The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
-
EU Delegated Regulation on threat-led penetration testing published in OJ
18 June 2025
Commission Delegated Regulation (EU) 2025/1190 of 13 February has been published in the Official Journal of the European Union. The Delegated Regulation supplements the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) on threat-led penetration testing (TLPT). The RTS specify the criteria for identifying financial entities required to carry out TLPT, and establish detailed requirements regarding the scope of testing, the methodologies to be used and the handling and reporting of results. The RTS also set out the requirements and standards governing the use of internal testers, ensuring their independence and competence, and outline the framework for supervisory and other forms of cooperation necessary for the implementation of TLPT and the mutual recognition of testing. The Delegated Regulation will enter into force on the twentieth day following its publication in the Official Journal of the European Union, which is 8 July.
Topic: Operational Resilience -
ESMA publishes principles for supervisory oversight of third-party risk
12 June 2025
The European Securities and Markets Authority (ESMA) has published a comprehensive set of principles, accompanied by a press release, aimed at strengthening the supervision of third-party risks across the EU financial sector. The principles are intended to guide national competent authorities (NCAs) in identifying, assessing and overseeing third-party risks for EU entities in the securities markets, in accordance with the relevant legal framework and the principle of proportionality. Aligned with international standards (IOSCO, FSB and BCBS), the principles apply to all third-party arrangements, whether the third party is intra-group or external, located within the EU or in a third country, and irrespective of the technology used. The fourteen principles are grouped into four thematic areas to support NCAs in exercising effective oversight and ensuring that entities appropriately manage third-party risks.
-
EBA 2024 annual report on Work Programme Achievements – Part 1
20 May 2025
The European Banking Authority (EBA) has published part 1 of its 2024 annual report, with a press release, reflecting on key regulatory and supervisory achievements under its work programme over the past year. These include: (i) progress in the implementation of the Basel III reforms; (ii) the further integration of ESG considerations into regulatory frameworks, via the issuance of guidelines and reports on ESG risks, greenwashing and scenario analysis; (iii) the assessment of financial stability amid high interest rates and geopolitical uncertainties, supported by two risk assessment reports; (iv) the enhancement of regulatory data infrastructure through the EUCLID platform; (v) the development of oversight and supervisory capacity for firms subject to the EU Digital Operational Resilience Act (DORA) and the EU Markets in Crypto-Assets Regulation (MiCAR); and (vi) an enhanced focus on innovation and consumers (including access to financial services) while preparing for the transition to the new anti-money laundering and counter-terrorist financing (AML/CFT) framework. -
Corrigendum to Commission Delegated Regulation on RTS on risk management tools under DORA published in OJ
15 May 2025
A corrigendum to Commission Delegated Regulation (EU) 2024/1774, which supplements the Regulation on digital operational resilience for the financial sector (DORA), was published in the Official Journal of the European Union (OJ). Commission Delegated Regulation (EU) 2024/1774 contains regulatory technical standards (RTS) specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework. It reflects mandates under Articles 15 and 16(3) of DORA. The corrigendum replaces a reference to Article 15 of Commission Delegated Regulation (EU) 2024/1772 in Article 22 of the Delegated Regulation (ICT-related incident management policy) with a reference to Article 8(2) of that Delegated Regulation.
Topic: Operational Resilience -
ECON draft report on impact of AI
15 May 2025
The European Parliament's Committee on Economic and Monetary Affairs (ECON) has released a draft report (dated 14 May) and motion for a European Parliament resolution on the impact of artificial intelligence (AI) on the financial sector. The report highlights the broad adoption of AI and its benefits across the EU financial services sector, including in fraud detection, anti-money laundering and personalised financial advice, among other areas. While acknowledging the risks of AI usage related to data quality and cybersecurity, ECON is of the view that these are already addressed through multiple pieces of sectoral legislation at both national and EU level, including the EU AI Act. Given concerns about regulatory overlaps and legal uncertainties, which can limit the use of AI and complicate compliance for financial institutions, ECON advocates the responsible use of AI instead of new restrictive legislation. The motion for a resolution calls on the European Commission to: (i) provide clear guidance on how existing financial regulations apply to AI, ensuring consistent definitions and a simplified regulatory framework to avoid duplicative requirements; (ii) refrain from introducing new sector-specific AI regulation that could add complexity and uncertainty to already established sectoral rules, potentially creating barriers in cross-border markets; and (iii) support industry measures to enhance the understanding and responsible use of AI, and provide clearer guidance on the EU AI Act's AI literacy requirements as they apply to financial institutions. -
FSB publishes finalised format for FIRE framework
15 April 2025
The Financial Stability Board (FSB) has published its finalised Format for Incident Reporting Exchange (FIRE), together with a press release and an updated webpage. FIRE provides a standardised format for financial institutions to report cyber and other operational incidents to national regulators. It is intended to provide a foundation for jurisdictions which do not currently have standardised reporting formats, and to be interoperable with existing systems in jurisdictions that already have frameworks. National regulators are free to decide the extent to which they wish to adopt FIRE, if they do at all. The framework specifies the information items to be included in reports, identifying which items are essential and which are optional, and gives a baseline view of the reporting of individual information items against each reporting phase. The FSB will hold a workshop with industry and authorities two years after FIRE is finalised (i.e., in 2027) to take stock of their experiences with FIRE, including implementation challenges.
