Topic: Digital operational resilience in financial services dora

Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which proves to be the most vulnerable to cyber breaches and security issues.

In the latest episode of our EMEA insights series, Maria Beatrice Gilesi of our Milan office discusses recent communications from the Italian regulators regarding MiCA, DORA, CRD 6 and AI.

On 27 March 2025, the European Commission issued a press release stating that it was taking action against several EU Member States that have failed to notify the Commission of measures they have adopted to transpose EU Directives into their national laws.

On 24 March 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

Increased regulatory burdens on asset management businesses have resulted in additional cost pressures. However, regulation has also required more pricing transparency, which has led to an increasingly competitive market, with investors demanding either ultra-low cost or increasingly bespoke investment solutions.

On 20 February 2025, the following was published in the Official Journal of the EU (OJ).

On 18 February 2025, the European Supervisory Authorities (ESAs) issued a roadmap to the designation of critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA).

On 13 February 2025, there was published in the Official Journal of the EU (OJ), Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities.

On 13 February 2025, the European Commission adopted a draft Delegated Regulation supplementing the Regulation on digital operational resilience for the financial sector with regard to regulatory technical standards

On 11 February 2025, the Eurosystem updated its European framework for threat intelligence-based ethical red-teaming (TIBER-EU framework) to align with the regulatory technical standards (RTS) of the Digital Operational Resilience Act (DORA) on threat-led penetration testing (TLPT).