A&O Shearman | FinReg | Blog
Financial Regulatory Developments Focus
The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
  • IOSCO 2026 work programme
    9 February 2026

    The International Organization of Securities Commissions (IOSCO) has published its 2026 work programme, setting out its five strategic priorities for the year:
    • Strengthening financial resilience and market effectiveness – new key initiatives in this field for 2026 include: (i) addressing over-the-counter derivatives reporting fragmentation; (ii) working on the impact of market microstructures on liquidity and of extended trading hours on equity trading venues; (iii) contributing to the Financial Stability Board's (FSB) work on issues of non-bank data availability, use and quality; and (iv) contributing, as necessary, to follow-up work on the issue of leverage in non-bank financial intermediation (NBFI). IOSCO will also continue to develop work to strengthen the operational resilience of financial market infrastructures (FMIs).
    • Enhancing investor protection – IOSCO will launch a new TechSprint in partnership with the UK Financial Conduct Authority's AI Lab and will explore products such as cryptoasset funds, private credit vehicles and retail-facing derivatives. IOSCO will also continue to engage with platform providers to advocate for restrictions on harmful or fraudulent content and to promote the use of its I-SCAN tool (its Enhanced Investor Alerts Portal).
    • The evolution of public and private markets – key initiatives in this field include assessing the growing interconnectedness between private equity activities and the audit sector, contributing to the FSB's deep dive on private credit and researching the functioning of public equity markets.

    Read more.
  • FSB 2026 work programme
    3 February 2026

    The Financial Stability Board (FSB) has published its 2026 work programme. The FSB states it will continue its mission to promote global financial stability by addressing systemic financial risks and fostering international cooperation. Key priorities for the year include:
    • Vulnerabilities assessments – the FSB will complete a report on private credit and will begin new work on vulnerabilities, possibly including work on foreign exchange derivative markets or private finance.
    • Non-bank financial intermediation (NBFI) – the FSB will work to improve its methodologies to assess vulnerabilities in the non-bank sector as well as work on non-bank leverage and over-the-counter derivatives.
    • Cross-border payments – the FSB will continue to coordinate the implementation of the G20 cross-border payments roadmap by helping jurisdictions with the development of their voluntary, specific and time-bound action plans.
    • Digital innovation and AI – the FSB will continue to monitor developments regarding cryptoassets and will examine issues related to possible stablecoin vulnerabilities. It will also undertake work on sound practices for AI adoption, use and innovation by financial institutions, in close coordination with the standard-setting bodies.

    Read more.
  • UK regulators publish joint 2025 CBEST thematic report
    21 January 2026

    The Bank of England, UK Prudential Regulation Authority and UK Financial Conduct Authority have published their 2025 annual CBEST thematic report. CBEST is a threat-led penetration testing framework for assessing cyber resilience, helping regulators, firms and financial market infrastructures (FMIs) identify vulnerabilities and take remedial action. This report summarises insights from recent CBEST assessments conducted across firms and FMIs. While it does not introduce any new or additional regulatory expectations, it articulates gaps, some of them foundational, observed in firms' and FMIs' cyber defences.

    Key messages for firms and FMIs to consider include:
    • To reduce the likelihood of severe cyberattacks, firms and FMIs should harden operating systems by patching vulnerabilities and securely configuring key applications.
    • The impact of unauthorised access to sensitive systems and information can be reduced by strengthening credential management, enforcing strong passwords, considering the use of multi-factor authentication, preventing or detecting insecure credential storage and through appropriate segmentation of networks.

    Read more.
  • UK PRA outlines supervisory priorities for 2026 – UK deposit takers and international banks
    15 January 2026

    The UK Prudential Regulation Authority (PRA) has published Dear CEO letters setting out its 2026 supervisory priorities for UK deposit takers and for international banks and designated investment firms. Across both letters, the PRA highlights its continued focus and expectations across risk management, operational resilience, financial resilience and data governance. It states that these priorities should be considered alongside firm-specific feedback provided through a firm's recent periodic summary meeting (PSM). It also announced plans to move certain supervisory activity, including PSMs, to a two-year cycle. The letters explain that a firm's supervisory contact will provide details in due course of what this means for the timing of the firm's next PSM.
  • ESAs and UK regulators sign MoU on oversight of critical ICT third-party service providers under DORA
    14 January 2026

    The European Supervisory Authorities (comprising the European Securities and Markets Authority, the European Insurance and Occupational Pensions Authority and the European Banking Authority) have entered into a Memorandum of Understanding with the Bank of England (BoE), the UK Prudential Regulation Authority and the UK Financial Conduct Authority (FCA). The MoU seeks to strengthen cross-border oversight of critical third parties (CTPs) under the UK regime and critical ICT third-party service providers (CTPPs) under the Digital Operational Resilience Act (DORA), including during incidents such as power outages or cyber-attacks. It sets out cooperation principles and procedures, information-sharing arrangements and coordination of oversight activities between EU and UK regulators. To enable information sharing with a third country authority, the ESAs must first verify that the third country's confidentiality and professional secrecy regime is equivalent to that under EU law. Accordingly, prior to signing the MoU, the ESAs carried out an assessment confirming that the UK's regime meets the standards set out in DORA. Separate statements from the FCA and BoE announcing the signed MoU were published on the same day.
  • ESAs advise against extending DORA to statutory auditors and audit firms
    17 December 2025