Topic: Operational Resilience -
UK 2025 Regulatory Initiatives Grid published
14 April 2025
The Financial Services Regulatory Initiatives Forum (the Forum) has published the Regulatory Initiatives Forum Grid (the Grid), with the UK Financial Conduct Authority (FCA) also updating its webpage. The previous Grid was due to be published in May 2024 but was postponed due to the General Election, meaning the Forum published only an interim update in October 2024.
The 2025 Grid sets out the regulatory pipeline for the next 24 months and reflects the reprioritisation that has taken place since the new government came into power. Notable initiatives include:
- motor finance commission review: the FCA intends to confirm, within six weeks of the Supreme Court's decision on past use of discretionary commission arrangements by motor finance firms, whether it will propose a redress scheme;
- liquidity risk management in funds: the FCA will consult on refined proposals regarding liquidity risk management in funds to implement FSB and IOSCO guidelines;
- Consumer Composite Investments (CCI) Regulation: the FCA published a second consultation paper on the new CCI regime on 16 April (see our update) and plans to issue a Policy Statement with final rules in late 2025;
Topics: Client Asset Protection, Conduct and Culture, Consumer / Retail, Financial Crime and Sanctions, Financial Market Infrastructure, FinTech, Fund Regulation, MiFID II, Operational Resilience, Other Developments, Payment Services and Payment Systems, Prudential Regulation, Recovery and Resolution, Securities -
UK PRA business plan 2025/26
10 April 2025
The Prudential Regulation Authority (PRA) has published its Business Plan 2025/26, which sets out its workplan and the regulatory initiatives intended to advance its strategic priorities. This year's business plan is said to reflect the evolution of the PRA's priorities, and in particular the work it is doing to deliver its new secondary objective on competitiveness and growth. Specific initiatives include:
- Implementing the Basel 3.1 standards, where the PRA intends to publish its final rules once Parliament has revoked the relevant parts of the Capital Requirements Regulation (CRR).
- Finalising and implementing the strong and simple framework for small domestic deposit takers. During 2025/26, the PRA will finalise the simplified capital regime and the additional liquidity simplifications. It intends to publish a policy statement on these in Q4.
-
ESMA final report on systematic internaliser ITS, volume cap and transparency calculations and trading venue RTS
10 April 2025
The European Securities and Markets Authority (ESMA) has published a final report in relation to certain changes being made as a result of the MiFID II/MiFIR review, together with an accompanying press release. The changes covered by this final report were part of the third consultation package following the MiFID II/MiFIR review, and relate to:
- A new set of implementing technical standards for investment firms notifying competent authorities when they gain the status of systematic internaliser or decide to opt in to the systematic internaliser regime. ESMA confirmed that it is making some changes to the original proposals, including reducing the number of reporting fields in the notification template to ease the reporting burden and extending the notification period from two weeks to 20 calendar days. ESMA also confirmed it will discuss with competent authorities areas where further guidance is required.
-
European Commission calls on Member States to fully transpose EU DORA Directive
27 March 2025
The European Commission (EC) has announced that it has opened infringement procedures by sending a letter of formal notice to 13 Member States (Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the Digital Operational Resilience Act Directive (Directive 2022/2556) (DORA Directive). Member States had to transpose the DORA Directive into national law by 17 January. The Member States concerned now have two months to respond, complete their transposition and notify their measures to the EC. In the absence of a satisfactory response, the EC may decide to issue a reasoned opinion, the second stage of the formal infringement procedure.
Topic: Operational Resilience -
European Commission adopts RTS on the elements to assess when subcontracting certain ICT services under DORA
24 March 2025
The European Commission has adopted a Delegated Regulation supplementing Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. Articles 1 and 2 establish the rules on proportionality and group application. Article 3 sets out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions. Article 4 establishes the description of, and the conditions under which, ICT services supporting a critical or important function may be subcontracted. Articles 5 and 6 contain the rules on material changes to subcontracting arrangements for ICT services supporting critical or important functions and the provisions on the termination of the contractual arrangement. The Delegated Regulation will enter into force 20 days after its publication in the Official Journal of the EU.
Topic: Operational Resilience -
RTS on criteria for the composition of joint examination teams under EU DORA published in OJ
24 March 2025
Commission Delegated Regulation 2025/420 has been published in the Official Journal of the EU. This Delegated Regulation supplements Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) specifying the criteria for determining the composition of the joint examination team, ensuring a balanced participation of staff members from the European Supervisory Authorities and from the relevant competent authorities, as well as their designation, tasks and working arrangements. The Delegated Regulation will enter into force on 13 April.
Topic: Operational Resilience -
EU DORA guidelines on estimation of costs of major ICT-related incidents published
18 March 2025
Translations have been published of the joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines supplement the EU Digital Operational Resilience Act (DORA), which requires that financial entities report on request to their national competent authorities an estimation of the aggregated annual costs and losses caused by major ICT-related incidents. The guidelines indicate how those estimations should be arrived at and include a related reporting template. The guidelines will apply from 19 May.
