Authoritative external content
Comprehensive legislation on various cyber security topics, including an oversight framework for service providers. It applies to nearly all types of financial entities in the EU.
Basic legislative acts
ICT risk management
ICT-related incidents
- Delegated Regulation (EU) 2025/301 RTS on incident reporting
- Delegated Regulation (EU) 2024/1772 RTS on incident classification
- Implementing Regulation (EU) 2025/302 ITS on templates for incident reporting
Digital operational resilience testing
- Delegated Regulation (EU) 2025/1190 RTS on threat-led penetration testing
ICT third-party service providers
- Delegated Regulation (EU) 2024/1773 RTS on ICT third-party service provider policy
- Delegated Regulation (EU) 2025/532 RTS on subcontracting ICT services
- Implementing Regulation (EU) 2024/2956 ITS on register of information
Oversight framework
- Delegated Regulation (EU) 2024/1502 Criteria for designating critical service providers
- Delegated Regulation (EU) 2025/295 RTS on harmonisation for oversight conduct
- Delegated Regulation (EU) 2025/420 RTS on joint examination teams