    The European Supervisory Authorities (comprising the European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority) have published a joint report, dated 4 December, responding to the European Commission's request under Article 58(3) of the EU Digital Operational Resilience Act (DORA). The report assesses whether statutory auditors and audit firms should be subject to strengthened digital operational resilience requirements by means of inclusion in the scope of DORA or by means of amendments to the Statutory Audit Directive. While acknowledging the critical role that auditors play in financial stability and the fact that the confidentiality, integrity and availability of information accessed during audits are critical, the report clarifies that audit activities do not form part of the operational value chain of the auditee and therefore do not directly affect the continuity of financial or other services. The ESAs conclude that the identified negative implications of applying DORA to statutory auditors and audit firms, such as increased fixed costs, reduced audit choice, increased audit fees and significant re-skilling of national audit oversight authorities, appear to outweigh the potential benefits. Therefore, including statutory auditors and audit firms within DORA's scope is not warranted at this stage.
  • ECB to conduct geopolitical risk reverse stress test on supervised banks
    12 December 2025

    The European Central Bank (ECB) has announced it will conduct a geopolitical risk reverse stress test on 110 directly supervised banks in the Single Supervisory Mechanism in 2026. In a reverse stress test, a pre-defined outcome is set, and each bank defines the scenario in which that outcome would materialise. This exercise will complement the 2025 EBA stress test, which applied a common scenario for all banks and resulted in differing degrees of capital depletion. The 2026 exercise will focus on how geopolitical risk could affect banks' business models, with each bank identifying relevant geopolitical events and quantifying their impact. Additionally, the banks will be asked to describe how they would act to reduce that impact, if necessary, with a view to ensuring that they have robust governance and operational resilience frameworks in place.

    Read more.
  • BCBS principles for the sound management of third-party risk
    10 December 2025

    The Basel Committee on Banking Supervision (BCBS) has published its principles for the sound management of third-party risk, replacing the 2005 Joint Forum outsourcing paper and establishing a common baseline for banks and supervisors. This follows the July 2024 consultation. The framework applies proportionately, covering the full lifecycle of third-party service provider (TPSP) arrangements, and emphasises: (i) rigorous governance by the board and senior management; (ii) maintenance of a comprehensive third-party risk management (TPRM) framework aligned with operational risk and resilience standards; and (iii) heightened expectations for critical services. Key areas covered include governance and strategy, risk assessment and due diligence, contracting, onboarding and monitoring, termination and the role of supervisors.

    Read more.
  • UK PRA issues 2025 sector assessment letter to credit union directors
    28 November 2025

    The UK Prudential Regulation Authority (PRA) has published a letter addressed to credit union directors. It summarises key findings from its 2025 assessment of credit unions with assets up to GBP50 million and sets out supervisory priorities for 2026. The PRA identifies operational resilience as a key risk, with thematic work planned in 2026 to strengthen this area, including contingency planning and ensuring robust arrangements for replacing key staff and directors. The second key risk highlighted is disorderly failure: boards are expected to monitor prudential positions and financial forecasts proactively, act promptly on emerging issues and consider alternatives where activities become unsustainable, to avoid disorderly wind-down. In addition to these priorities, the PRA will maintain a focus on risk management throughout 2026. Governance standards also remain a priority, with emphasis on reducing dependency on key individuals and improving risk oversight. Areas for continued attention include succession planning, policy reviews, business planning and board performance appraisals (noted as a non-exhaustive list). The PRA reminds credit unions of their regulatory obligations, including maintaining open and cooperative engagement under Fundamental Rule 7. The letter should be read alongside the January Dear CEO letter to UK deposit takers, which outlines the PRA's priorities in this sector.
  • ECB publishes TIBER-EU SSM implementation guide under DORA
    21 November 2025

    The European Central Bank (ECB) has published its guide on implementing the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework for mandatory threat-led penetration testing (TLPT) of significant institutions under the Digital Operational Resilience Act (DORA). Under Articles 26 and 27 of DORA, significant institutions must conduct advanced operational resilience testing by means of TLPT at least every three years. To assist significant institutions in fulfilling the DORA TLPT requirements, the ECB has decided to adopt the TIBER-EU framework. The guide sets out: the ECB's role in identifying significant institutions subject to TLPT requirements; the testing process (preparation, execution and closure); key stakeholder responsibilities, including the use of external threat intelligence providers and red team testers; and general considerations for TLPT, including test management, secrecy and risk management. The ECB clarifies that while the TIBER-EU implementation guide provides detailed operational steps, only DORA and its accompanying regulatory technical standards on TLPT remain legally binding.
  • EIOPA publishes new Q&A under DORA
    20 November 2025

    The European Insurance and Occupational Pensions Authority (EIOPA) has published a Q&A under the Digital Operational Resilience Act (DORA) on the interpretation of Article 13 of Commission Delegated Regulation (EU) 2024/1774 (comprising the regulatory technical standards on ICT risk management), which supplements DORA. The clarification concerns Article 13(c), which requires financial entities to implement the use of a separate and dedicated network for the administration of ICT assets. EIOPA confirms that such administration should be interpreted broadly so as to include both manual and automated activities and processes, and cross-refers to other DORA articles which are relevant for interpreting this provision.
  • EC adopts Digital Omnibus Package and launches consultation
    19 November 2025

    The European Commission (EC) has adopted its Digital Omnibus Package with a set of proposals which seek to simplify rules on AI, data and cybersecurity. This forms part of the EC's broader digital initiative to help EU businesses innovate, scale and save on administrative costs. At the core of the package is the proposal for a regulation on simplification of the digital legislation which introduces technical amendments to a large range of digital laws.

