The regulatory landscape for the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) continues to evolve as the European authorities refine its Level 2 technical standards in response to industry feedback and implementation experience. This article summarizes the developments in DORA technical standards published so far in 2025 and what they mean for financial entities in scope.

Recent Technical Standards Developments

February 2025: EBA Guidelines Amendment

On February 11, 2025, the European Banking Authority (EBA) amended its Guidelines on ICT and security risk management (EBA/GL/2019/04) to reflect the application of DORA, which now covers most of the ground the Guidelines previously addressed. The amendments aim to:

  • Simplify Framework: Reduce complexity in ICT risk management requirements
  • Legal Clarity: Provide clearer guidance on specific provisions
  • Narrow Scope: Limit the entity scope of the Guidelines to those entities that are also covered by DORA, so that the two frameworks no longer overlap
  • Practical Implementation: Offer more actionable guidance for compliance

TIBER-EU Framework Update

Also on February 11, 2025, the European Central Bank (ECB) published an updated version of the TIBER-EU framework for threat intelligence-based ethical red teaming, aligning it with DORA's regulatory technical standard (RTS) on threat-led penetration testing (TLPT) so that a test run under TIBER-EU can be used to meet the DORA TLPT obligation. Key changes include:

  • Alignment with DORA Article 26, which requires in-scope financial entities to carry out TLPT at least every three years
  • Clarified threat-led penetration testing (TLPT) procedures
  • Updated guidance on red team qualifications
  • Improved incident handling during TLPT exercises
  • Strengthened coordination mechanisms with supervisors

March 2025: Subcontracting RTS Amendment

On March 7, 2025, the European Supervisory Authorities (ESAs: the EBA, EIOPA and ESMA) published a statement acknowledging the European Commission's amendments to the draft RTS on subcontracting under DORA. This followed the Commission's letter of January 21, 2025, informing the ESAs that it would not adopt the original draft RTS in the form submitted.

The Subcontracting Standards Controversy

European Commission Rejection

In a significant development, the European Commission declined in January 2025 to adopt the ESAs' draft RTS on subcontracting arrangements as submitted. Its central objection was that the draft's provisions requiring financial entities to monitor the entire chain of ICT subcontractors went beyond the mandate given to the ESAs in Article 30(5) of DORA. The Commission's stated concerns were that:

  • Provisions on monitoring the subcontracting chain exceeded the mandate conferred on the ESAs
  • The resulting requirements were disproportionate to the risks addressed
  • Implementation costs would be excessive relative to the expected benefits
  • The approach was inconsistent with the Level 1 text of DORA

Revised Approach

The amended RTS, adopted by the Commission in March 2025 with the chain-monitoring provision removed, features:

  • Proportionate Monitoring: Oversight of subcontracting arrangements scaled to the criticality of the ICT service supported
  • Risk-Based Focus: Enhanced requirements only for subcontracting that supports critical or important functions
  • Notification Requirements: Clearer triggers for when a material change to subcontracting must be notified to the financial entity
  • Contractual Clauses: Refined provisions on the conditions under which subcontracting may be permitted in contracts

Practical Implications

Financial institutions should:

  • Review subcontracting notification and approval processes so that material changes by ICT third-party providers are caught and assessed before they take effect
  • Identify which subcontracting arrangements support critical or important functions and therefore attract the enhanced requirements
  • Update third-party contracts to reflect the amended requirements
  • Adjust due diligence approaches for subcontractor oversight, focusing effort on the arrangements that matter
  • Document decision-making on subcontracting risk management so that it can be evidenced to supervisors

Published Delegated and Implementing Regulations

Official Journal Publications

The EU has published several Commission Delegated and Implementing Regulations under DORA in the Official Journal, covering in particular:

Incident Reporting Standards

  • Detailed criteria for major ICT-related incident classification
  • Standard forms and templates for incident notifications
  • Timelines for initial, intermediate, and final reports
  • Information elements required at each reporting stage

Oversight Activities Standards

  • Harmonized conditions for the ESAs' oversight of critical ICT third-party providers (CTPPs)
  • Procedures for on-site inspections and general investigations by the Lead Overseer
  • Information request protocols
  • Enforcement frameworks, including the imposition of periodic penalty payments

TLPT Requirements

  • Detailed threat-led penetration testing methodology, including the use of internal testers
  • Qualification criteria for threat intelligence and red team providers
  • Guidance on determining the scope of a test
  • Reporting and remediation requirements following a test

Implementing the Updated Standards

Priority Actions for Financial Institutions

Given the recent amendments, organizations should:

  1. Gap Analysis: Compare current practices against amended standards
  2. Policy Updates: Revise ICT risk management policies and procedures
  3. Contract Review: Update third-party contracts with revised clauses
  4. Training: Educate staff on clarified requirements
  5. Documentation: Enhance evidence of compliance with specific standards

