Category: DORA

The Hidden Story Behind DORA Incident Reporting: From ICT Incidents to Dependency Intelligence
The European Supervisory Authorities’ first annual report on major ICT-related incidents under DORA offers a valuable snapshot of operational resilience across the EU financial sector. The headline figures are already receiving attention: 3,383 major ICT-related incidents were reported in 2025, approximately one third had a cross-border impact, and system failures emerged as the dominant driver…

ICT Risk Is Now Embedded in SREP: What the EBA’s 2026 Follow-Up Means
The EBA’s 2026 follow-up confirms ICT risk is now fully embedded in SREP under DORA. What this structural shift means for EU financial institutions.
DORA TLPT in Practice: A Supervisory Perspective
1. Why TLPT matters under DORA: Threat-Led Penetration Testing (TLPT) occupies a distinct place within the DORA framework. It is not intended to be another technical control, nor a more advanced form of penetration testing. Its purpose is fundamentally different. From a supervisory perspective, TLPT is designed to test whether an organisation can withstand, respond…

DORA: What Financial Institutions Must Prepare For
DORA (Digital Operational Resilience Act) is an EU regulation, effective January 2025, that harmonises ICT risk management for financial entities (banks, insurers, etc.) and critical third-party providers. It requires robust frameworks for ICT risk management, incident reporting, testing, third-party risk management, and information sharing, so that these entities can withstand, respond to, and recover from digital disruptions such as cyberattacks, creating a unified, resilient EU…