    Key measures include:
    • AI – providing clarifications and practical measures to ensure smooth application of AI rules, including provisions for regulatory sandboxes and SME-friendly compliance pathways. Further targeted amendments to the EU AI Act are made through a separate legal proposal within the package.
    • Cybersecurity – establishing a single-entry point for incident reporting that consolidates mandatory reporting obligations under, among others, the NIS2 Directive, the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA). In a second stage, sector-specific rules in areas such as energy and aviation will also be integrated into this single-entry point.
    Read more.
  • ECB SREP review findings and supervisory priorities for 2026–2028
    18 November 2025

    The European Central Bank (ECB) has published the results of its 2025 supervisory review and evaluation process (SREP) and supervisory priorities for 2026–2028. The review covers 105 banks under ECB supervision and looks at their capital, liquidity, profitability, governance and risk management. Overall, banks maintained robust capital and liquidity positions and strong profitability in the second quarter of 2025.

    Looking ahead, the ECB's supervisory priorities for 2026–2028 reflect a comprehensive assessment of emerging risks and vulnerabilities for supervised entities. Each supervisory priority targets a specific set of vulnerabilities in the banking sector for which dedicated strategic objectives have been set and tailored work programmes developed.

    Read more.
  • ESAs publish official list of designated critical CTPPs under DORA
    18 November 2025

    The European Supervisory Authorities, referred to as ESAs (comprising the European Banking Authority, European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority), have published the official list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation followed a structured process involving data collection from financial entities' ICT service registers, a criticality assessment in cooperation with national competent authorities and a notification process to those CTPPs identified as critical, after which they exercised their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information. Designated CTPPs, which deliver essential ICT services across the EU financial sector, will now be subject to direct oversight by the ESAs to ensure they have appropriate risk management and governance frameworks in place. The ESAs will continue engaging with CTPPs in the course of upcoming examination activities.
  • ESMA prioritises cyber risk and digital resilience in 2026 supervisory strategy
    24 October 2025

    The European Securities and Markets Authority (ESMA) has announced that cyber risk and digital resilience will remain central to its Union Strategic Supervisory Priorities (USSPs) for 2026. This follows strong engagement from national competent authorities (NCAs) and aligns with the implementation of the Digital Operational Resilience Act (DORA), enhancing ICT risk management and supervisory coordination across EU financial markets. ESMA urges NCAs to sustain supervisory momentum into 2026, as coordination between authorities' supervisory work and the DORA oversight framework will be essential. Additionally, NCAs will target supervisory efforts to consolidate progress under the environmental, social and governance disclosures USSP, with a focus on high-risk areas. ESMA will also consider the potential introduction of new supervisory topics to address emerging risks at the Union-wide level in the following years.
  • EBA consults on revised guidelines on SREP and supervisory stress testing
    24 October 2025

    The European Banking Authority (EBA) has launched a consultation on its revised guidelines for the supervisory review and evaluation process (SREP) and supervisory stress testing, mandated under the Capital Requirements Directive (CRD). The proposed guidelines consolidate all relevant SREP provisions into a single, comprehensive framework as part of the EBA's efforts to simplify and enhance the EU supervisory framework. The update integrates new elements, including environmental, social and governance factors, operational resilience and mandates under the revised Capital Requirements Directive (CRD VI) relating to third-country branches and the output floor.

    Read more.
  • UK regulators publish effective practices on cyber response and recovery capabilities
    20 October 2025

    The Bank of England, UK Financial Conduct Authority (FCA) and UK Prudential Regulation Authority (PRA) have published a joint document outlining effective practices in cyber response and recovery capabilities across systemic firms and financial market infrastructures (FMIs). The publication highlights practices drawn from firms' operational resilience self-assessments and is structured around the following four key areas:
    • Response to a high severity cyber disruption – more mature firms are using a broader set of impact tolerance metrics, beyond just duration, to define critical service levels. These include metrics such as value, volume, critical activity, end-users and types of payments. Effective self-assessments also feature clear, timely crisis communication plans and resilient communication capabilities.
    Read more.
  • ESAs publish 2026 work programme
    16 October 2025

    The Joint Committee of the European Supervisory Authorities (comprising the European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority) (ESAs) has published the ESAs' 2026 work programme, setting out key priorities for cross-sectoral collaboration for 2026.

