New Regulation Strengthens EU Financial Sector’s Digital Resilience

The recent publication of Commission Delegated Regulation (EU) 2025/420 in the Official Journal of the European Union marks a further step in implementing Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA). DORA aims to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions. Delegated Regulation 2025/420 lays down the regulatory technical standards (RTS) that define the criteria for the composition and functioning of the joint examination teams established under DORA's oversight framework for critical ICT third-party service providers. These teams bring together staff from the three European Supervisory Authorities (ESAs: the EBA, EIOPA and ESMA) and from the relevant national competent authorities (NCAs).

From a legal perspective, the Delegated Regulation gives effect to the mandate in Article 41(1)(c) of DORA, which tasks the ESAs with specifying criteria that ensure a balanced participation of ESA and NCA staff in the joint examination team set up by the Lead Overseer. It sets out how team members are designated, what tasks they perform and the working arrangements they follow when examining critical ICT third-party service providers (CTPPs). Standardising these oversight mechanisms across the EU reduces the risk of fragmentation that could otherwise arise from differing national approaches.

Ethically, the regulation supports transparency and accountability in the oversight of the financial sector. Clear standards for the joint examination teams reduce the risk of conflicts of interest and ensure fair representation across authorities. In particular, a balanced team composition prevents any single authority or jurisdiction from dominating an examination, which could otherwise compromise the impartiality of oversight.

In terms of industry implications, the Delegated Regulation is set to strengthen trust in the EU's financial system by reinforcing its cyber resilience. CTPPs can expect increased scrutiny, but this also gives them an opportunity to demonstrate compliance with high security standards and thereby strengthen their market reputation. For instance, a major cloud service provider designated as critical, on which many financial entities depend, will face coordinated examinations by a single joint team that considers both technological and systemic risks, rather than separate inquiries from individual national authorities. The standardised framework also helps ICT providers understand what is expected of them, reducing ambiguities that could lead to legal disputes.

The Delegated Regulation enters into force on 13 April 2025, signalling to stakeholders the urgency of aligning their practices with the new requirements. Financial entities and their critical ICT providers should invest proactively in ICT risk management and in cooperation with the supervisory authorities to ensure smooth compliance. Overall, this development represents a significant step toward a unified and resilient financial ecosystem in the face of escalating digital threats.