Topic: Operational Resilience -
ESMA guidelines on maintenance of systems and security access protocols under MiCAR
26 February 2025
The European Securities and Markets Authority (ESMA) has published official translations of the guidelines on the maintenance of systems and security access protocols for offerors and persons seeking admission to trading of cryptoassets other than asset referenced tokens (ARTs) and e-money tokens (EMTs). The guidelines apply to competent authorities and to 'offerors' as defined in Article 3(1)(13) of the Markets in Crypto-Assets Regulation (MiCAR) and persons seeking admission to trading of cryptoassets other than ARTs or EMTs in relation to Article 14(1), point (d), of MiCAR.
The purpose of these guidelines is to specify the appropriate standards for offerors and persons seeking admission to trading who are not subject to the same operational resilience requirements under MiCAR and the Digital Operational Resilience Regulation as their cryptoasset service provider and issuer counterparts. The guidelines include discussion of: (i) the general principle of proportionality; (ii) administrative arrangements and roles and responsibilities concerning systems and security access protocols; (iii) physical security access protocols; (iv) security access protocols for network and information systems; and (v) cryptographic key management.
The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines. Offerors and persons seeking admission to trading are not required to report whether they comply with the guidelines. -
ESMA guidelines on reverse solicitation under MiCAR
26 February 2025
The European Securities and Markets Authority (ESMA) has published official translations of its guidelines on situations in which a third-country firm is deemed to solicit clients established or situated in the EU and supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto-Assets Regulation (MiCAR). The guidelines apply to competent authorities in relation to Article 61(3) of MiCAR. The guidelines include discussion of: (i) the means of solicitation; (ii) the fact that the solicitation may be carried out by the third-country firm itself or any person acting on its behalf or having close links with the third-country firm; and (iii) the construction of the concept of 'exclusive initiative of the client'. The Annex to the guidelines contains a non-exhaustive list of examples of circumstances where a third-country firm is likely to be regarded as soliciting clients in the EU.
The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines. -
EU DORA technical standards published
20 February 2025
Two delegated acts were published in the Official Journal of the European Union (OJ) in respect of the EU Digital Operational Resilience Act (DORA). These are:
- Commission Delegated Regulation (EU) 2025/301, which comprises regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.
- Commission Implementing Regulation (EU) 2025/302, which comprises implementing technical standards for the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.
Both sets of technical standards relate to ICT-related incident management, one of the key pillars of the DORA legislation, and are mandated by Article 20 of DORA, which seeks to harmonise reporting content and templates in relation to ICT-related incidents and cyber threats. The Delegated and Implementing Regulations will enter into force on the twentieth day following their publication in the OJ.
Topic: Operational Resilience -
ESAs roadmap for designation of critical ICT third-party service providers under DORA
18 February 2025
The European Supervisory Authorities (ESAs) have published a roadmap for the designation of critical ICT third-party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The roadmap sets out four milestones between now and the end of the year:
- By 30 April, the ESAs will collect the registers of information that financial entities submitted to the competent authorities.
- By the end of July, the ESAs will perform criticality assessments required under DORA and notify third-party service providers if they are classified as critical.
- By the first half of September, there will be a hearing period where ICT third-party service providers may object to the assessment, with a reasoned statement and supporting information.
- By the end of this year, the ESAs will have designated and published the list of CTPPs and started the oversight engagement.
Alongside the roadmap, the European Banking Authority published a press release confirming that ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published, with details of how to make such a request to be provided soon. The ESAs also plan to organise a workshop with ICT third-party providers in Q2 this year, with details to be published in due course.
Topic: Operational Resilience -
European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA
13 February 2025
The European Commission (EC) has adopted a Commission Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with regard to RTS specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT). Article 26(11) of DORA mandates the European Supervisory Authorities (ESAs), in agreement with the European Central Bank (ECB), to develop joint draft RTS in accordance with the ECB's European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to specify further the following: (i) the criteria to identify financial entities required to perform TLPT; (ii) the requirements regarding test scope, testing methodology and results of TLPT; (iii) the requirements and standards governing the use of internal testers; and (iv) the rules on supervisory and other cooperation needed for the implementation of TLPT and for mutual recognition of testing. The Delegated Regulation will enter into force on the 20th day following its publication in the Official Journal of the EU. The ECB has also published an updated version of the TIBER-EU framework that aligns with the DORA RTS on TLPT.
Topic: Operational Resilience -
European Banking Authority publishes amending guidelines on ICT and security risk management in the context of DORA
11 February 2025
The European Banking Authority (EBA) has published a final report with amending guidelines in respect of Guidelines EBA/GL/2019/04 on ICT and security risk management. The EBA reviewed the Guidelines in light of the Digital Operational Resilience Act (DORA), which introduced harmonised requirements for the ICT risk management framework (RMF), incident reporting, third-party risk management and testing for certain financial entities. The entities subject to DORA and the related RTS on the RMF overlap with those subject to the Guidelines. Therefore, to ensure transparency and legal certainty, the EBA reviewed the Guidelines and concluded that the entities subject to the Guidelines should be narrowed down, and that the scope of the Guidelines should be reduced to cover certain institutions providing payment services which are not in scope of DORA, and guidelines on relationship management of payment services where this is not covered by the DORA requirements. The amending guidelines will be translated into the official EU languages and apply two months after issuance (at the latest).
