DORA 2025 News Updates
Get the latest news and regulatory updates on the Digital Operational Resilience Act (DORA). This page covers key developments and official announcements from the relevant authorities as DORA takes effect in 2025.
18/02/2025: Update from the European Supervisory Authorities (ESAs)
The ESAs (EBA, EIOPA, and ESMA) are moving forward with the implementation of the pan-European oversight framework for critical ICT third-party service providers (CTPPs) under DORA. This year, they aim to designate CTPPs and commence oversight engagement.
Key Steps
- Collection of Registers of Information: Competent Authorities to submit ICT third-party arrangements by 30 April 2025.
- Criticality Assessments: ESAs to notify ICT third-party service providers of their critical status by July 2025, followed by a six-week objection period.
- Final Designation: Post-objection period, ESAs will designate CTPPs and begin oversight engagement.
An online workshop with ICT third-party providers is planned for Q2 2025 to clarify the designation process and oversight approach.
12/02/2025: TIBER-EU framework DORA update on threat-led penetration testing (TLPT)
The Eurosystem has just updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT). This comprehensive framework provides detailed guidance on how authorities, entities, threat intelligence providers, and red-team testers can collaborate to enhance the cyber resilience of entities through controlled cyberattacks.
Key updates
- Alignment of process steps with DORA RTS deliverables, incorporating strict timelines.
- Mandatory purple-teaming as prescribed by DORA RTS.
- Terminological changes for consistency with DORA, such as renaming "White Team" to "Control Team".
- Establishment of TIBER-EU guidance documents to ensure secure and controlled TLPT execution.
- Updated guidance for assessing the quality of service providers.
- Simplified national implementation guide requirements for authorities.
20/01/2025: European Commission rejects key ICT subcontracting conditions under DORA
The European Commission has rejected the proposed subcontracting requirements for ICT services under DORA, specifically Article 5 and Recital 5 in the draft regulatory technical standards (RTS). The Commission argues that the proposed conditions exceed the legal mandate set out in Article 30(5) of DORA, particularly regarding the monitoring of subcontracting chains. The European Supervisory Authorities (ESAs) have six weeks (i.e. until 4th March 2025) to revise the RTS to align with the Commission's position.
Financial institutions and ICT providers that had already factored these provisions into contracts now face uncertainty as they await the revised RTS. As regulatory discussions continue, DORA in-scope entities should remain prepared for potential adjustments to ICT Outsourcing Agreements.