EU ICT Risk Newsroom

11:00

ESMA publishes 2024 data on cross-border investment activity

The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, in cooperation with National Competent Authorities (NCAs), completed an analysis of the cross-border provision of investment services in 2024. Data was gathered from investment firms across 30 jurisdictions in the EU/EEA. The main findings include: Around 370 financial firms provided cross-border services to retail clients. Approximately 10.

10:33

EBA updates report on equivalence monitoring activities for non-EU jurisdictions

The European Banking Authority (EBA) has updated its confidential Report on equivalence monitoring activities. It submitted this report to the European Parliament, the Council, the European Commission, and other European Supervisory Authorities (ESAs). To enhance transparency, the EBA also published a public summary.

15:58

ESAs offer tips to consumers on detecting and preventing online frauds and scams.

The ESAs today published two factsheets designed to help consumers protect themselves from crypto and other online frauds and scams and explain how fraudsters increasingly use artificial intelligence (AI) to deceive consumers.

20:07

EBF: Market Integration Package Crucial for Savings and Investments Union

Brussels, 4 December 2025 – The European Banking Federation (EBF) notes the publication of the Market Integration and Supervision Package. This marks a decisive step toward delivering the objectives of the Savings and Investments Union Strategy (SIU). The EBF has long advocated for deep, competitive, and well-integrated capital markets in the EU.

18:00

Cyber Brief: November 2025 Executive Report on Cybersecurity Developments

Cyber Briefs are monthly executive reports. They aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources. Their purpose is to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

11:30

ESMA to launch supervisory action on MiFID II conflicts of interest

The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, will launch a Common Supervisory Action (CSA). This CSA will be conducted with National Competent Authorities (NCAs) to address conflicts of interest in the distribution of financial instruments.

13:17

EBF recommends boosting energy renovations in buildings

The European Banking Federation (EBF) submitted its response to the European Commission’s consultation. This consultation aims to increase lending for energy renovations in buildings. The EBF welcomes the initiative to develop a voluntary and non-binding portfolio framework to boost this lending. However, it is crucial to also address existing demand and supply-side issues that currently exist within the European Union.

12:58

EU Authorities Designate Critical ICT Providers Under Digital Operational Resilience Act

The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework. The list of the CTPP designated by the ESAs is accessible through this link. The designation process followed the methodology mandated by DORA.

12:30

EU Authorities Designate Critical ICT Providers Under Digital Operational Resilience Act

The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework. The list of the CTPP designated by the ESAs is accessible through this link. The designation process followed the methodology mandated by DORA.

12:09

EU Authorities Designate Critical ICT Providers Under Digital Operational Resilience Act

The ESAs published today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework.

12:30

ESMA outlines measures to improve depositary supervision

The European Securities and Markets Authority (ESMA) published a peer review today. This review assessed the supervision of depositaries, focusing on their oversight and safekeeping obligations. ESMA, the EU’s financial markets regulator, aims to enhance depositary supervision. The peer review concluded that foundational frameworks for depositary supervision exist. However, significant differences were noted across jurisdictions.

12:51

EIOPA warns public about scammers using its name and logo fraudulently

EIOPA has been made aware of recent fraudulent activities in which scammers falsely claiming to represent our institution are requesting payments or personal information from individuals.

15:30

ESAs' Joint Committee unveils 2026 Work Programme focusing on financial stability.

The Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today presented its 2026 Work Programme. This programme outlines key areas of collaboration for the coming year. It aims to strengthen the financial system’s digital operational resilience and ensure consumer protection. Furthermore, it seeks to identify risks that could undermine financial stability.

11:30

ESAs' Joint Committee unveils 2026 Work Programme focusing on financial stability

The Joint Committee of the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today presented its 2026 Work Programme, outlining key areas of collaboration for the coming year. The upcoming Programme aims to strengthen the financial system’s digital operational resilience, ensure the continued protection of consumers, and identify risks that could undermine financial stability.

17:22

EBA publishes 2024 report on supervisory convergence in EU

The European Banking Authority (EBA) today published its annual Report on convergence of supervisory practices for 2024 across the European Union (EU). The Report details the EBA’s extensive efforts to strengthen the alignment of supervisory approaches across Member States.

20:30

ESMA's Inaugural Data Day: Reducing Burden Through Digitalisation

The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, is announcing its first Data Day on 2 December 2025. This flagship event will showcase how smarter data use and digitalisation can simplify the regulatory framework and reduce reporting burdens. The event aims to achieve this while steering clear of deregulation.