Topic: Operational Resilience -
European Central Bank updates TIBER-EU framework to align with DORA RTS on TLPT
11 February 2025
The European Central Bank (ECB) has published an updated version of the threat intelligence-based ethical red teaming framework (TIBER-EU framework) (dated January) to align with the Digital Operational Resilience Act (DORA) RTS on threat-led penetration testing (TLPT) (see item above). The ECB also published a news item on the updated framework.
The TIBER-EU framework enables EU and national authorities to work with financial and other entities to put in place a programme to test and improve their resilience against sophisticated cyber-attacks. It also sets out detailed guidance on how to complete DORA TLPT in a qualitative, controlled and safe manner, applying a uniform approach across the EU. The updates introduced in the framework include: (i) aligning the process steps with the deliverables derived from the DORA RTS on TLPT; (ii) specifying purple-teaming as mandatory under TIBER-EU, as prescribed in the DORA RTS; (iii) introducing terminological changes to ensure consistency with DORA terminology, e.g., "White Team" to "Control Team"; (iv) providing advice on how to assess the quality of a provider in the updated Guidance for Service Provider Procurement; (v) moving away from the requirement for authorities that want to implement TIBER-EU to publish a full national implementation guide; authorities can instead refer to the adoption of the TIBER-EU documentation and publish a short implementation document described in the framework; and (vi) establishing TIBER-EU guidance documents to facilitate the implementation of different parts of the framework and to ensure a secure and controlled TLPT execution.
Topic: Operational Resilience -
European Commission rejects draft technical standards on sub-contracting ICT services under Digital Operational Resilience Act
31 January 2025
The European Commission has published a letter (dated 21 January 2025) addressed to the Joint Committee of the European Supervisory Authorities (ESAs) rejecting certain draft regulatory technical standards (RTS) the ESAs submitted under the Digital Operational Resilience Act in July 2024. The draft RTS specified the elements which a financial entity should determine when subcontracting ICT services supporting critical or important functions. These include the overall risk profile of the financial entity and its services and operations, the need for due diligence processes and a risk assessment of service providers, and the need for a description of the services and the conditions under which they would be provided. The Commission rejected the draft RTS on the grounds that proposed Article 5, on subcontracting in relation to the chain of ICT subcontractors for critical or important functions, went beyond the scope of the mandate granted to the ESAs under DORA, because it introduced requirements not specifically linked to the conditions for subcontracting. The Commission has also proposed certain non-substantive drafting amendments to the draft RTS. The Commission intends to adopt the RTS once these modifications have been made by the ESAs.
Topic: Operational Resilience -
European Supervisory Authorities approve terms of reference for new EU systemic cyber incident co-ordination framework forum under the EU Digital Operational Resilience Act
27 January 2025
The European Supervisory Authorities have published the terms of reference for the EU systemic cyber incident co-ordination framework Forum established under the EU Digital Operational Resilience Act. The Forum will be composed of representatives of EU and national bodies, including the ESAs and the European Commission. The Forum is tasked with: (i) developing and maintaining documents, protocols, procedures, arrangements, taxonomy and plans to support co-ordination in case of crisis mode, taking into account the existing co-ordination frameworks and the cyber threat landscape; (ii) preparing the set-up of a dedicated ad-hoc group responsible for managing crisis mode; and (iii) exercising and testing the protocols and procedures to ensure continued preparedness in the event of activation of crisis mode. The terms of reference will be subject to review and endorsement by the Joint Committee and subsequent approval by the ESAs' Boards of Supervisors, and will be adapted to reflect any new developments, as relevant and appropriate, every two years. The terms of reference came into effect on 17 January 2025.
Topic: Operational Resilience -
Financial Markets Standards Board publishes standard for sharing standard settlement instructions
27 January 2025
The Financial Markets Standards Board (FMSB) has published the final version of its standard for sharing standard settlement instructions (SSIs). The standard establishes core principles which set out expected practices for the sharing of SSIs between market participants and also includes templates for manually shared SSIs for cash and securities. These core principles relate to: use of industry platforms; off-platform settlement; timing; data fields; data format; data validation; validity; governance and responsibility; and periodic review. The standard is intended to supplement existing laws, regulation and guidance and applies to FMSB member firms in respect of their own or their clients' SSIs.
Topic: Operational Resilience -
UK Prudential Regulation Authority writes to domestic and international banks on its 2025 supervisory priorities
21 January 2025
The Prudential Regulation Authority (PRA) has published a Dear CEO letter outlining its supervisory priorities for 2025 for domestic banks and for international banks and large investment firms. The PRA's key areas of focus for 2025 include:
- Risk management, governance and controls: firms' senior management and boards need to ensure that their organisations have robust governance, risk management and controls frameworks in place that are adaptive and resilient, leveraging stress and scenario analyses to inform risk management, strategy and business planning. Firms are expected to have these frameworks in place across business, risk and internal audit functions, commensurate with the firm's business model. The PRA also notes that counterparty credit risk will remain an area of focus.
