DATE OF UPDATE: 24 March 2025
LINKS
Register of Commission Documents - C(2025)1682
JC 2025 06 ESAs Opinion on the rejection of the RTS on subcontracting under DORA (PDF, 182KB)
DORA Compliance: What is an ICT Service?
CURRENT STATUS
The European Commission has adopted a Delegated Regulation supplementing DORA and setting down regulatory technical standards (RTS) (under Article 30(5) of DORA) for requirements when the use of sub-contracted ICT services supporting critical or important functions (or material parts of such functions) by ICT third-party service providers is permitted by financial entities.
WHY IS THIS APPLICABLE TO CLIENTS?
The European Commission initially rejected a version of the draft RTS because of concerns that requirements relating to the chain of ICT sub-contractors went beyond the mandate given to the European Supervisory Authorities (ESAs). The Joint Committee of the ESAs subsequently accepted the Commission's proposed amendments.
NEXT STEPS
This delegated act will be published in the Official Journal of the EU and enter into force if the European Parliament or the Council of the EU do not object to it, in accordance with Article 290(2) of the Treaty on the Functioning of the EU.
Cyber Resilience Act – Feedback on Draft Implementing Regulation
DATE OF UPDATE: 13 March 2025
APPLICABLE DATES:
The portal is open until 10 April 2025.
LINKS
Technical description of important and critical products with digital elements
Ensuring cyber resilience for connected products
CURRENT STATUS
The Cyber Resilience Act (Regulation (EU) 2024/2847) requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in Annex III and IV to the Regulation.
The Commission is seeking feedback on a Draft Implementing regulation. Commission adoption of this Implementing regulation is planned for the third quarter of 2025.
WHY IS THIS APPLICABLE TO CLIENTS?
The Cyber Resilience Act introduces cybersecurity requirements for products with digital elements throughout their whole lifecycle; from product design phase through to obsolescence. Its application will be of interest to both manufacturers and users of the in-scope products.
NIS2 -Enforcement
DATE OF UPDATE: 5 March 2025
APPLICABLE DATES:
The NIS2 Directive came into effect from 17 October 2024 but remains subject to the enactment of domestic Irish legislation to fully transpose its provisions.
LINKS
The Network and Information Security (NIS2) Directive
Are you Cyber Ready? Key Points of the NIS2 Directive
CURRENT STATUS
ENISA has published its NIS360 2024 Report identifying areas for improvement and tracking of progress across the sectors relevant to the Network and Information Security Directive 2022/2555 (NIS2 Directive).
WHY IS THIS APPLICABLE TO CLIENTS?
The NIS2 Directive applies to a wide range of sectors to include digital infrastructure and digital providers such as online marketplaces, online search engines and social networking services platforms.
Cybersecurity - EU framework for Cybersecurity Crisis Management
DATE OF UPDATE: 24 February 2025
LINKS
CURRENT STATUS
The European Commission has presented a proposal to ensure an effective and efficient response to large-scale cyber incidents. The proposed blueprint updates the comprehensive EU framework for Cybersecurity Crisis Management and maps the relevant EU actors, outlining their roles throughout the entire crisis lifecycle. The proposal updates the blueprint set out in Commission Recommendation (EU) 2017/1584.
WHY IS THIS APPLICABLE TO CLIENTS?
The blueprint seeks to enable relevant Union-actors (meaning Union-level individual entities and networks of entities) to understand how to interact and make the best use of available mechanisms across the full crisis management lifecycle.
DORA – Delegated Regulation 2025/301 and Implementing Regulation 2025/302
DATE OF UPDATE: 20 February 2025
APPLICABLE DATES:
The Regulations enter into force on the 20th day after publication in the Official Journal, i.e. 12 March 2025.
LINKS
Delegated regulation - EU - 2025/301 - EN - EUR-Lex
Implementing regulation - EU - 2025/302 - EN - EUR-Lex
Reporting Major ICT-related Incidents and Significant Cyber Threats | Central Bank of Ireland
CURRENT STATUS
Two new Acts were published in the Official Journal of the European Union:
- Commission Delegated Regulation (EU) 2025/301 supplementing DORA with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
- Commission Implementing Regulation (EU) 2025/302 laying down implementing technical standards for the application of DORA with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
WHY IS THIS APPLICABLE TO CLIENTS?
From 17 January 2025, financial entities subject to DORA are obliged to submit reports on major ICT-related incidents to the Central Bank, where the required criteria and thresholds have been met. In scope financial entities may also submit reports on significant cyber threats.
