9 June 2026. ISO 27001, SOC 2 and HIPAA are not DORA evidence. A procurement team at one of the world's largest insurers had made SOC 2 a hard prerequisite for ICT suppliers, with no rationale that survived a second question. Certifications and clean audit reports answer whether reasonable controls existed at a point in time. DORA asks whether a critical supplier can keep operating through a severe-but-plausible disruption and prove it with evidence a regulator can verify. Our analysis of why the “send me your SOC 2 and we are done” workflow is now a liability, and what third-party risk management has to do instead: Caught in the middle: why DORA means tough times for Procurement.

18 March 2026. Bank of England PS7/26 on operational incident and third-party reporting. The PRA published PS7/26, establishing a single PRA framework for reporting operational incidents and material third-party arrangements. The drafting choices were made with explicit interoperability with DORA and the FSB FIRE format in mind. New supervisory statement SS1/26 covers incident reporting. SS2/21 on outsourcing and third-party risk management has been updated alongside it. Rules take effect on 18 March 2027. Twelve months to align internal taxonomies, the material third-party list and the reporting pipelines, rather than discover the divergence between UK and EU expectations in production.

14 January 2026. UK and EU regulators sign MoU on cross-border CTPP oversight. The three ESAs (ESMA, EBA, EIOPA) and the UK authorities (Bank of England, PRA, FCA) signed a Memorandum of Understanding covering oversight of critical ICT third-party providers under DORA and the parallel UK CTP regime. The MoU sets out information sharing during incidents, coordination of examinations, and a process for handling providers in scope of both regimes (see also the Bank of England announcement). For providers operating across both jurisdictions, the intent is one set of artefacts rather than two; the practice will need some watching.

November 2025. ECB Supervisory Priorities 2026-2028. ECB Banking Supervision published its supervisory priorities for 2026-2028. Three lines stand out for DORA-affected entities: targeted threat-led penetration testing across selected banks; a deep-dive review of cloud concentration risk and bank preparedness for a major cloud-provider disruption; and a focused review of ICT change management practices. The supervisory message tracks the oversight one: examiners will not be satisfied with policies on paper, they want to see evidence the controls hold under stress. See also our analysis of TLPT under DORA.

18 November 2025. ESAs designate the first list of CTPPs under DORA. The three ESAs published the first list of designated critical ICT third-party providers, with parallel announcements on the EBA and EIOPA websites. This is the moment the DORA oversight framework moves from preparatory to operational, with the Joint Examination Teams now engaging directly with designated providers. We have a separate analysis of what the Critical 19 list actually tells us: the subcontracting chain, the on-prem and co-location segment that the cloud-native framing misses, and the sovereignty profile of the designated providers.

The ICT subcontracting RTS has finally been approved. While the final version contains some simplifications compared to the draft, it still requires a highly detailed risk assessment and ongoing management of ICT third-party suppliers. Be prepared to identify the full chain of subcontractors, continuously monitor and assess the associated risks, and conduct audits.

The audit, by the way, is not a check-box exercise, as the liability still lies with you.

Veeam published the results of a survey stating the obvious: "96% of EMEA financial services organizations still feel their current level of data resilience falls short."

Without going into the survey's other unclear statements, vendor-sponsored surveys are usually biased. Which is OK; everyone should jump on the bandwagon.

The ESAs provided a roadmap towards the designation of CTPPs under DORA.

  • Collection of the Registers of Information: Competent Authorities must submit to the ESAs, by 30 April 2025, the Registers of Information on ICT third-party arrangements they received from financial entities.
  • Criticality assessments: The ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  • Final Designation: After six weeks, the ESAs will designate CTPPs and initiate oversight engagement.

Not much time, April is around the corner...

The Luxembourg parliament voted for national bill 8291, incorporating the EU DORA regulation into local law.