- Data risk: firms must continue to improve their ability to aggregate data to ensure that they have the information necessary to support holistic risk management, robust board decision-making, and accurate regulatory calculations. Throughout 2025 the PRA will continue to assess data accuracy.
-
EBA repeals guidelines on major incident reporting under the revised Payment Services Directive
17 January 2025
The European Banking Authority (EBA) has announced that it has repealed its guidelines on major incident reporting under the revised Payment Services Directive (PSD2) due to the application of harmonised incident reporting under the Digital Operational Resilience Act (DORA). DORA introduced harmonised incident reporting requirements that apply to financial entities across the banking, securities/markets, insurance and pensions sectors, including most payment service providers (PSPs). DORA also disapplies the incident reporting requirements under PSD2 for those PSPs. As such, the EBA has repealed the guidelines to simplify the reporting of major incidents by PSPs and provide legal certainty to the market. The EBA reminds firms that incident reporting requirements under PSD2 still apply for other types of PSPs, such as post office giro institutions and credit unions, that are not covered by DORA. The EBA notes that those PSPs that are still subject to PSD2 incident reporting requirements may be subject to national incident reporting requirements, regardless of the existence of the EBA guidelines. Competent national authorities wishing to retain the incident reporting approach included in the EBA guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures. -
EU joint report on the feasibility for further centralization of reporting of major ICT-related incidents
17 January 2025
The European Supervisory Authorities (ESAs) have published a joint report on the feasibility of further centralisation of the reporting of major ICT-related incidents by financial entities to competent authorities. The ESAs' joint report explores the potential for further centralisation through the establishment of a single EU hub, assessing the feasibility of three different models: (i) the baseline model; (ii) a model with enhanced data sharing arrangements; and (iii) a fully centralised model (i.e., an EU hub). The report considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains, that each model would bring for cross-sector supervisory practices.
Topic: Operational Resilience -
European Supervisory Authorities dry run exercise on reporting registers of information under Digital Operational Resilience Act
17 December 2024
The European Supervisory Authorities have published a summary report with the key findings from the 2024 Dry Run exercise on reporting the registers of information under DORA. The quality of data observed in the registers submitted by almost 1,000 financial entities across the EU was in line with the ESAs' expectations, considering the 'best effort' nature of the exercise. The ESAs are confident that the objective of having registers of sufficient quality in 2025 to allow for the designation of critical third-party service providers is not out of reach, subject to some additional efforts from the industry. The ESAs advise that all industry stakeholders carefully consider the report and all supporting materials to aid in preparing to report the registers in 2025.
Topic: Operational Resilience -
UK authorities consult on operational incident and third-party reporting
December 13, 2024
The Financial Conduct Authority, Prudential Regulation Authority, and the Bank of England have launched consultations on operational incident and third-party reporting. The regulators propose to establish a framework to enhance incident and third-party risk management, strengthen firms' operational resilience and minimize harm. To achieve this, the regulators propose a definition for an operational incident and introduce new material third-party reporting rules. The proposals introduce standardized reporting templates to allow the regulators to collect data which would be used to monitor and respond to potential risks arising from operational incidents and firms' increasing reliance on third parties.
The deadline for comments is March 13, 2025. The FCA intends to publish finalized rules in H2 2025. The PRA and the BoE propose that the implementation date for the proposals will be no earlier than H2 2026. You may like to see our client bulletin, "Operational incident reporting: UK financial regulators propose new rules", which goes into the details of these proposals. -
European Supervisory Authorities Urge Financial Entities to Ensure Timely Compliance with EU Digital Operational Resilience Act
December 4, 2024
The European Supervisory Authorities have published a joint statement on the application of the EU Digital Operational Resilience Act. The ESAs emphasise that, as DORA does not provide for a transitional period, it is important for financial entities to adopt a robust, structured approach in order to meet their obligations in a timely manner. DORA, and the technical standards and guidelines supplementing it, applies from January 17, 2025. Financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements. Financial entities should also prepare for the new reporting obligations. In particular, financial entities need to have their registers of ICT third-party providers' contractual arrangements available for competent authorities early in 2025, as the latter will have to report them to the ESAs by April 30, 2025. The ESAs note that competent authorities will supervise compliance with the DORA requirements in a risk-based manner, considering the risk profile, size, complexity and scale of financial entities. The ESAs invite ICT third-party service providers which consider they may meet the criticality criteria published in May to assess their operational setup against DORA requirements. The first designation of critical third-party service providers is expected to take place in H2 2025. -
Implementing Regulation on Standard Templates for the Register of Information
December 2, 2024
Commission Implementing Regulation 2024/2956, laying down Implementing Technical Standards for the application of the EU Digital Operational Resilience Act with regard to standard templates for the register of information, was published in the Official Journal of the European Union. Under Article 28(3) of DORA, as part of their ICT risk management framework, financial entities must maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information for all contractual arrangements on the use of ICT services provided by ICT third-party service providers. These ITS set out the standard templates for the register of information.
The European Commission rejected the European Supervisory Authorities' draft ITS in September on the basis that financial entities should have the choice of using either EU unique identifiers or legal entity identifiers. The ESAs published an opinion in October setting out their concerns about introducing the EUID as an identifier for these purposes. Nonetheless, the Implementing Regulation refers to financial entities using a valid and active LEI or EUID.
