18 March 2025

Regulations and level three documents recently published under the Digital Operational Resilience Act

To The Point

The European authorities and the EU Commission have recently issued several regulations and level three documents under the Digital Operational Resilience Act (DORA). These include final guidelines on ICT and security risk management in the context of DORA application, a new Delegated Regulation on RTS on threat-led penetration testing, and the roadmap for the designation of critical ICT third-party service providers under DORA.

The European authorities and the EU Commission have recently issued several regulations and level three documents under DORA. These include the following:

1. EBA amends final guidelines on ICT and security risk management in the context of DORA application

On 11 February 2025, the European Banking Authority (EBA) published a final report (EBA/GL/2025/02) containing guidelines amending its guidelines on ICT and security risk management.

The EBA updated its guidelines on ICT and security risk management, initially effective from 30 June 2020, in response to the introduction of the Regulation on digital operational resilience for the financial sector (DORA) which came into effect on 17 January 2025. These updates aim to align with DORA's harmonised requirements across the financial sector, including banking and insurance, by narrowing the scope of entities and guidelines covered. Specifically, the revisions limit the application of the guidelines to entities within DORA's scope, such as credit institutions and certain payment service providers, and focus the guidelines' content primarily on relationship management for payment service users. The adjustments ensure transparency and legal certainty, acknowledging that while some entities and requirements overlap with DORA, PSD2's security and operational risk management obligations persist for entities like post office giro institutions and credit unions not covered by DORA. The amended guidelines will be effective two months following their translation into official EU languages and publication.

2. European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA

On 13 February 2025, the European Commission adopted a Delegated Regulation (C(2025) 885 final) supplementing Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, with the aim of ensuring that financial entities regularly assess their ICT systems. The purpose of such testing is to verify the effectiveness of their preventive and resilience measures and to address any ICT vulnerabilities identified.

The Regulation focuses on threat-led penetration testing (TLPT). It outlines criteria for identifying financial entities required to perform TLPT, standards for internal testers, and requirements for the testing phases, including scope, methodology, results, closure and remediation.

Consultations with stakeholders across the financial sector resulted in adjustments to the draft regulatory technical standards (RTS) to address concerns about the requirements for TLPT providers and the proposed testing process. Key changes include revised criteria for selecting insurance and reinsurance undertakings for mandatory TLPT, clarifications on pooled and joint TLPTs involving multiple financial entities and ICT service providers, and more flexible requirements for testers and threat intelligence providers.

The Regulation emphasises the importance of supervisory cooperation and mutual recognition of TLPT results across Member States to reduce market fragmentation.

3. ESAs publish roadmap for designation of critical ICT third-party service providers under DORA

On 18 February 2025, the European Supervisory Authorities (ESAs) (that is, the EBA, EIOPA and ESMA) published a roadmap for the designation of critical ICT third-party service providers (CTPPs) under DORA (Regulation (EU) 2022/2554).

The roadmap outlines a four-step process for designating CTPPs in 2025, with deadlines as follows:

  • By 30 April 2025, the ESAs will gather registers of ICT third-party arrangements from financial entities.
  • By the end of July 2025, the ESAs will conduct criticality assessments in accordance with DORA and inform third-party service providers of their critical status.
  • By mid-September 2025, a six-week hearing period will allow ICT third-party service providers to object to their assessment.
  • By the end of 2025, the ESAs will announce the designated CTPPs and begin their oversight, while also maintaining ongoing market engagement.

The EBA press release adds that non-critical ICT third-party service providers will be able to voluntarily seek designation after the list of CTPPs is published, with details of the request process to follow.

Next steps

If you would like to discuss anything raised in this article, feel free to contact our Financial Regulation team.