    The programme focuses on joint efforts in relation to:
    • Digital Operational Resilience Act (DORA) – the ESAs will concentrate on the effective operation of the new oversight framework and work related to supervisory convergence of DORA. The ESAs will designate critical ICT third-party providers (CTPPs) to the EU financial sector by the end of 2025 and will conduct risk assessments to outline individual annual oversight plans for each CTPP, complemented by a strategic multi-annual oversight plan.
    • Consumer protection and financial innovation – in 2026, the ESAs expect to work on drafting regulatory technical standards based on the empowerments in the proposed amendments to the PRIIPs Regulation in the European Commission's (EC's) Retail Investment Strategy. Work on consumer confidence and protection will consider the EC's strategy to develop a Savings and Investment Union.

    Read more.
  • EBA 2026 work programme for a more efficient EU regulatory and supervisory framework
    1 October 2025

    The European Banking Authority (EBA) has published its 2026 work programme, setting out its key priorities and planned initiatives. The programme is driven by three overarching priorities: (i) developing a rulebook to foster a resilient and efficient financial single market, with proposals to simplify rules, improve public sector coordination and assess the framework's impact. This includes continuing work on the EU banking package and advancing proposals on the forthcoming revised Payment Services Directive 3, the Payment Services Regulation and the Financial Data Access Act; (ii) strengthening risk assessment capabilities through improved data, methodologies and oversight under the Digital Operational Resilience Act (for critical ICT third-party providers), Markets in Crypto-Assets Regulation (for supervision of crypto-asset issuers) and European Market Infrastructure Regulation (for validation of initial margin models); and (iii) advancing innovation and technological capacity across the financial sector, with a focus on AI and machine learning, including its contribution to the implementation of the EU AI Act. In parallel, the EBA has published a report (EBA/REP/2025/26) proposing ways to streamline the EU's regulatory and supervisory framework, following a comprehensive review earlier this year of four key areas: level 2 and 3 measures, reporting burdens on financial institutions, the EBA's role in the prudential framework and its internal processes. The review resulted in 21 recommendations which are set out in the report.
  • ESMA cloud outsourcing guidelines published in all official EU languages
    30 September 2025

    The European Securities and Markets Authority (ESMA) has published official translations of its final report updating the 2021 guidelines on outsourcing to cloud service providers. The updated guidelines, initially published in July, narrow the scope to exclude entities covered by the Digital Operational Resilience Act (DORA), ensuring they remain applicable only to financial entities outside DORA's remit, specifically, certain types of depositary under the Alternative Investment Fund Managers Directive and the Undertakings for Collective Investment in Transferable Securities Directive. The revision aims to prevent regulatory overlap, as DORA now governs ICT third-party risk for most financial entities. The revised guidelines apply from 30 September. National competent authorities must notify ESMA by 30 November whether they comply or intend to comply with the guidelines, and must inform ESMA of their reasons for non-compliance. Firms are not required to report on whether they comply.
  • ESAs joint report on EU financial system risks with policy recommendations
    19 September 2025

    The European Supervisory Authorities (ESAs, comprising the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority) have published the Joint Committee's Autumn 2025 report, highlighting global risks to the EU financial system and recommending policy actions amid instability. The risks, attributed to ongoing geopolitical tensions including the U.S.'s imposition of widespread tariffs and continued conflicts in Ukraine and the Middle East, are said to have led to downward revisions in global and EU growth forecasts and divergence in monetary policy between the EU and U.S.

    Read more.
  • UK FCA Cyber Coordination Group Insights 2024
    14 August 2025

    The UK Financial Conduct Authority (FCA) has published a summary of discussions held throughout 2024 with industry members of the FCA's Cyber Coordination Group programme. The publication is not intended to introduce any additional regulatory expectations. The FCA states that it is making the insights widely available so that firms can consider them, within the context of the FCA's existing expectations, to learn from other firms and to help strengthen their cyber resilience capabilities. The insights draw on both members' positive and more challenging experiences of the issues, and focus on three key topics: i) the reconnection framework and third-party management; ii) threat and vulnerability management and threat-led penetration testing; and iii) AI and other emerging technologies, including quantum computing.
  • EBA publishes new Q&A in relation to DORA
    8 August 2025

    The European Banking Authority has published single rulebook Q&A relating to the Digital Operational Resilience Act (DORA). The answers to the questions were given by the joint European Supervisory Authorities. The Q&A cover:
    • The identification of ICT service providers (2024_7089).
    • Guidance on completing the refPeriod field of the parameters.csv file for the DORA register of information (2025_7387).
    • The obligation to maintain a register of information for financial entities (FEs) exempt under Article 16 of DORA (2025_7388).
  • UK FCA findings on multi-firm review of data quality control frameworks in benchmarks sector
    28 July 2025

    The UK Financial Conduct Authority (FCA) has published a new webpage summarising the findings of its multi-firm review into how benchmark administrators (BMAs) manage data-related risks. While the FCA found that some firms demonstrated good arrangements, overall practices varied and often fell short of consistently supporting a strong control environment. The review follows the FCA's portfolio letter in which the FCA discussed its concerns on data quality controls, corporate governance and oversight, benchmark controls, disclosures and operational resilience. Key findings from the review are set out below.