The Regulation enters into force on December 22, 2024, 20 days after publication in the Official Journal. -
Mansion House: HM Treasury Publishes Remit and Recommendations Letter for Financial Policy Committee
November 15, 2024
HM Treasury has published a letter from Rachel Reeves, Chancellor of the Exchequer, to Andrew Bailey, Governor of the Bank of England, setting out the remit and recommendations for the Financial Policy Committee for 2024/25.
In the letter, Ms. Reeves states that: (i) the FPC should continue to prioritize its work to address systemic vulnerabilities in market-based finance and ensure that the BoE continues to cooperate with relevant authorities and across jurisdictions to increase resilience in a way that is consistent with supporting sustainable economic growth; (ii) the FPC should continue to focus on cyber and operational risks, noting the evolving threat landscape, including how this might increase these risks, and other potential impacts for financial stability; and (iii) the FPC should assess and identify areas where there is potential to increase the ability of the financial system to contribute to sustainable economic growth without undermining financial stability.
The letter sets out: (a) the matters that the FPC should regard as relevant to the BoE's financial stability objective, and the responsibility of the FPC in relation to the achievement of that objective; (b) the responsibility of the FPC in relation to support for the U.K. government's economic policy; and (c) matters to which the FPC should have regard in exercising its functions. The FPC must respond to the government, describing any action it has taken or intends to take in response to a specific recommendation. -
UK Regulators Finalize Rules on Critical Third Parties to the UK Financial Sector
November 12, 2024
The Prudential Regulation Authority and Financial Conduct Authority have published a joint policy statement on operational resilience for critical third parties (CTPs) in the U.K. financial sector, which includes their final rules for CTPs. The overall objective of the final policy is to manage risks to the stability of, or confidence in, the U.K. financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to one or more authorised persons, relevant service providers and/or financial market infrastructure entities.
The rules will take effect from January 1, 2025, but will only apply to individual CTPs from the date their HM Treasury CTP designations come into force. HM Treasury has not yet made any such CTP designations.
-
European Commission Adopts Regulatory Technical Standards on Conduct of Oversight Activities under EU Digital Operational Resilience Act
October 24, 2024
The European Commission has adopted a Commission Delegated Regulation supplementing the EU Digital Operational Resilience Act with regard to Regulatory Technical Standards on harmonization of conditions enabling the conduct of the oversight activities. The draft RTS cover: (i) the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical; (ii) the information to be submitted by the ICT third-party service providers that is necessary for the Lead Overseer to carry out its duties; and (iii) the details of the competent authorities' assessment of the measures taken by critical third-party providers based on the recommendations of the Lead Overseer. Separate RTS will be adopted focusing on the criteria for determining the composition of the joint examination team, their designation, tasks, and working arrangements. The Delegated Regulation shall enter into force 20 days after publication in the OJ. DORA will apply as of January 17, 2025. -
European Commission Adopts Implementing Technical Standards and Regulatory Technical Standards on Notification of Major ICT-Incidents and Cyber Threats under EU Digital Operational Resilience Act
October 23, 2024
The European Commission has adopted the following legislation supplementing the EU Digital Operational Resilience Act: (i) a Commission Delegated Regulation containing Regulatory Technical Standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and (ii) a Commission Implementing Regulation laying down Implementing Technical Standards with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. The Council of the European Union and the European Parliament will now scrutinize the Delegated Regulation. If neither objects, it will be published in the Official Journal of the European Union. The Implementing Regulation will be published in the Official Journal without further scrutiny. Both Regulations will enter into force 20 days after publication in the Official Journal of the European Union. DORA will apply as of January 17, 2025. -
Financial Stability Board Letter to G20 Finance Ministers and Central Bank Governors – Cyber and Operational Resilience
October 22, 2024
The Financial Stability Board has published a letter sent to G20 finance ministers and central bank governors providing an update on various workstreams, including on cyber and operational resilience. The FSB notes that cyber and operational resilience risks continue to pose a threat to financial stability and is therefore delivering, for public consultation, a common Format for Incident Reporting Exchange (FIRE). FIRE is designed to enhance convergence in incident reporting, address operational challenges arising from reporting to multiple authorities and foster better communication amongst authorities. After public consultation, the FSB expects to publish the final version of FIRE by Q2 2025. The FSB's other publications include: (i) G20 status reports on crypto-asset policy implementation; (ii) a report on the financial stability implications of tokenisation; (iii) G20 roadmap progress reports on cross-border payments; and (iv) a report on lessons learned from the March 2023 banking turmoil. -
Revised Eurosystem Cyber Resilience Strategy Published
October 18, 2024
The Eurosystem revised its cyber resilience strategy to further address evolving cyber threats. The revised strategy updates the original 2017 Strategy taking account of the evolving threat landscape and leveraging industry best practices, lessons learnt from the original strategy and the practical application of the Cyber Guidance issued by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions.
