ARTICLE
16 April 2025

Technology And Innovation Client Update: January To March 2025 - DORA – Commission Delegated Regulation

Arthur Cox

Contributor

Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.

DATE OF UPDATE: 24 March 2025

LINKS

Register of Commission Documents - C(2025)1682

JC 2025 06 ESAs Opinion on the rejection of the RTS on subcontracting under DORA (PDF, 182KB)

DORA Compliance: What is an ICT Service?

CURRENT STATUS

The European Commission has adopted a Delegated Regulation supplementing DORA and setting down regulatory technical standards (RTS) (under Article 30(5) of DORA) for requirements when the use of sub-contracted ICT services supporting critical or important functions (or material parts of such functions) by ICT third-party service providers is permitted by financial entities.

WHY IS THIS APPLICABLE TO CLIENTS?

The European Commission initially rejected a version of the draft RTS because of concerns that requirements relating to the chain of ICT sub-contractors went beyond the mandate given to the European Supervisory Authorities (ESAs). The Joint Committee of the ESAs subsequently accepted the Commission's proposed amendments.

NEXT STEPS

This delegated act will be published in the Official Journal of the EU and enter into force if neither the European Parliament nor the Council of the EU objects to it, in accordance with Article 290(2) of the Treaty on the Functioning of the EU.

Cyber Resilience Act – Feedback on Draft Implementing Regulation

DATE OF UPDATE: 13 March 2025

APPLICABLE DATES:

The portal is open until 10 April 2025.

LINKS

Technical description of important and critical products with digital elements

Ensuring cyber resilience for connected products

CURRENT STATUS

The Cyber Resilience Act (Regulation (EU) 2024/2847) requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in Annex III and IV to the Regulation.

The Commission is seeking feedback on a draft Implementing Regulation. Commission adoption of this Implementing Regulation is planned for the third quarter of 2025.

WHY IS THIS APPLICABLE TO CLIENTS?

The Cyber Resilience Act introduces cybersecurity requirements for products with digital elements throughout their whole lifecycle, from the product design phase through to obsolescence. Its application will be of interest to both manufacturers and users of the in-scope products.

NIS2 – Enforcement

DATE OF UPDATE: 5 March 2025

APPLICABLE DATES:

The NIS2 Directive came into effect from 17 October 2024 but remains subject to the enactment of domestic Irish legislation to fully transpose its provisions.

LINKS

ENISA NIS360 2024 report: A comprehensive look at cybersecurity maturity and criticality of NIS2 sectors | ENISA

The Network and Information Security (NIS2) Directive

Are you Cyber Ready? Key Points of the NIS2 Directive

CURRENT STATUS

ENISA has published its NIS360 2024 Report identifying areas for improvement and tracking of progress across the sectors relevant to the Network and Information Security Directive 2022/2555 (NIS2 Directive).

WHY IS THIS APPLICABLE TO CLIENTS?

The NIS2 Directive applies to a wide range of sectors, including digital infrastructure and digital providers such as online marketplaces, online search engines and social networking services platforms.

Cybersecurity - EU framework for Cybersecurity Crisis Management

DATE OF UPDATE: 24 February 2025

LINKS

Commission launches new cybersecurity blueprint to enhance EU cyber crisis coordination | Shaping Europe's digital future

CURRENT STATUS

The European Commission has presented a proposal to ensure an effective and efficient response to large-scale cyber incidents. The proposed blueprint updates the comprehensive EU framework for Cybersecurity Crisis Management and maps the relevant EU actors, outlining their roles throughout the entire crisis lifecycle. The proposal updates the blueprint set out in Commission Recommendation (EU) 2017/1584.

WHY IS THIS APPLICABLE TO CLIENTS?

The blueprint seeks to enable relevant Union-actors (meaning Union-level individual entities and networks of entities) to understand how to interact and make the best use of available mechanisms across the full crisis management lifecycle.

DORA – Delegated Regulation 2025/301 and Implementing Regulation 2025/302

DATE OF UPDATE: 20 February 2025

APPLICABLE DATES:

The Regulations enter into force on the 20th day after publication in the Official Journal, i.e. 12 March 2025.

LINKS

Delegated regulation - EU - 2025/301 - EN - EUR-Lex

Implementing regulation - EU - 2025/302 - EN - EUR-Lex

Reporting Major ICT-related Incidents and Significant Cyber Threats | Central Bank of Ireland

CURRENT STATUS

Two new Acts were published in the Official Journal of the European Union:

  • Commission Delegated Regulation (EU) 2025/301 supplementing DORA with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
  • Commission Implementing Regulation (EU) 2025/302 laying down implementing technical standards for the application of DORA with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat

WHY IS THIS APPLICABLE TO CLIENTS?

