Last Updated on June 11, 2025 by Arnaud Collignon
What is the primary purpose of this regulation concerning the financial sector?
The primary purpose of this regulation (Regulation (EU) 2022/2554, the Digital Operational Resilience Act, commonly abbreviated DORA) is to achieve a high level of digital operational resilience for regulated financial entities across the European Union. It addresses the amplified ICT risk that results from increased digitalisation and interconnectedness, which make the financial sector particularly exposed to cyber threats and ICT disruptions. The regulation harmonises disparate existing rules and fills gaps in areas such as ICT-related incident reporting and digital operational resilience testing, where inconsistencies and divergent national rules had emerged. By establishing a single framework, it aims to strengthen the financial sector’s ability to withstand, respond to and recover from ICT-related incidents, so that financial services continue to be provided at the expected quality and the stability and integrity of the financial system are preserved.
What entities are subject to this regulation, and are there any exemptions?
This regulation applies to a broad range of financial entities, collectively referred to as ‘financial entities.’ This includes, but is not limited to:
- Credit institutions
- Payment institutions (including those exempted under Directive (EU) 2015/2366, PSD2)
- Account information service providers
- Electronic money institutions (including those exempted under Directive 2009/110/EC)
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories, central counterparties, trading venues, and trade repositories
- Managers of alternative investment funds and management companies
- Data reporting service providers
- Insurance and reinsurance undertakings, and their intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- ICT third-party service providers.
However, certain entities are excluded, or may be excluded, from its scope:
- The regulation itself excludes, among others, post office giro institutions (Article 2(5), point (3), of Directive 2013/36/EU), sub-threshold managers of alternative investment funds (Article 3(2) of Directive 2011/61/EU), small insurance and reinsurance undertakings (Article 4 of Directive 2009/138/EC), institutions for occupational retirement provision whose schemes together have no more than 15 members, persons exempted under Articles 2 and 3 of Directive 2014/65/EU, and insurance, reinsurance and ancillary insurance intermediaries that are microenterprises or small or medium-sized enterprises.
- Member States may additionally exclude the entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU that are located within their respective territories, provided they inform the Commission of the exclusion and of any subsequent changes.
- The Oversight Framework for critical ICT third-party service providers does not apply to financial entities providing ICT services to other financial entities, to ICT third-party service providers already subject to oversight frameworks established to support the tasks of the European System of Central Banks, to ICT intra-group service providers, or to ICT third-party service providers that provide ICT services solely in one Member State to financial entities active only in that Member State.
What is “digital operational resilience” and why is it crucial for financial entities?
“Digital operational resilience” is defined as the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through services provided by ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems it uses. Those systems must support the continued provision of financial services and their quality, including throughout disruptions.
It is crucial for financial entities because the pervasive use of ICT systems, high digitalization, and interconnectedness are core features of modern financial activities. This increased reliance on technology amplifies ICT risk, making the financial system highly vulnerable to cyber threats and ICT disruptions. Without robust digital operational resilience, vulnerabilities can remain undetected, leading to significant adverse impacts on the stability and integrity of the financial sector, potentially causing substantial losses for entities and jeopardizing financial stability across the Union.
How does the regulation address ICT third-party risk, especially with critical providers?
The regulation places significant emphasis on managing ICT third-party risk, recognizing the systemic risk posed by increased outsourcing and concentration on critical ICT third-party service providers. Key principles for sound management of this risk include:
- Strategy on ICT Third-Party Risk: Financial entities, other than microenterprises and entities subject to the simplified ICT risk management framework, must adopt and regularly review a strategy on ICT third-party risk as part of their overall ICT risk management framework, taking into account a multi-vendor strategy where applicable.
- Pre-contracting Analysis and Due Diligence: A thorough analysis must precede contractual arrangements, focusing on the criticality of services, supervisory approvals, potential concentration risk, and due diligence in selecting and assessing providers. For critical functions, providers should adhere to the highest information security standards.
- Contractual Harmonization: Essential contractual elements with ICT third-party service providers are harmonized to enable full monitoring of risks by financial entities, ensuring stability, functionality, availability, and security of received ICT services.
- Exit Strategies: Financial entities must put in place clear exit strategies for critical or important functions to ensure continuity of services, allowing for smooth transitions to other providers or in-house solutions in case of provider failure, service deterioration, or contract termination.