    Read more.
  • ECB publishes final guide on outsourcing cloud services
    16 July 2025

    The European Central Bank (ECB) has published its final guide on outsourcing cloud services, following a July 2024 consultation. Feedback on the consultation is set out in an accompanying feedback statement. The guide clarifies supervisory expectations for banks under the ECB's remit in relation to the Digital Operational Resilience Act (DORA). While not legally binding, the guide outlines good practices for effective cloud outsourcing risk management, particularly given growing reliance on a limited number of third-party providers. Key areas covered include governance and risk management strategy, pre-outsourcing analysis, contractual arrangements, exit strategies and termination rights, and ongoing monitoring and oversight. The guide emphasises a risk-based and proportionate approach to outsourcing cloud services, tailored to the diverse structures, activities and risk profiles of ECB-supervised banks. The final version distinguishes more clearly between DORA requirements and ECB-recommended practices.
  • ESAs publish joint guide on oversight of critical third-party providers under DORA
    15 July 2025

    The European Supervisory Authorities (European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority) have published a joint guide detailing their oversight activities under the Digital Operational Resilience Act (DORA). The guide outlines the processes employed by the Joint Examination Teams to supervise critical ICT third-party service providers (CTPPs). Offering a high-level overview of the CTPP oversight framework, the guide covers (i) governance structures; (ii) oversight processes; (iii) the founding principles; (iv) available supervisory tools; and (v) the adoption process. While the guide is not legally binding and does not supersede existing EU legal requirements, the ESAs encourage financial entities and third-party providers to use it in preparation for the implementation of DORA oversight. The guide may be subject to future revisions, when necessary.
  • ESMA revises cloud outsourcing guidelines to align with DORA
    11 July 2025

    The European Securities and Markets Authority (ESMA) has published its final report, updating the 2021 guidelines on outsourcing to cloud service providers in line with the Digital Operational Resilience Act (DORA). The 2021 guidelines were designed to assist firms in identifying, managing and monitoring risks associated with cloud outsourcing. However, since DORA began to apply in January and covers the same scope, including ICT third-party risk, these guidelines are no longer needed for most financial entities. DORA does not, however, apply to certain depositaries under the Alternative Investment Fund Managers Directive (AIFMD) and the Undertakings for Collective Investment in Transferable Securities Directive (UCITSD). Therefore, ESMA has revised the scope of the 2021 guidelines to apply only to these specific depositaries that fall outside DORA's coverage. According to ESMA, the content of the guidelines has not substantively changed. The updated guidelines will now be translated into all official EU languages and published on ESMA's website. National competent authorities must notify ESMA within two months of publication whether they comply or intend to comply with the guidelines.
  • Bank of England's FPC publishes July financial stability report
    9 July 2025

    The Bank of England's Financial Policy Committee (FPC) has published its July financial stability report alongside the record of its 27 June meeting. After assessing the risks to the UK financial system, the FPC reports that global financial markets remain vulnerable, with elevated risks stemming from geopolitical tensions, trade fragmentation and sovereign debt pressures.

    Read more.
  • PRA thematic findings from the 2024 Cyber Stress Test
    9 July 2025

    The Bank of England and the Prudential Regulation Authority (PRA) have released a letter to PRA-regulated firms and relevant financial market infrastructures (FMIs) outlining the thematic findings from the 2024 Cyber Stress Test (CST24). PRA-regulated firms and relevant FMIs are encouraged to consider these findings in the implementation of their operational resilience policies.

    The CST24 involved providers and users of wholesale services modelling the operational, financial and confidence impacts of suspected, confirmed and prolonged cyber-attack scenarios affecting transaction settlement.

    Read more.
  • EBA consults on draft guidelines for third-party risk management for non-ICT related services
    8 July 2025

    The European Banking Authority (EBA) has published a consultation paper on its draft guidelines for managing third-party risk with regards to non-ICT related services. The guidelines will revise and update its prior 2019 outsourcing guidelines in line with the Digital Operational Resilience Act (DORA). The guidelines reaffirm that financial entities' management bodies remain fully accountable for all activities, including those outsourced to third-party service providers (TPSPs), particularly when critical or important functions are involved. The guidelines specify steps to be taken for the lifecycle of third-party arrangements, covering risk assessment, due diligence and termination processes, and stress the need for adequate resources to manage associated risks. To promote consistency with DORA, the draft guidelines allow financial institutions to maintain a single unified register for both ICT and non-ICT services, reducing administrative burden by limiting the level of information to be documented. A transitional period of two years is provided for financial entities under the scope of the updated guidelines, to review and amend existing third-party arrangements and update their non-ICT registers accordingly. The deadline for comments on the consultation is 8 October and a virtual public hearing is scheduled for 5 September.
  • EU RTS on subcontracting ICT services supporting critical or important functions under DORA published in OJ
    2 July 2025

    Commission Delegated Regulation (EU) 2025/532 has been published in the Official Journal of the European Union. The Delegated Regulation supplements the Digital Operational Resilience Act (DORA) with regard to regulatory technical standards (RTS) specifying the elements that a financial entity has to determine and assess when subcontracting information and communication technology (ICT) services supporting critical or important functions.

