Digital operational resilience in the financial sector
Comprehensive legislation on various cyber security topics, including an oversight framework for service providers. It applies to nearly all types of financial entities in the EU.
Basic legislative acts
- Regulation (EU) 2022/2554 DORA regulation
- Directive (EU) 2022/2556 DORA directive
ICT risk management
- Commission Delegated Regulation (EU) 2024/1774 RTS on ICT risk management framework
ICT-related incidents
- Commission Delegated Regulation (EU) 2025/301 RTS on incident reporting
- Commission Delegated Regulation (EU) 2024/1772 RTS on incident classification
- Commission Implementing Regulation (EU) 2025/302 ITS on templates for incident reporting
Digital operational resilience testing
- Commission Delegated Regulation (EU) 2025/1190 RTS on threat-led penetration testing
ICT third-party service providers
- Commission Delegated Regulation (EU) 2024/1773 RTS on ICT third-party service provider policy
- Commission Delegated Regulation (EU) 2025/532 RTS on subcontracting ICT services
- Commission Implementing Regulation (EU) 2024/2956 ITS on register of information
Oversight framework
- Commission Delegated Regulation (EU) 2024/1502 Criteria for designating critical service providers
- Commission Delegated Regulation (EU) 2025/295 RTS on harmonisation for oversight conduct
- Commission Delegated Regulation (EU) 2025/420 RTS on joint examination teams