The EBA publishes its 2024 Report on supervisory convergence

EBA's 2024‑2026 Supervisory Priorities on DORA

Introduction

The EBA Supervisory Convergence Report provides a clear roadmap of regulatory priorities, offering critical insights into the supervisory community's approach to digital operational resilience. As financial entities navigate the implementation of the Digital Operational Resilience Act (DORA), this article distills the report's key findings to provide essential, forward‑looking analysis for risk management professionals.

1. A Union‑Wide Strategic Priority for 2024‑2026

The EBA has unequivocally established the development of supervisory capacity for DORA as a top‑tier strategic priority. The report designates one of only two Union‑wide strategic supervisory priorities (USSPs) for the 2024–2026 cycle as:

"Developing an oversight and supervisory capacity for DORA and MiCA."

The pairing of DORA with the Markets in Crypto‑assets Regulation (MiCA) underscores a broad and concerted regulatory push into all facets of digital finance. This top‑tier strategic designation is not merely symbolic; the EBA is substantiating this priority with a significant allocation of resources toward industry clarification and intensive supervisory training, as detailed in the sections below. This signals to financial institutions that regulatory attention will be heavily and consistently focused on DORA compliance.

2. A Barometer of Industry Concern: The Surge in DORA‑Related Questions

One of the clearest indicators of DORA's impact is the nature and volume of inquiries from the industry. Of the 329 new Q&As submitted to the EBA in 2024, 28 were specifically on DORA. While questions on established frameworks like CRR/CRD were more numerous, the DORA submissions represent a new and rapidly emerging area of regulatory focus, reflecting a concerted effort by financial entities to clarify complex compliance obligations.

These questions serve as a direct reflection of the industry's primary implementation hurdles and, therefore, a likely roadmap for future supervisory audits. The main themes of these inquiries were:

  • ICT Third‑Party Risk Management: Questions concerning the management of risks associated with third‑party technology providers.
  • ICT‑Related Incidents: Inquiries on the management, classification, and reporting of technology‑related incidents.
  • Oversight of Critical Providers: Questions regarding the oversight framework for Critical Third‑Party Providers (CTPPs).
  • Register of Information: Clarifications sought on the requirements for maintaining a register of information related to ICT third‑party service providers.

The report notes that this increase in DORA‑related questions has prompted greater coordination between the EBA, the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), reinforcing the cross‑sectoral importance of the regulation.

3. Building Supervisory Expertise Through Targeted Training

To support its strategic priority, the EBA is executing a targeted capacity‑building strategy to enhance supervisory knowledge on DORA. The EBA's 2024 training program, developed in coordination with the Supervisory Digital Finance Academy (SDFA), demonstrates a deep commitment to arming competent authorities with the necessary expertise.

Notably, multiple sessions of advanced DORA training were delivered in 2024, including:

  • EU‑SDFA DORA Advanced Course
  • DORA Advanced Course

Crucially, the report describes the SDFA as "a multi‑year capacity‑building initiative of the Commission (DG REFORM) coordinated with the ESAs." This detail reveals that the push for DORA expertise is not just an EBA initiative but a coordinated, long‑term effort backed by the European Commission itself, signaling profound institutional commitment to sophisticated and harmonized oversight.

4. What This Means for Risk Managers: Key Takeaways

The EBA's report offers several clear signals for risk management professionals preparing for DORA implementation and supervision. The core insights can be summarized as follows:

  1. Expect Heightened Scrutiny: With DORA established as a Union‑wide strategic supervisory priority for 2024‑2026, risk managers should anticipate more frequent and in‑depth reviews of their digital operational resilience frameworks. Regulatory engagement will be proactive and focused.
  2. Focus on Common Challenge Areas: The 28 formal inquiries submitted to the EBA reveal the industry's primary challenge areas. These topics, particularly third‑party risk management, incident reporting, and the register of information, are where supervisors are most likely to concentrate their initial assessments.
  3. Prepare for More Sophisticated Oversight: The extensive, Commission‑backed training of supervisory staff via the SDFA means that engagement with regulators on DORA will become increasingly specialized. Institutions must ensure their internal expertise, processes, and documentation are robust enough to withstand this more sophisticated level of review.