    Read more.
  • EU Delegated Regulation on threat-led penetration testing published in OJ
    18 June 2025

    Commission Delegated Regulation (EU) 2025/1190 of 13 February has been published in the Official Journal of the European Union. The Delegated Regulation supplements the Digital Operational Resilience Act (DORA) with regulatory technical standards (RTS) on threat-led penetration testing (TLPT). The RTS specify the criteria for identifying the financial entities required to carry out TLPT, and establish detailed requirements on the scope of testing, the methodologies to be used and the handling and reporting of results. The RTS also set out the requirements and standards governing the use of internal testers, ensuring their independence and competence, and outline the framework for supervisory and other forms of cooperation needed to implement TLPT and to achieve mutual recognition of tests. The Delegated Regulation will enter into force on the twentieth day following its publication in the Official Journal of the European Union, that is, on 8 July.
  • ESMA publishes principles for supervisory oversight of third-party risk
    12 June 2025

    The European Securities and Markets Authority (ESMA) has published a comprehensive set of principles, accompanied by a press release, aimed at strengthening the supervision of third-party risks across the EU financial sector. The principles are intended to guide national competent authorities (NCAs) in identifying, assessing and overseeing third-party risks for EU entities in the securities markets, in accordance with the relevant legal framework and the principle of proportionality. Aligned with international standards (IOSCO, FSB and BCBS), the principles apply to all third-party arrangements, whether the third party is intra-group or external, located within the EU or in a third country, and irrespective of the technology used. The fourteen principles are grouped into four thematic areas to support NCAs in exercising effective oversight and ensuring that entities appropriately manage third-party risks.

    Read more.
  • EBA 2024 annual report on Work Programme Achievements – Part 1
    20 May 2025

    The European Banking Authority (EBA) has published part 1 of its 2024 annual report, with a press release, reflecting on key regulatory and supervisory achievements under its work programme over the past year. These include: (i) progress in the implementation of the Basel III reforms; (ii) the further integration of ESG considerations into regulatory frameworks, via the issuance of guidelines and reports on ESG risks, greenwashing and scenario analysis; (iii) the assessment of financial stability amid high interest rates and geopolitical uncertainties, supported by two risk assessment reports; (iv) the enhancement of regulatory data infrastructure through the EUCLID platform; (v) the development of oversight and supervisory capacity for firms subject to the EU Digital Operational Resilience Act (DORA) and the EU Markets in Crypto-Assets Regulation (MiCAR); and (vi) an enhanced focus on innovation and consumers (including access to financial services) while preparing for the transition to the new anti-money laundering and counter-terrorist financing (AML/CFT) framework.
  • Corrigendum to Commission Delegated Regulation on RTS on risk management tools under DORA published in OJ
    15 May 2025

    A corrigendum to Commission Delegated Regulation (EU) 2024/1774, which supplements the Regulation on digital operational resilience for the financial sector (DORA), was published in the Official Journal of the European Union (OJ). Commission Delegated Regulation (EU) 2024/1774 contains regulatory technical standards (RTS) specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework. It reflects mandates under Articles 15 and 16(3) of DORA. The corrigendum replaces a reference to Article 15 of Commission Delegated Regulation (EU) 2024/1772 in Article 22 of the Delegated Regulation (ICT-related incident management policy) with a reference to Article 8(2) of that Delegated Regulation.
  • ECON draft report on impact of AI
    15 May 2025

    The European Parliament's Committee on Economic and Monetary Affairs (ECON) has released a draft report (dated 14 May) and motion for a European Parliament resolution on the impact of artificial intelligence (AI) on the financial sector. The report highlights the broad adoption of AI and its benefits across the EU financial services sector, including in fraud detection, anti-money laundering and personalised financial advice, among other areas. While acknowledging that the use of AI carries risks related to data quality and cybersecurity, ECON is of the view that these are already addressed through multiple pieces of sectoral legislation at both national and EU level, including the EU AI Act. Citing concerns about regulatory overlaps and legal uncertainty, which can limit the use of AI and complicate compliance for financial institutions, ECON advocates responsible use of AI rather than new restrictive legislation. The motion for a resolution calls on the European Commission to: (i) provide clear guidance on how existing financial regulations apply to AI, ensuring consistent definitions and a simplified regulatory framework that avoids duplicative requirements; (ii) refrain from introducing new sector-specific AI regulation that would add complexity and uncertainty to already established sectoral rules, potentially creating barriers in cross-border markets; and (iii) support industry measures to enhance the understanding and responsible use of AI, and provide clearer guidance on how financial institutions are to comply with the EU AI Act's AI literacy requirements.
  • FSB publishes finalised format for FIRE framework
    15 April 2025

    The Financial Stability Board (FSB) has published its finalised Format for Incident Reporting Exchange (FIRE), together with a press release and an updated webpage. FIRE provides a standardised format for financial institutions to report cyber and other operational incidents to national regulators. It is intended to provide a foundation on which jurisdictions without standardised reporting formats can build, and to be interoperable with existing systems in jurisdictions that already have frameworks in place. National regulators are free to decide the extent to which they adopt FIRE, if at all. The framework specifies the information items to be included in reports, identifying which items are essential and which are optional, and gives a baseline view of which information items are reported in each reporting phase. The FSB will hold a workshop with industry and authorities two years after FIRE is finalised (i.e., in 2027) to take stock of their experiences with FIRE, including implementation challenges.
  • UK 2025 Regulatory Initiatives Grid published
    14 April 2025

    The Financial Services Regulatory Initiatives Forum (the Forum) has published the Regulatory Initiatives Forum Grid (the Grid), and the UK Financial Conduct Authority (FCA) has updated its webpage accordingly. The previous Grid was due to be published in May 2024 but was postponed because of the General Election, so the Forum published only an interim update in October 2024.