Revisions to the strategy include: (i) the incorporation of new non-FMI entities that are overseen under the Eurosystem oversight framework for electronic payment instruments, schemes and arrangements (the PISA framework); these entities are encouraged to use tools developed by the Eurosystem to periodically assess and continuously enhance their cyber resilience; (ii) measures to address threats linked to geopolitical tensions or technological innovation such as artificial intelligence and quantum computing; and (iii) amendments to take into account recent EU regulation, namely the EU Digital Operational Resilience Act, which applies to certain FMIs covered by the strategy, including central securities depositories and central counterparties. The strategy also includes a new overarching component for monitoring implementation, which is designed to promote harmonisation. -
European Central Bank Publishes Paper on TIBER-EU and EU Digital Operational Resilience Act Requirements
September 26, 2024
The European Central Bank has published a paper outlining how the European framework for threat intelligence-based ethical red teaming, the TIBER-EU framework, can help competent authorities and financial entities fulfil their threat-led penetration testing requirements under the EU Digital Operational Resilience Act. TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of financial entities' critical live production systems. It was established as a tool for testing and improving key elements of the cyber resilience of participating financial entities, while focusing heavily on the learning opportunities provided by the testing. The ECB suggests that guiding and performing threat-led penetration testing on the basis of the DORA regulatory technical standards alone will be challenging, given the high standards required by such tests, but that TIBER-EU will alleviate these difficulties to a large extent and provides a framework that can be used to fulfil the DORA threat-led penetration testing requirements. The paper considers the benefits of the TIBER-EU framework for authorities and financial entities subject to DORA. -
European Central Bank Supervisory Board Speech on Banks' Operational Resilience
September 4, 2024
The European Central Bank has published a speech by Frank Elderson, ECB Executive Board member and Supervisory Board Vice-Chair, on banks' operational resilience. Operational resilience has become a key priority for regulators globally. Mr Elderson notes that the EU's Digital Operational Resilience Act, which applies from January 17, 2025, will significantly enhance IT and cyber risk management. However, the ECB's cyber resilience stress test earlier this year illustrated that there is scope for improvement, and the ECB appeals to Eurozone banks to prioritize operational and cyber resilience.
-
Final Technical Standards on Subcontracting ICT Services Under the EU Digital Operational Resilience Act
July 26, 2024
The European Supervisory Authorities have published a final report on draft regulatory technical standards to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act. The draft RTS set out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting. In particular, the draft RTS require financial entities to assess the risks associated with subcontracting during the precontractual phase, which includes the due diligence process.
The draft RTS also set out requirements regarding the implementation, monitoring, and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof, ensuring that financial entities are able to monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions. The ESAs will now submit the draft RTS to the European Commission for adoption. -
King's Speech 2024
July 17, 2024
The King's speech to Parliament sets out the new government's legislative program. The government has published background briefing notes relating to the King's Speech, providing a summary of the legislation to be brought forward. The Bills announced, in relation to financial services, include:
- A Bank Resolution (Recapitalisation) Bill, which would aim to enhance the U.K.'s resolution regime, providing the Bank of England with a more flexible toolkit to respond to the failure of small banks. The Bill would expand the statutory function of the Financial Services Compensation Scheme to provide funds to the BoE upon request, to be used where necessary to support the resolution of a failing bank. The FSCS would then recover the funds provided by charging levies on the banking sector, similar to the current arrangements for funding depositor pay-outs in insolvency. Credit unions will not be in scope of this levy. The BoE will also be provided with the power to require a bank in resolution to issue new shares, facilitating the use of FSCS funds to meet a failing bank's recapitalization costs.
-
European Supervisory Authorities Finalize Second Set of Technical Standards and Guidelines Under Digital Operational Resilience Act
July 17, 2024
The European Supervisory Authorities have published the final reports for the second collection of policy materials under the Digital Operational Resilience Act. These are the:
- Final report on draft regulatory technical standards and implementing technical standards on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats under Article 20 DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(c) DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(a), (b) and (d) of DORA.
- Final report on draft RTS specifying elements related to threat-led penetration tests under Article 26(11) DORA.
- Final report on joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Article 11(11) DORA.
-
EU Technical Standards on classification of ICT-Related Incidents, Contractual Arrangements Policy and Risk Management Tools Published
June 25, 2024
The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (Delegated Regulation 2024/1772).
- RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (Delegated Regulation 2024/1773).
- RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework (Delegated Regulation 2024/1774).
The Delegated Regulations will enter into force on July 15, 2024, the twentieth day following their publication in the Official Journal. -
EU Consultation on Draft Technical Standards for Operational Risk Loss under Third Capital Requirements Regulation
June 6, 2024
The European Banking Authority has opened a consultation on a package of draft regulatory technical standards that aim to standardize the collection and recording of operational risk losses and to provide clarity on the exemptions for the calculation of the annual operational risk loss and on the adjustments to the loss data set that banks must perform in case of merged or acquired entities or activities. The package consists of:
- Draft RTS on establishing a risk taxonomy on operational risk, which provide a list of operational risk event types, categories, and attributes that institutions must use when recording operational risk loss events in line with the current framework and the international standards.
- Draft RTS on the conditions under which it would be unduly burdensome for an institution to calculate the annual operational risk loss. In such cases, the draft RTS allow for a temporary waiver from the requirement to calculate the annual operational risk loss.
- Draft RTS on the adjustments to an institution's loss data set following the inclusion of losses from merged or acquired entities or activities, which provide indications on the currency and the risk taxonomy to be used when incorporating the loss data set of merged entities or activities.