The Delegated Regulation and Implementing Regulation contain further information on these reporting requirements.
The CBI has also issued guides for these reports.
DORA – Frequently Asked Questions
DATE OF UPDATE: 14 February 2025
APPLICABLE DATES:
Financial entities will need to submit their first Register of Information containing the 105 prescribed data points for each contract with an ICT Service Provider during the first week of April.
LINKS
20250214 - DORA RoI reporting FAQ (PDF, 1445 KB)
DORA Register of Information - Achieving a Key Milestone
DORA Register of Information – The Final Stretch
Guide to Submitting DORA Registers on the Central Bank of Ireland Portal (PDF, 2.5MB)
CURRENT STATUS
The European Supervisory Authorities have updated their FAQ about the preparation and the reporting of the registers of information of contractual arrangements with the ICT third-party providers that financial entities need to maintain in accordance with Article 28(3) DORA and as specified in the Commission Implementing Regulation (EU) 2024/2956 (ITS on the registers of information).
WHY IS THIS APPLICABLE TO CLIENTS?
Financial entities in scope of DORA will be paying attention to the guidance issued by the European Supervisory Authorities in order to ensure compliance with DORA by the various deadlines.
DORA – Commission Delegated Regulation 2025/295
DATE OF UPDATE: 13 February 2025
APPLICABLE DATES:
This Delegated Regulation took effect on 5 March 2025.
LINKS
Delegated regulation - EU - 2025/295 - EN - EUR-Lex
CURRENT STATUS
Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing DORA with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities was published in the Official Journal of the European Union.
DORA – Irish Regulations: S.I. No. 20 of 2025
DATE OF UPDATE: 11 February 2025
LINKS
S.I. No. 20/2025 - European Union (Digital Operational Resilience) (No. 2) Regulations 2025
CURRENT STATUS
The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 give effect to DORA in Ireland.
WHY IS THIS APPLICABLE TO CLIENTS?
The primary effect of S.I. No. 20 of 2025 is to set out the enforcement powers of the CBI under DORA.
DORA – Irish Regulations: S.I. No. 12 of 2025
DATE OF UPDATE: 17 January 2025
APPLICABLE DATES:
S.I. No. 12 of 2025 came into operation on 17 January 2025.
LINKS
S.I. No. 12/2025 - European Union (Digital Operational Resilience) Regulations 2025
CURRENT STATUS
European Union (Digital Operational Resilience) Regulations 2025 give effect to DORA in Ireland as regards digital operational resilience for the financial sector.
WHY IS THIS APPLICABLE TO CLIENTS?
S.I. No. 12 of 2025 amends a number of Regulations with the general effect that the financial entities each S.I. regulates must implement appropriate security and business continuity measures to ensure operational resilience in accordance with DORA.
Regulation (EU) 2025/38 ("Cyber Solidarity Act”)
DATE OF UPDATE: 15 January 2025
APPLICABLE DATES:
The Cyber Solidarity Act entered into force on 4 February 2025.
LINKS
Regulation - EU - 2025/38 - EN - EUR-Lex
The EU Cyber Solidarity Act | Shaping Europe's digital future
CURRENT STATUS
Regulation (EU) 2025/38 of the European Parliament and of the Council of 19 December 2024 laying down measures to strengthen solidarity and capacities in the Union to detect, prepare for and respond to cyber threats and incidents and amending Regulation (EU) 2021/694 was published in the Official Journal of the European Union.
WHY IS THIS APPLICABLE TO CLIENTS?
The Cyber Solidarity Act will improve the preparedness, detection and response to cybersecurity incidents across the EU.
Regulation (EU) 2025/37 amending Regulation (EU) 2019/881 as regards managed security services
DATE OF UPDATE: 15 January 2025
APPLICABLE DATES:
Regulation (EU) 2025/37 entered into force on 4 February 2025.
LINKS
Regulation - EU - 2025/37 - EN - EUR-Lex
Proposed Regulation on ‘managed security services' amendment. | Shaping Europe's digital future
CURRENT STATUS
This Regulation contains a targeted amendment to the Cybersecurity Act (Regulation (EU) 2019/881). It was published in the Official Journal of the European Union in January. The amendment will enable the establishment of European certification schemes for these managed security services, in addition to information and technology (ICT) products, ICT services and ICT processes, which are already covered under the Cybersecurity Act.
WHY IS THIS APPLICABLE TO CLIENTS?
The amendment to the Cybersecurity Act will be of interest to managed security services and organisations that use these services.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