    The 2025 Grid sets out the regulatory pipeline for the next 24 months and reflects the reprioritisation that has taken place since the new government came into power. Notable initiatives include:
    • motor finance commission review: the FCA intends to confirm, within six weeks of the Supreme Court's decision on past use of discretionary commission arrangements by motor finance firms, whether it will propose a redress scheme;
    • liquidity risk management in funds: the FCA will consult on refined proposals regarding liquidity risk management in funds to implement FSB and IOSCO guidelines;
    • Consumer Composite Investments (CCI) Regulation: the FCA published a second consultation paper on the new CCI regime on 16 April (see our update) and plans to issue a Policy Statement with final rules in late 2025;
    Read more.
  • UK PRA business plan 2025/26
    10 April 2025

    The Prudential Regulation Authority (PRA) has published its Business Plan 2025/26, which sets out its workplan and the regulatory initiatives intended to advance its strategic priorities. This year's business plan is said to reflect the evolution of the PRA's priorities, and in particular the work it is doing to deliver its new secondary objective on competitiveness and growth. Specific initiatives include:
    • Implementing the Basel 3.1 standards, where the PRA intends to publish its final rules, once Parliament has revoked the relevant parts of the Capital Requirements Regulation (CRR).
    • Finalising and implementing the strong and simple framework for small domestic deposit takers. During 2025/26, the PRA will finalise the simplified capital regime and the additional liquidity simplifications. It intends to publish a policy statement on these in Q4.

    Read more.
  • ESMA final report on systematic internaliser ITS, volume cap and transparency calculations and trading venue RTS
    10 April 2025

    The European Securities and Markets Authority (ESMA) has published a final report in relation to certain changes being made as a result of the MiFID II/MiFIR review, together with an accompanying press release. The changes covered by this final report were part of the third consultation package following the MiFID II/MiFIR review, and relate to:
    • A new set of implementing technical standards for investment firms notifying competent authorities when they gain the status of systematic internaliser or decide to opt in to the systematic internaliser regime. ESMA confirmed that it is making some changes to the original proposals, including reducing the number of reporting fields in the notification template to ease the reporting burden and extending the notification period from two weeks to 20 calendar days. ESMA also confirmed it will discuss with competent authorities the areas where further guidance is required.

    Read more.
  • European Commission calls on Member States to fully transpose EU DORA Directive
    27 March 2025

    The European Commission (EC) has announced that it has opened infringement procedures by sending a letter of formal notice to 13 Member States (Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the Digital Operational Resilience Act Directive (Directive 2022/2556) (DORA Directive). Member States had to transpose the DORA Directive into national law by 17 January. The Member States concerned now have two months to respond and to complete their transposition and notify their measures to the EC. In the absence of a satisfactory response, the EC may decide to issue a reasoned opinion, the second stage of the formal infringement procedure.
  • European Commission adopts RTS on the elements to assess when subcontracting certain ICT services under DORA
    24 March 2025

    The European Commission has adopted a Delegated Regulation supplementing Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. Articles 1 and 2 establish the rules on proportionality and group application. Article 3 sets out the rules on due diligence and risk assessment for the use of subcontractors supporting critical or important functions. Article 4 establishes the description of, and the conditions under which, ICT services supporting a critical or important function may be subcontracted. Articles 5 and 6 contain the rules on material changes to subcontracting arrangements for ICT services supporting critical or important functions and the provisions on termination of the contractual arrangement. The Delegated Regulation will enter into force 20 days after its publication in the Official Journal of the EU.
  • RTS on criteria for the composition of joint examination teams under EU DORA published in OJ
    24 March 2025

    Commission Delegated Regulation 2025/420 has been published in the Official Journal of the EU. This Delegated Regulation supplements Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) with regard to regulatory technical standards (RTS) to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the European Supervisory Authorities and from the relevant competent authorities, their designation, tasks and working arrangements. The Delegated Regulation will enter into force on 13 April.
  • EU DORA guidelines on estimation of costs of major ICT-related incidents published
    18 March 2025

    Translations have been published of the joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines supplement the EU Digital Operational Resilience Act (DORA) which requires that financial entities report on request to their national competent authorities an estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines indicate how those estimations should be arrived at and include a related reporting template. The guidelines will apply from 19 May.
  • ESMA guidelines on maintenance of systems and security access protocols under MiCAR
    26 February 2025

    The European Securities and Markets Authority (ESMA) has published official translations of the guidelines on the maintenance of systems and security access protocols for offerors and persons seeking admission to trading of cryptoassets other than asset referenced tokens (ARTs) and e-money tokens (EMTs). The guidelines apply to competent authorities and to 'offerors' as defined in Article 3(1)(13) of the Markets in Crypto-Assets Regulation (MiCAR) and persons seeking admission to trading of cryptoassets other than ARTs or EMTs in relation to Article 14(1), point (d), of MiCAR.

