function into a core strategic imperative, demanding deep integration into governance, risk management, and technology architecture.


2. DORA Developments: Scope and Coordination Analysis


2.1 EBA Q&A: Broadened Scope of the DORA Register of Information


The EBA issued a pivotal clarification (Q&A ID 2025_7297) on DORA Article 28(9), resolving a significant ambiguity concerning the Register of Information. This clarification carries direct and immediate implications for data collection and reporting obligations.


Key Finding:


Financial entities are now required to include NFEs from within their corporate structure in the DORA Register of Information if those NFEs are involved in the provision of ICT services. This is not a blanket requirement but is specifically targeted at:


  1. NFEs functioning as ICT intra-group service providers.

  2. NFEs that are party to contractual arrangements for ICT services on behalf of an in-scope financial entity.


Implications for Firms:


  • Broadened Scope of Information Register: Firms must now conduct a comprehensive review of their corporate and contractual structures to identify all entities within scope. The previous assumption that only financial entities were relevant is now invalid.

  • Enhanced Cross-Functional Governance: Effective compliance will require formalised collaboration between Legal, Compliance, ICT, Procurement, and Vendor Management functions to map these complex service provision relationships accurately.

  • Granular Data Aggregation and Mapping: Firms must engineer robust data aggregation processes to ensure accuracy, consistency, and traceability across DORA reporting templates, specifically B_01.02, B_03.01, and B_05.01, reinforcing DORA's holistic oversight model.


2.2 ESRB Report: Pan-European Cyber Incident Coordination Framework (EU-SCICF)


The ESRB's assessment of the EU-SCICF provides critical insight into the future of systemic risk management and supervisory expectations under DORA.

Key Finding: While the conceptual architecture of the EU-SCICF is considered robust, the ESRB expressed material concerns regarding its operationalisation and practical readiness by the January 2025 DORA enforcement date. The report underscores the need for substantive resource allocation and enhanced engagement from national competent authorities.


Implications for Firms:


  • Heightened Supervisory Convergence: The framework will facilitate a more harmonised and coordinated supervisory approach to significant cyber incidents. Firms should anticipate consistent, cross-border information requests and a unified regulatory response during a crisis.

  • Mandate for Advanced Resilience Testing: The report's emphasis on stress-testing the framework translates into a supervisory expectation for firms to adopt more sophisticated and rigorous testing regimes (e.g., Threat-Led Penetration Testing) and participate in sector-wide exercises.

  • Scrutiny of Resource Allocation:


Implications for Firms:


  • Proactive Framework Development: Firms should not wait for an incident to occur; they must proactively develop or refine their own reconnection frameworks based on this G7 guidance, incorporating the five-phase model.

  • Prepare for Attestation: Firms that have been compromised will be required to provide comprehensive, signed attestations detailing the incident, remediation, and evidence of recovery. Client firms must define their criteria for accepting such attestations.

  • Enhance Communication Protocols: Structured, phase-by-phase communication plans are essential for managing expectations with clients, regulators, and sector peers during an incident.