The deadline for comments is September 6, 2024. The EBA intends to finalize the draft RTS by the end of 2024. -
UK Prudential Regulation Authority Delays Publication of Second Resolvability Assessment Due to General Election
June 6, 2024
The Prudential Regulation Authority has published a modification by consent of Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook. The PRA explains that, as with previous general elections, it will be following the Cabinet Office's election guidance, which includes limiting communications activities until after the election. In line with this approach, the Bank of England and PRA have chosen to delay publication of the second Resolvability Assessment Framework assessment of the major U.K. banks to early August. The publication of the BoE's assessment was due by June 14, 2024, alongside firms' own public disclosures (as required by Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook). As such, the PRA is offering a modification by consent to delay the deadline for firms to publish their RAF disclosures from the second Friday in June, to the second Friday in August at the latest. Each firm that wishes to take advantage of this modification should consider the terms of the direction. -
International Organization of Securities Commissions Report on Trading Venues' Resilience
June 5, 2024
The International Organization of Securities Commissions has published its final report on market outages. The report examines key findings from recent market outages on listing trading venues in IOSCO jurisdictions and builds on past IOSCO work on operational resilience and business continuity planning to identify good practices for listing trading venues that may enhance market-wide resilience in the event of a market outage.
The good practices include: (a) establishing and publishing an outage plan; (b) implementing a communication plan, which provides, through an appropriate communication channel, initial notice (as soon as practicable) of the outage to market participants and the general public and, thereafter, regular updates to all market participants on the status of the outage and the recovery pathway; (c) communicating information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading; (d) ensuring the processes and procedures that trading venues will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and (e) conducting and sharing with the relevant regulators a lessons-learnt exercise on the market outage and adopting a post-outage plan, with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the ability of the trading venue to respond effectively to outages.
-
European Central Bank Consults on Draft Guide on Outsourcing Cloud Services
June 3, 2024
The European Central Bank has opened a consultation on a draft guide on outsourcing cloud services to cloud service providers. The guide aims to clarify both the ECB's understanding of related legal requirements, including those under the EU's Digital Operational Resilience Act and the Capital Requirement Directive, and its expectations for the banks it supervises. The guide sets out detailed supervisory expectations, drawing on risks and best practices observed in the context of ongoing supervision and dedicated on-site inspections. It covers topics including: (i) the governance of cloud services; (ii) the availability and resilience of cloud services; (iii) ICT security, data confidentiality and integrity; (iv) exit strategy and termination rights; and (v) oversight monitoring and internal audits. The deadline for comments is July 15, 2024. -
Delegated Regulations under the EU Digital Operational Resilience Act Published
May 30, 2024
The following Delegated Regulations supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities.
- Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.
Both Delegated Regulations will enter into force on June 19, 2024, except for the systemic assessment sub-criterion on the ICT third-party service provider's dependency on subcontractors, which will be effective as of January 16, 2025. -
UK Financial Conduct Authority Shares Insights on Firms’ Preparations for Operational Resilience
May 28, 2024
The Financial Conduct Authority has set out its observations and insights on the preparations firms have made towards complying with its operational resilience rules ahead of March 31, 2025. The FCA expects firms to use these observations to review their approach and assess their readiness on the following key areas of the policy:
- important business services;
- impact tolerance;
- mapping and third parties;
- scenario testing;
- vulnerabilities and remediation;
- response and recovery plans; and
- governance and self-assessment.
-
UK Approach to Critical Third-Party Supplier Designation Published
March 31, 2024
The Financial Services and Markets Act 2023 established a framework for the regulation of third parties who provide significant services to financial institutions, giving HM Treasury power to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. We discussed this in our client note, "The U.K.'s New Regime for Critical Third Party Supervision". HM Treasury published on March 21, 2024, its policy approach to designation of critical third parties.
When designating CTPs, HM Treasury is required by the FSM Act 2023 to consider the materiality of the third party's services to the delivery of essential activities, services or operations in the financial sector as well as the number and type of licensed firms to which the services are provided. This is a process where HM Treasury carries out the designation; a "critical third party" is not a status that firms would apply for. The policy paper sets out the process for designation, including receipt of a recommendation from one of the financial regulators and assessment of the basis for making a designation decision. HM Treasury discusses how it will engage with the relevant third-party service provider and the regulators, including communicating its decision. The process for de-designating a critical third party is also described.
-
UK Regulators Propose Rules for Supervising Critical Third Parties
December 12, 2023
Following feedback to their July discussion paper, the U.K. regulators—the Bank of England, Prudential Regulation Authority and Financial Conduct Authority—have launched a joint consultation proposing rules and regulatory expectations for critical third parties. This follows concerns that the financial sector relies heavily on unregulated service providers, particularly in the IT sector, for critical infrastructure whose failure could cause systemic issues or customer issues. The Financial Services and Markets Act 2023 gave HM Treasury powers to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. and the regulators will have new direct powers over third parties that provide critical services to authorized firms, their service providers and financial market infrastructures. The regulators' rules would only apply to the services provided by a CTP to one of those firms. Responses to the consultation may be submitted until March 15, 2024.
-