DORA Regulation (III): The European Supervisory Authorities in DORA. Keys to their regulatory role
As we have seen, the DORA (Digital Operational Resilience Act) Regulation has not only changed the way the European Union (EU) financial sector manages the risks arising from digitalisation; it has also affected the role played by EU supervisory bodies.
Within this framework, the European Supervisory Authorities (ESAs) play an important role in ensuring regulatory compliance and the security of the digital financial ecosystem. Yet, what functions do they have within the DORA framework?
Below we break down, with some examples, the functions of the ESAs and the advantages they bring.
What are the ESAs, and which ones operate within DORA?
First of all, it is worth explaining what these European Supervisory Authorities (ESAs) are, which are made up of:
- EBA (European Banking Authority): this is the European Union's regulatory body responsible for guaranteeing the stability and integrity of the European banking system. One of its functions is to develop a single regulatory and supervisory framework for all banking entities in the EU. This includes the creation of technical regulations, guidelines and standards that ensure consumer protection, transparency in banking services and prudent management of financial risks.
- ESMA (European Securities and Markets Authority): this authority is responsible for improving the functioning of financial markets and protecting consumers. Its functions include supervising securities markets, rating agencies, financial data providers, etc. Its role is key to guaranteeing a transparent, efficient and stable market, developing (like the EBA) technical standards and various guidelines.
- EIOPA (European Insurance and Occupational Pensions Authority): as the body that supervises the insurance and pensions sector in Europe, EIOPA seeks to protect policyholders, pensioners and beneficiaries by promoting market stability and transparency. Additionally, as with the EBA and ESMA, it develops guidelines, recommendations and technical standards to strengthen the resilience and soundness of entities in the sector.
Therefore, these entities, in coordination with the European Central Bank (ECB) and other national authorities, are responsible for ensuring financial stability in the digital environment, harmonizing regulations and ensuring that entities comply with operational resilience requirements.
Supervision and regulatory compliance
In addition to the requirements set out in the Regulation, another pillar of DORA is the creation of a robust supervisory framework at European level, and in this respect the ESAs have an important role to play, for example when it comes to:
- Supervising financial institutions and essential ICT service providers: They will assess the digital operational resilience of banks, insurers, investment firms and other key players in the financial sector.
- Coordination with other national authorities, which in the case of Spain can be the CNMV, the DGSFP or the BdE: They will guarantee the homogeneous application of DORA in all Member States.
- The application of sanctions (the Draft Law on the Digitalisation and Modernisation of the Financial Sector has recently been published): In case of non-compliance, the ESAs may impose corrective measures and financial sanctions on non-compliant entities.
Incident notification and management
Cyber incident management is key in the DORA Regulation and also in the published technical standards. The ESAs, also in this case, play an important role:
- They centralise information on serious incidents and ensure that entities report within the established deadlines.
- They coordinate responses to try to prevent the spread of threats in the European financial ecosystem.
- They analyze trends and issue recommendations to strengthen the digital security of financial institutions.
- In addition, they can also receive information about significant cyber threats.
Remember that, according to the DORA Regulation, an ICT incident classified as serious must be reported within a maximum period of 24 hours from its detection.
Oversight of third-party ICT service providers
This is perhaps one of the most important issues within DORA, and the Regulation establishes requirements for implementing strict control over ICT providers that are considered essential to the financial sector. Regarding this, the ESAs have the power to:
- Require and maintain a register of the ICT providers used by financial entities at EU level.
- Evaluate and designate critical providers to guarantee their reliability.
- Require periodic audits and risk assessments and carry out other types of supervision.
- Request that measures be taken to correct or mitigate identified deficiencies if they present security risks.
Having well-defined document management with the government also facilitates adaptation to new regulations, integrating improvements without the need to restructure the entire document management system.
Pentesting
The ESAs also oversee threat led penetration testing (TLPT) designed to assess the resilience of entities. The functions to be carried out include:
- Defining TLPT methodologies based on the TIBER-EU framework.
- Evaluating and selecting the entities that must undergo mandatory testing according to their risk profile.
- Supervising the application of corrective measures based on the results of the tests carried out.
Benefits of having the ESAs in the DORA framework
The role of the ESAs within DORA brings benefits to the European financial sector and to service users. Examples include the following:
- Greater harmonization and regulatory consistency: Regulatory differences between countries are avoided, guaranteeing a level playing field for all entities and achieving a more cohesive regulatory landscape.
- Better protection against cyber threats: Supervision also improves the sector's preparedness for attacks or other disruptive events.
- Transparency and trust in the market: Regulation reinforces the credibility of financial institutions and their suppliers in the eyes of society in general.
Conclusion
The European Supervisory Authorities play a key role within DORA by ensuring that the financial sector is more secure, resilient, and prepared for digital challenges. The economic stability of the EU is strengthened by their work in supervising entities, regulating ICT providers, and managing cyber incidents.
Finally, this collaboration will only grow in importance: in an ever more interconnected world, having strong and well-coordinated bodies will make the difference between financial security and vulnerability.