- ICT Concentration Risk Assessment: Financial entities must assess whether new contracts for critical or important functions would lead to reliance on easily unsubstitutable providers or multiple arrangements with the same provider. While avoiding rigid caps, the regulation aims to promote a balanced solution to concentration risk.
- Oversight Framework: A specific Oversight Framework is established for critical ICT third-party service providers. This framework involves:
  - Designation: Critical ICT third-party service providers are designated based on criteria like systemic impact on financial stability, the systemic importance of relying financial entities, reliance on critical or important functions, and the degree of substitutability.
  - Lead Overseer: A Lead Overseer (one of the European Supervisory Authorities – ESAs) is appointed for each designated critical ICT third-party service provider to continuously monitor their activities.
  - Supervisory Powers: The Lead Overseer has powers to conduct assessments, request information, issue recommendations, and impose penalty payments for non-compliance.
  - Union Subsidiary Requirement: Critical ICT third-party service providers established in a third country must establish a subsidiary in the Union within 12 months of designation to enable effective oversight.
  - International Cooperation: The ESAs can enter into administrative arrangements with third-country authorities to foster cooperation on ICT third-party risk.
The regulation also emphasizes that intra-group ICT service provision should not be automatically considered less risky and should generally be subject to the same regulatory framework, though higher control may be considered in risk assessment.
What are the requirements for digital operational resilience testing, including advanced testing?
Financial entities are required to establish a comprehensive digital operational resilience testing program as an integral part of their ICT risk management framework. This program mandates:
- Regular Testing: Financial entities (other than microenterprises) must ensure that appropriate tests are conducted at least yearly on all ICT systems and applications supporting critical or important functions.
- Types of Tests: The program should include a range of tests such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, scenario-based tests, and penetration testing. Central securities depositories and central counterparties must in addition perform vulnerability assessments before any deployment or redeployment of new or existing applications, infrastructure components and ICT services supporting critical or important functions.
- Threat-Led Penetration Testing (TLPT):
  - Financial entities identified by their competent authority on the basis of impact-related factors, financial stability concerns (including the systemic character of the entity at Union or national level) and their specific ICT risk profile must carry out advanced testing by means of TLPT at least every three years. The competent authority may, where necessary, ask an entity to reduce or increase this frequency based on its risk profile and operational circumstances.
  - TLPT mimics the tactics, techniques and procedures of real-life threat actors and delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.
  - ICT third-party service providers can be included in the scope of TLPT, with the financial entity retaining full responsibility at all times. Pooled TLPT involving multiple financial entities is permitted under specific conditions, for example where a provider’s participation in separate tests would adversely affect the quality or security of its services to customers outside the scope of the test.
  - Internal testers can be used for TLPT where the competent authority has approved their use and verified that the entity has sufficient dedicated resources and that conflicts of interest are avoided, but external testers must be contracted for every third test. The threat intelligence provider for TLPT must always be external. Microenterprises and entities subject to the simplified ICT risk management framework are exempt from TLPT requirements.
- Mutual Recognition: The regulation facilitates a coordinated testing regime and mutual recognition of advanced testing results across different jurisdictions, especially for cross-border financial entities, allowing them to incur testing costs in one jurisdiction only.
What are the requirements for ICT-related incident management and reporting?
Financial entities must define, establish, and implement a robust ICT-related incident management process to detect, manage, and notify incidents. Key requirements include:
- Incident Recording and Follow-up: All ICT-related incidents and significant cyber threats must be recorded. Entities need procedures to ensure consistent and integrated monitoring, handling, and follow-up, identifying root causes, and implementing remediation to prevent recurrence. Incidents must be classified, and major ones identified, using criteria such as the number of clients or counterparts affected, duration, geographical spread, data losses, the criticality of the services affected and the economic impact.
- Reporting Major Incidents: Major ICT-related incidents must be reported to the relevant competent authority in stages (an initial notification, an intermediate report and a final report) within the time limits laid down in the associated technical standards. The competent authority forwards the details to the relevant ESA (EBA, ESMA or EIOPA) and, where applicable, the ECB, which assess, in consultation with ENISA, whether the incident is relevant for competent authorities in other Member States and notify them accordingly to protect financial system stability.