Not surprisingly, the CSSF (Commission de Surveillance du Secteur Financier) added a few details about sanctions:

  • Personal fines - up to €5m
  • Companies - up to €5m or 10% of global revenue
  • Obstructing the regulator, not complying with its injunctions and knowingly providing inaccurate or incomplete information - €250-250,000
  • Transmission of information to the State Prosecutor for criminal prosecution

We expect other EU Member States to adopt a similar approach.

ECB consults on outsourcing cloud services.

The European Central Bank (ECB) has launched a public consultation on its new Guide on outsourcing cloud services to cloud service providers.

Surprise-surprise - the full responsibility continues to lie with the institution in question...

ESAs launch joint consultation on second batch of policy mandates, including:

  • RTS and ITS on content, timelines and templates on incident reporting
  • GL on aggregated costs and losses from major incidents
  • RTS on subcontracting of critical or important functions
  • RTS on oversight harmonisation
  • GL on oversight cooperation between ESAs and competent authorities
  • RTS on threat-led penetration testing (TLPT)

If you have something to say, you can do this here until 4 March 2024.

The Bank of England decided to push ahead with its operational resilience legislation updates and released the consultation paper "CP26/23 - Operational resilience: Critical third parties to the UK financial sector" here.

There are some similarities with DORA, but as usual the BoE is not taking the easy route and introduces several nuances that need to be carefully assessed.

The European Supervisory Authorities (ESAs) surveyed 1,600 EU financial entities about the provision of ICT services by third-party service providers (approximately 15,000 TPPs).

Our review is here.

Heads up: Financial entities and their IT providers should be worried about highly concentrated and non-substitutable environments.

The German Federal Financial Supervisory Authority (BaFin) and the Federal Ministry of Finance released a draft Act on the Digitalisation of the Financial Market (Finanzmarktdigitalisierungsgesetz - FinmadiG), which includes several crypto-related legal requirements and the EU DORA package.

This is an interesting position, effectively requiring all crypto entities to comply with the full DORA framework regardless of their size. Details in German here.

ESAs consult on the first batch of DORA policy products

Consultation on the first batch of Digital Operational Resilience Act (DORA) policy products

  • Consultation paper on RTS on ICT risk management framework (Art.15) and RTS on simplified ICT risk management framework (Art.16)
  • Consultation paper on RTS on criteria for the classification of ICT-related incidents (Art.18.3)
  • Consultation paper on ITS to establish the templates for the register of information (Art.28.9)
  • Consultation paper on RTS to specify the policy on ICT services performed by ICT third-party providers (Art.28.10)

The consultation ended on 11 September 2023. Meanwhile, check out our reviews of the full framework, the simplified framework, third-party risk and incident management.

ESAs launch discussion on criteria for critical ICT third-party service providers and oversight fees

Happy times... The ESAs are proposing two major definitions for the oversight activities:

  • The criterion for designation as a Critical Third-Party Provider (CTPP) is (tentatively) 10% or more of the total number of financial entities in the EU
  • Suggested minimum fees start at €50,000 a year plus an as-yet-unspecified amount based on annual revenue (TBD)

The consultation ended on 23 June, and the expected technical advice has just been published.

It is interesting reading, especially the comments section. The suggested criteria were accepted.

The suggested ESA fees for companies under ESA oversight

ICT providers under ESA oversight are unlikely to be happy about it.

The European Securities and Markets Authority (ESMA), the EU's financial market regulator and supervisor, published its work programme for 2024. One of the DORA-related projects is to conduct a feasibility study for the establishment of a single EU Hub for centralising major ICT-related incidents reporting.

This indicates regulatory attention to incident management and associated reporting.

The newly proposed PSD3 directive also sets out specific rules on information and communication technology (ICT) security controls and mitigation elements for obtaining an authorisation to provide payment services. Chapter 5, "Operational and security risks and authentication", describes several controls that are fully aligned with the requirements of DORA.

DORA impact on Indian outsourcers.

It is about time the large global ICT providers started evaluating their compliance with the new regulation. Based on a recent article in the Times of India (10 June 2023), there seems to be a lack of understanding of the EU legislative process (which is already complete) and of the activities expected from third-party providers.

We expect some unpleasant surprises here...
