DORA consultancy - helping financial institutes across the UK and Europe.



Latest news


The ICT subcontracting RTS was finally approved. While the final version contains certain simplifications compared to the draft, it still requires a significantly detailed risk assessment and ongoing management of ICT third-party suppliers. Be prepared to identify the full chain of subcontractors, continuously monitor and assess the associated risks, and conduct audits.

The audit, by the way, is not a tick-box exercise: the liability still lies with you.

Veeam published the results of a survey stating the obvious: "96% of EMEA financial services organizations still feel their current level of data resilience falls short."
Leaving aside other unclear statements, vendor-sponsored surveys are usually biased. Which is fine; everyone wants to jump on the bandwagon.


The ESAs provided a roadmap towards the designation of CTPPs under DORA.
  • Collection of the Registers of Information: Competent Authorities must submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
  • Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  • Final Designation: After six weeks, the ESAs will designate CTPPs and initiate oversight engagement.
Not much time, April is just around the corner...


The Luxembourg parliament voted for national bill 8291 to incorporate the EU DORA regulation into local law.
Not surprisingly, the CSSF (Commission de Surveillance du Secteur Financier) added a few details about sanctions:
  • Personal fines - up to €5m
  • Company fines - up to €5m or 10% of global revenue
  • Obstructing the regulator, failing to comply with its injunctions, or knowingly providing inaccurate or incomplete information - €250 to €250,000
  • Transmission of information to the State Prosecutor for criminal prosecution
We expect that other EU Member States will adopt a similar approach.


ECB consults on outsourcing cloud services.
The European Central Bank (ECB) launches a public consultation on its new Guide on outsourcing cloud services to cloud service providers.

Surprise, surprise: the full responsibility continues to lie with the institution in question...


ESAs launch joint consultation on second batch of policy mandates, including:

  • RTS and ITS on content, timelines and templates on incident reporting
  • GL on aggregated costs and losses from major incidents
  • RTS on subcontracting of critical or important functions
  • RTS on oversight harmonisation
  • GL on oversight cooperation between ESAs and competent authorities
  • RTS on threat-led penetration testing (TLPT)
If you have something to say, you can do so here until 4 March 2024.


The Bank of England decided to press ahead with its operational resilience legislation updates and released the consultation paper "CP26/23 - Operational resilience: Critical third parties to the UK financial sector" here.

There are some similarities with DORA, but, as usual, the BoE is not taking the easy road and presents several nuances that need to be carefully assessed.


The European Supervisory Authorities (ESAs) surveyed 1,600 EU financial entities about the provision of ICT services by third-party service providers (approximately 15,000 TPPs).

Our review is here

Heads up: Financial entities and their IT providers should be worried about highly concentrated and non-substitutable environments.


The German Federal Financial Supervisory Authority (BaFin) and the Federal Ministry of Finance released a draft Act on the Digitalisation of the Financial Market (Finanzmarktdigitalisierungsgesetz, FinmadiG), which includes several crypto-related legal requirements and the EU DORA package.
This is an interesting view, effectively requiring all crypto entities to comply with the full DORA framework regardless of their size. Details in German here.


ESAs consult on the first batch of DORA policy products
Consultation on the first batch of Digital Operational Resilience Act (DORA) policy products
  • Consultation paper on RTS on ICT risk management framework (Art.15) and RTS on simplified ICT risk management framework (Art.16)
  • Consultation paper on RTS on criteria for the classification of ICT-related incidents (Art.18.3)
  • Consultation paper on ITS to establish the templates for the register of information (Art.28.9)
  • Consultation paper on RTS to specify the policy on ICT services performed by ICT third-party providers (Art.28.10)
The consultation ended on 11 September 2023. Meanwhile, check out our reviews of the full framework, the simplified framework, third-party risk and management.


ESAs launch discussion on criteria for critical ICT third-party service providers and oversight fees
Happy times... The ESAs are proposing two major definitions for oversight activities:
  • The criterion for designation as a Critical Third-Party Provider (CTPP) is (tentatively) serving 10% or more of the total number of financial entities in the EU
  • Suggested minimum fees start at €50,000 a year plus a yet-unknown share of annual revenue (TBD)
The consultation ended on 23 June, and the expected technical advice has just been published.
It is interesting reading, especially the comments section. The suggested criteria were accepted.
The suggested ESA fees for companies under ESA oversight:
ICT providers under ESA oversight are unlikely to be happy about it.


The European Securities and Markets Authority (ESMA), the EU’s financial market regulator and supervisor, published its work programme for 2024. One of the DORA-related projects is to conduct a feasibility study for the establishment of a single EU Hub for centralising major ICT-related incidents reporting.
This indicates regulatory attention to incident management and associated reporting.

The proposed new PSD3 directive also sets out specific rules on information and communication technology (ICT) security controls and mitigation elements for obtaining an authorisation to provide payment services. Chapter 5, "Operational and security risks and authentication", describes several controls that are fully aligned with the requirements of DORA.


DORA impact on Indian outsourcers.
It is about time the large global ICT providers started evaluating their compliance with the new regulation. Based on a recent article in the Times of India (10 June 2023), there seems to be a lack of understanding of the EU legislative process (which is already complete) and of the activities expected from third-party providers.
We expect some unpleasant surprises here...

Would you like to talk about DORA compliance? Contact us.