EBA Guidelines Implementation

For the amended EBA Guidelines:

  • Review the simplified ICT risk management framework
  • Adjust governance structures based on clarified expectations
  • Update risk assessment methodologies
  • Refine incident management procedures
  • Enhance testing programs to meet clarified standards

TIBER-EU Alignment

For TLPT updates:

  • Review threat-led testing plans against updated framework
  • Ensure red team providers meet revised qualification criteria
  • Update TLPT scope definition procedures
  • Enhance coordination with supervisory authorities
  • Refine post-test reporting and remediation processes

Incomplete Technical Standards

Work in Progress

As of October 2025, not all delegated and implementing regulations foreseen under DORA have been finalized and become applicable. This creates compliance challenges because:

  • Some detailed requirements remain subject to interpretation
  • Industry practices are still evolving
  • Supervisory expectations may vary pending final standards
  • Implementation approaches may need adjustment as standards are finalized

Managing Uncertainty

Best practices include:

  • Monitor Developments: Track regulatory publications and consultations
  • Industry Engagement: Participate in trade association responses
  • Flexible Design: Build compliance programs adaptable to changes
  • Documentation: Record compliance approaches and rationales
  • Supervisor Dialogue: Engage with authorities on interpretive questions

Cross-Regulation Coordination

Alignment with Other EU Regulations

Recent technical standards also address coordination with:

  • NIS2 Directive: Cybersecurity requirements for essential and important entities
  • GDPR: Data protection and privacy obligations
  • MiCA: Crypto-asset service provider requirements
  • AI Act: Artificial intelligence governance

Avoiding Duplication

Technical standards increasingly recognize:

  • DORA as lex specialis to NIS2 for financial entities, so that DORA's requirements apply in place of the corresponding NIS2 provisions
  • Need to avoid duplicative reporting and compliance burdens
  • Importance of proportionate requirements for smaller entities
  • Value of leveraging existing frameworks and certifications

Industry Feedback Mechanisms

ESA Consultations

The ESAs continue to seek industry input on:

  • Implementation challenges and practical difficulties
  • Proportionality concerns for different entity types
  • International consistency and cross-border issues
  • Technology-specific considerations (cloud, AI, etc.)

How to Engage

Organizations can contribute through:

  • Direct responses to consultations
  • Industry association working groups
  • Supervisor dialogue and Q&A forums
  • Participation in industry conferences and roundtables

Looking Ahead

Expected Further Developments

Developments that may reasonably be anticipated in late 2025 and 2026 include:

  • Additional guidance on the practical conduct of CTPP oversight
  • Clarification of incident reporting edge cases
  • Further refinement of how proportionality is applied
  • Sector-specific guidance (insurance, payments, investment firms)
  • Possible technology-specific guidance, for example on AI or cloud services

International Coordination

Watch for:

  • Equivalence discussions with third countries
  • Alignment efforts with Basel Committee and IOSCO
  • Mutual recognition of testing and certification
  • Cross-border incident notification coordination

Compliance Strategy in Evolving Landscape

Building Adaptable Programs

To manage ongoing regulatory evolution:

  • Modular Design: Build compliance programs in components that can be easily updated
  • Document Rationales: Record why specific approaches were chosen
  • Monitor Continuously: Track regulatory developments systematically
  • Test and Validate: Regularly assess effectiveness of controls
  • Maintain Flexibility: Budget for potential changes and enhancements

Communication and Training

Keep stakeholders informed through:

  • Regular updates to board and senior management on regulatory changes
  • Training programs updated with latest requirements
  • Clear communication of changes to business units
  • Vendor notifications of updated expectations

Key Resources

Official Sources

  • EUR-Lex: Official Journal of the European Union
  • ESA Websites: EBA, EIOPA, and ESMA regulatory publications
  • National Competent Authorities: Local supervisory guidance
  • European Commission: DORA implementation page

Industry Resources

  • Trade association guidance documents
  • Industry working group outputs
  • Professional services firm updates
  • Vendor whitepapers and webinars

Key Takeaways

  • DORA technical standards continue to evolve based on implementation experience
  • Recent amendments have simplified and clarified key requirements
  • The European Commission declined to adopt the draft subcontracting RTS as submitted, removing the requirement to monitor the full subcontracting chain as exceeding the ESAs' mandate
  • TIBER-EU framework updated to align with DORA TLPT standards
  • Not all technical standards are final, requiring flexible compliance approaches
  • Regular monitoring of regulatory developments is essential
  • Industry engagement helps shape practical and proportionate standards

Conclusion

The refinement of DORA technical standards shows that the authorities are responding to industry feedback and to the realities of implementation. Financial entities should treat this as a positive development while continuing to track changes and adapt their compliance programs. The key to success is a framework that is robust, yet flexible enough to accommodate the ongoing evolution of regulatory expectations.