The knowledge platform for the financial technology industry

A-Team Insight Blogs

DG FISMA Rejects the ESAs’ Draft RTS for DORA


Less than one week after the Digital Operational Resilience Act (DORA) became fully applicable in the EU, the Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) sent a letter to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs) rejecting the draft regulatory technical standards (RTS) on subcontracting that the ESAs had submitted in July 2024.

Collectively, the ESAs, namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), are responsible for developing the RTS that ensure consistent application of DORA across EU member states. DG FISMA is the department of the European Commission responsible for financial stability, market integrity and the implementation of EU financial services policy.

DG FISMA rejected the draft RTS on the grounds that certain provisions, in particular Article 5, went beyond the mandate DORA gives the ESAs. Article 5 would have required financial entities to identify and keep an up-to-date record of the entire chain of subcontractors supporting an ICT service, however far down the chain, a requirement the Commission considered overly broad and burdensome. DG FISMA asked for Article 5 and the related recitals to be removed so that the RTS stays within DORA's mandate.

The rejection has created legal uncertainty across the EU. Financial entities and ICT service providers that have already drafted contractual clauses on the basis of the draft RTS may have to amend those contracts once the final text is adopted. Firms therefore face a longer wait before they can finalise contracts that reflect DORA's subcontracting requirements, even though the regulation is already in effect, which increases the risk of non-compliance.

Next Steps:

The ESAs have six weeks from the date of DG FISMA's letter, January 21, 2025, to amend the draft RTS in line with the Commission's feedback, in particular the concern that certain provisions exceeded their mandate.

Upon completing the revisions, the ESAs are required to resubmit the amended draft RTS to the European Commission for approval. Should the Commission accept the revised RTS, it will then be forwarded to the European Parliament and the Council for scrutiny. Assuming no objections arise, the RTS will be published in the Official Journal of the European Union and will take effect 20 days thereafter.

In the event that the ESAs do not submit an amended draft within the six-week timeframe, or if the revisions fail to meet the Commission’s requirements, the Commission may either adopt the RTS with its own amendments or reject it entirely. The six-week revision period ending on March 4, and the subsequent procedural steps, could extend the finalization and adoption of the RTS into the second quarter of 2025. This timeline is subject to the ESAs’ timely revisions and the absence of further objections during the approval process.

Supply Chain Risk

Supply chain risk management is well advanced in other regulated industries. In the pharmaceutical sector for example, supply chain integrity is key to ensuring product safety and efficacy. Regulations mandate stringent controls over the sourcing, manufacturing, and distribution processes. For instance, the U.S. Drug Supply Chain Security Act (DSCSA) requires the establishment of electronic systems to trace prescription medications throughout the supply chain, aiming to prevent counterfeit drugs from entering the market.

Many RegTech vendors already cite global standards for their cloud-based software as a service (SaaS) solutions. Among the most frequently cited is SOC 2, an AICPA attestation report on a service organisation's controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy. Only the security criteria are mandatory in a SOC 2 engagement; the other four are included at the vendor's choice, so a buyer should check which criteria a given report actually covers.

Similarly, ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), providing a systematic approach to managing sensitive information securely. Certification applies to a defined scope, so a vendor's certificate should be checked to confirm that the service in question falls within it.

ISO 28000:2022, which originated as a supply chain security standard before its 2022 revision broadened it, specifies requirements for a security management system and is applicable to organisations of all types and sizes, regardless of industry.

It remains to be seen how supply chain risk will be regulated across the EU under DORA.