From 17 January 2025, financial entities subject to DORA are obliged to submit reports on major ICT-related incidents to the Central Bank, where the required criteria and thresholds have been met. In-scope financial entities may also submit reports on significant cyber threats.

The Delegated Regulation and Implementing Regulation contain further information on these reporting requirements.

The CBI has also issued guides for these reports.

DORA – Frequently Asked Questions

DATE OF UPDATE: 14 February 2025

APPLICABLE DATES:

Financial entities will need to submit their first Register of Information containing the 105 prescribed data points for each contract with an ICT Service Provider during the first week of April.

LINKS

20250214 - DORA RoI reporting FAQ (PDF, 1445 KB)

DORA Register of Information - Achieving a Key Milestone

DORA Register of Information – The Final Stretch

Guide to Submitting DORA Registers on the Central Bank of Ireland Portal (PDF, 2.5MB)

CURRENT STATUS

The European Supervisory Authorities have updated their FAQ about the preparation and the reporting of the registers of information of contractual arrangements with the ICT third-party providers that financial entities need to maintain in accordance with Article 28(3) DORA and as specified in the Commission Implementing Regulation (EU) 2024/2956 (ITS on the registers of information).

WHY IS THIS APPLICABLE TO CLIENTS?

Financial entities in scope of DORA will be paying attention to the guidance issued by the European Supervisory Authorities in order to ensure compliance with DORA by the various deadlines.

DORA – Commission Delegated Regulation 2025/295

DATE OF UPDATE: 13 February 2025

APPLICABLE DATES:

This Delegated Regulation took effect on 5 March 2025.

LINKS

Delegated regulation - EU - 2025/295 - EN - EUR-Lex

CURRENT STATUS

Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing DORA with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities was published in the Official Journal of the European Union.

DORA – Irish Regulations: S.I. No. 20 of 2025

DATE OF UPDATE: 11 February 2025

LINKS

S.I. No. 20/2025 - European Union (Digital Operational Resilience) (No. 2) Regulations 2025

CURRENT STATUS

The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 give effect to DORA in Ireland.

WHY IS THIS APPLICABLE TO CLIENTS?

The primary effect of S.I. No. 20 of 2025 is to set out the enforcement powers of the CBI under DORA.

DORA – Irish Regulations: S.I. No. 12 of 2025

DATE OF UPDATE: 17 January 2025

APPLICABLE DATES:

S.I. No. 12 of 2025 came into operation on 17 January 2025.

LINKS

S.I. No. 12/2025 - European Union (Digital Operational Resilience) Regulations 2025

CURRENT STATUS

European Union (Digital Operational Resilience) Regulations 2025 give effect to DORA in Ireland as regards digital operational resilience for the financial sector.

WHY IS THIS APPLICABLE TO CLIENTS?

S.I. No. 12 of 2025 amends a number of Regulations with the general effect that the financial entities each S.I. regulates must implement appropriate security and business continuity measures to ensure operational resilience in accordance with DORA.

Regulation (EU) 2025/38 ("Cyber Solidarity Act")

DATE OF UPDATE: 15 January 2025

APPLICABLE DATES:

The Cyber Solidarity Act entered into force on 4 February 2025.

LINKS

Regulation - EU - 2025/38 - EN - EUR-Lex

The EU Cyber Solidarity Act | Shaping Europe's digital future

CURRENT STATUS

Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 was published in the Official Journal of the European Union.

WHY IS THIS APPLICABLE TO CLIENTS?

The Cyber Solidarity Act will improve the preparedness, detection and response to cybersecurity incidents across the EU.

Regulation (EU) 2025/37 amending Regulation (EU) 2019/881 as regards managed security services

DATE OF UPDATE: 15 January 2025

APPLICABLE DATES:

Regulation (EU) 2025/37 entered into force on 4 February 2025.

LINKS

Regulation - EU - 2025/37 - EN - EUR-Lex

Proposed Regulation on 'managed security services' amendment | Shaping Europe's digital future

CURRENT STATUS

This Regulation contains a targeted amendment to the Cybersecurity Act (Regulation (EU) 2019/881). It was published in the Official Journal of the European Union in January. The amendment will enable the establishment of European certification schemes for managed security services, in addition to information and communications technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.

WHY IS THIS APPLICABLE TO CLIENTS?

The amendment to the Cybersecurity Act will be of interest to managed security services and organisations that use these services.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