    The purpose of these guidelines is to specify appropriate standards for offerors and persons seeking admission to trading, who are not subject to the same operational resilience requirements under MiCAR and the Digital Operational Resilience Regulation as their cryptoasset service provider and issuer counterparts. The guidelines cover: (i) the general principle of proportionality; (ii) administrative arrangements and roles and responsibilities concerning systems and security access protocols; (iii) physical security access protocols; (iv) security access protocols for network and information systems; and (v) cryptographic key management.

    The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines. Offerors and persons seeking admission to trading are not required to report whether they comply with the guidelines.
  • ESMA guidelines on reverse solicitation under MiCAR
    26 February 2025

    The European Securities and Markets Authority (ESMA) has published official translations of its guidelines on situations in which a third-country firm is deemed to solicit clients established or situated in the EU and supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto-Assets Regulation (MiCAR). The guidelines apply to competent authorities in relation to Article 61(3) of MiCAR. The guidelines include discussion of: (i) the means of solicitation; (ii) the fact that the solicitation may be carried out by the third-country firm itself or any person acting on its behalf or having close links with the third-country firm; and (iii) the construction of the concept of 'exclusive initiative of the client'. The Annex to the guidelines contains a non-exhaustive list of examples of circumstances where a third-country firm is likely to be regarded as soliciting clients in the EU.

    The guidelines will apply from 27 April. National competent authorities must notify ESMA by 26 April whether they comply, do not comply but intend to comply or do not intend to comply with the guidelines.
  • EU DORA technical standards published
    20 February 2025

    Two delegated acts were published in the Official Journal of the European Union (OJ) in respect of the EU Digital Operational Resilience Act (DORA). These are:
    • Commission Delegated Regulation (EU) 2025/301, which comprises regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.
    • Commission Implementing Regulation (EU) 2025/302, which comprises implementing technical standards for the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.

    Both sets of technical standards relate to ICT-related incident management, one of the key pillars of DORA, and are mandated by Article 20 of DORA, which seeks to harmonise the content of reports and the templates used for ICT-related incidents and cyber threats. The Delegated and Implementing Regulations will enter into force on the twentieth day following their publication in the OJ.
  • ESAs roadmap for designation of critical ICT third-party service providers under DORA
    18 February 2025

    The European Supervisory Authorities (ESAs) have published a roadmap for the designation of critical ICT third-party service providers (CTPPs) under the EU Digital Operational Resilience Act (DORA). The roadmap sets out the key dates between now and the end of the year, in four milestones:
    • By 30 April, the ESAs will collect the registers of information that financial entities submitted to the competent authorities.
    • By the end of July, the ESAs will perform criticality assessments required under DORA and notify third-party service providers if they are classified as critical.
    • By the first half of September, there will be a hearing period where ICT third-party service providers may object to the assessment, with a reasoned statement and supporting information.
    • By the end of this year, the ESAs will have designated and published the list of CTPPs and started the oversight engagement.

    Alongside the roadmap, the European Banking Authority published a press release confirming that ICT third-party service providers not designated as critical may voluntarily request to be designated as critical once the list of CTPPs is published, with details of how to make such a request to be provided soon. The ESAs also plan to organise a workshop with ICT third-party providers in Q2 this year, with details to be published in due course.
  • European Commission adopts Delegated Regulation on RTS on threat-led penetration testing under DORA
    13 February 2025

    The European Commission (EC) has adopted a Commission Delegated Regulation supplementing the Digital Operational Resilience Act (DORA) with RTS specifying the criteria used to identify financial entities required to perform threat-led penetration testing (TLPT). Article 26(11) of DORA mandates the European Supervisory Authorities (ESAs), in agreement with the European Central Bank (ECB), to develop joint draft RTS in accordance with the ECB's European framework for threat intelligence-based ethical red teaming (TIBER-EU framework) to specify further: (i) the criteria for identifying financial entities required to perform TLPT; (ii) the requirements regarding the scope, methodology and results of TLPT; (iii) the requirements and standards governing the use of internal testers; and (iv) the rules on supervisory and other cooperation needed for the implementation of TLPT and for mutual recognition of testing. The Delegated Regulation will enter into force on the 20th day following its publication in the Official Journal of the EU. The ECB has also published an updated version of the TIBER-EU framework that aligns with the DORA RTS on TLPT.
  • European Banking Authority publishes amending guidelines on ICT and security risk management in the context of DORA
    11 February 2025

    The European Banking Authority (EBA) has published a final report with amending guidelines in respect of Guidelines EBA/GL/2019/04 on ICT and security risk management. The EBA reviewed the Guidelines in light of the Digital Operational Resilience Act (DORA), which introduced harmonised requirements for the ICT risk management framework (RMF), incident reporting, third-party risk management and testing for certain financial entities. The entities subject to DORA and the related RTS on the RMF overlap with those subject to the Guidelines. To ensure transparency and legal certainty, the EBA therefore concluded that the entities subject to the Guidelines should be narrowed, and that the scope of the Guidelines should be reduced to cover certain institutions providing payment services that are not within the scope of DORA, and the guidelines on relationship management for payment services where this is not covered by the DORA requirements. The amending guidelines will be translated into the official EU languages and will apply at the latest two months after issuance.