- Client Notification: Where a major ICT-related incident impacts clients’ financial interests, financial entities must inform their clients without undue delay about the incident and the measures taken to mitigate adverse effects.
- Information Sharing: Competent authorities also transmit details of major ICT-related incidents to the competent authorities, single points of contact or CSIRTs (Computer Security Incident Response Teams) designated under Directive (EU) 2022/2555 (NIS2), and, where the incident poses a risk to critical functions, to resolution authorities and the Single Resolution Board. Financial entities may, on a voluntary basis, notify significant cyber threats to their competent authority and may also notify CSIRTs designated under that Directive.
What role do the European Supervisory Authorities (ESAs) and other bodies play in this regulatory framework?
The European Supervisory Authorities (EBA, EIOPA, ESMA) play a central and significant role in the implementation and oversight of this regulation, often acting jointly through the Joint Committee. Their roles include:
- Developing Technical Standards: The ESAs are mandated to develop common draft regulatory technical standards (RTS) and implementing technical standards (ITS) to specify further details of the regulation, such as elements of the ICT risk management framework, ICT business continuity policy, and advanced testing requirements (TLPT).
- Oversight of Critical ICT Third-Party Service Providers: Through the Joint Committee and upon recommendation from the Oversight Forum, the ESAs designate critical ICT third-party service providers and appoint a Lead Overseer (one of the ESAs) for each. The Lead Overseer is responsible for assessing, monitoring, and overseeing these critical providers.
- Maintaining Lists: The ESAs, through the Joint Committee, establish, publish, and update yearly the list of critical ICT third-party service providers at Union level.
- Information Sharing and Coordination: The ESAs, in consultation with ENISA (European Union Agency for Cybersecurity) and in cooperation with competent authorities, assess and notify relevant competent authorities in other Member States about major ICT-related incidents. They also foster international cooperation on ICT third-party risk by concluding administrative arrangements with third-country authorities.
- Enforcement: While national competent authorities primarily impose administrative penalties and remedial measures, the Lead Overseer for critical ICT third-party service providers can impose daily penalty payments for non-compliance with recommendations.
Other important bodies include:
- European Central Bank (ECB): Provides opinions on legislative acts and is notified by the ESAs about major ICT-related incidents, particularly those relevant to the payment system. It also acts as the competent authority for significant credit institutions under Regulation (EU) No 1024/2013.
- National Competent Authorities: Designated to oversee compliance by financial entities within their respective Member States, including the power to impose administrative penalties and remedial measures. They can also designate a single public authority for TLPT matters or delegate tasks.
- ENISA: Consulted by the ESAs for developing common draft regulatory technical standards, particularly regarding cybersecurity aspects.
When does this regulation come into force and what are its broader implications?
This regulation was published in the Official Journal of the European Union on 27 December 2022 and entered into force on the twentieth day following publication, 16 January 2023. Its provisions apply from 17 January 2025.
The broader implications of this regulation are significant for the financial sector within the EU and for ICT third-party service providers globally:
- Harmonization and Consistency: It establishes a single, coherent set of rules on digital operational resilience across the entire EU financial sector, addressing previous fragmentation, gaps, and inconsistencies caused by divergent national approaches. This reduces operational challenges and costs for cross-border financial entities.
- Enhanced Cybersecurity Posture: By mandating comprehensive ICT risk management frameworks, regular testing (including TLPT), and robust incident management and reporting, the regulation aims to significantly improve the financial sector’s ability to prevent, detect, respond to, and recover from cyber threats and ICT disruptions.
- Increased Oversight of Third-Party Dependencies: The establishment of a dedicated Oversight Framework for critical ICT third-party service providers signals a proactive approach to managing concentration risk and ensuring the resilience of services outsourced by financial entities, even those provided from outside the EU. The requirement for critical non-EU providers to establish a Union subsidiary is a notable aspect of this.
- Systemic Stability: The regulation acknowledges the systemic nature of ICT risk in the financial sector. By enhancing the resilience of individual entities and critical third-party providers, it aims to protect the overall stability and integrity of the Union’s financial system.
- Accountability: It places clear responsibilities on financial entities’ management bodies for their digital operational resilience strategies and risk management.
- Adaptability to Technological Developments: The broad definition of “ICT services” and the emphasis on continuous monitoring and review indicate an intention to keep pace with evolving technological landscapes and emerging risks.