20:00

Cyber Brief: Monthly Executive Report on Cybersecurity Developments (September 2025)

Cyber Briefs are monthly executive reports providing an overview of relevant cybersecurity developments. They are based exclusively on open sources, aiming to inform political leadership and senior management within their constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

16:00

Cyber Brief August 2025

Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

14:00

Cyber Brief: July 2025 - Executive Report on Cyber Security

Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources. This is with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

11:15

Reminder: ICT incident reporting requirements for supervised entities

CSSF reminds of ICT incident reporting, emphasizing that publicity does not exempt supervised entities from reporting.

14:00

ESAs publish guide on DORA oversight activities.

ESAs publish a guide on DORA Oversight activities 15 July 2025 Digital Finance and Innovation Joint Committee The European Supervisory Authorities (EBA, EIOPA, ESMA – the ESAs) today published a guide on oversight activities under the Digital Operational Resilience Act (DORA).

21:00

ESMA publishes criteria for staff knowledge on crypto-assets information.

Knowledge and competence of staff providing information on crypto-assets – ESMA criteria published. 11 July 2025. Digital Finance and Innovation. Guidelines and Technical standards. The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, has published today the guidelines specifying the criteria for assessing the knowledge and competence of staff at crypto-asset service providers (CASPs).

19:30

ESMA finds ways to improve MiCA authorisations for Crypto firms.

ESMA identifies opportunities to strengthen MiCA authorisations. 10 July 2025 Digital Finance and Innovation Supervisory convergence The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, published today the results of a peer review looking at the authorisation of Crypto Asset Service Providers (CASPs) in Malta under the Market in Crypto Assets Regulation (MICA).

15:07

EBA consults on third-party risk management guidelines for non-ICT services

The European Banking Authority (EBA) today launched a public consultation on the draft Guidelines on the sound management of third-party risk. The draft Guidelines focus on third-party arrangements in relation to non-ICT related services provided by third-party service providers and their subcontractors with a particular focus on the provision of critical or important functions.

21:30

New Q&As Published by European Securities and Markets Authority (ESMA)

New Q&As available 27 June 2025 Digital Finance and Innovation Fund Management Prospectus The European Securities and Markets Authority (ESMA), the EU's securities markets regulator, has published or updated the following Questions and Answers: Prospectus Regulation Historical financial information (2454) Markets in Crypto-Assets Regulation (MiCA) Custody agreements in the exercise of rights attached to crypto-assets (2290) Commingling...

01:20

Generative AI in Cybersecurity: Balancing Innovation and Risk

The integration of generative AI into cybersecurity operations represents both unprecedented opportunity and emerging risk. While these technologies offer powerful capabilities for threat analysis, incident response, and security automation, they simultaneously introduce new attack vectors that adversaries are rapidly exploiting.

00:00

DORA ICT Subcontracting RTS Published After Commission Rejection

The Regulatory Technical Standards (RTS) on ICT Subcontracting have been published in the EU Official Journal and will enter into force on 22 July 2025. Financial entities and ICT providers must ensure compliance.

20:00

Cyber Brief 25-07: June 2025 Cybersecurity Report Overview

Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

19:30

May 2025 Cyber Brief: Executive Report on Cyber Security

Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

15:09

EU Commission Regulation on ICT Subcontracting

supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions

10:03

New Circulars on ICT Incident Reporting for DORA, PSPs, and ESA Guidelines

08:40

CSSF Circular 25/893: DORA Reporting for ICT Incidents & Cyber Threats

on reporting of major ICT-related incidents and significant cyber threats under the Digital Operational Resilience Act (DORA)

08:38

CSSF Circular: ICT Incident Cost Estimation Guidelines

Application of the Joint ESA Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (JC 2024 34).

20:00

Cyber Brief: April 2025 Security Overview for Leaders

Cyber Briefs are monthly executive reports that aim to present an overview of the most relevant developments in cyber security, based exclusively on open sources, with a view to inform political leadership and senior management in its constituency. Additional information on any item in this Brief can be provided upon request. Cyber Briefs are TLP:CLEAR.

17:35

CSSF Updates Circulars on ICT Risk Management and Outsourcing

17:00

CSSF Circular 25/882: ICT Third-Party Services for Financial Entities under DORA

on requirements on the use of ICT third-party services for Financial Entities subject to the Digital Operational Resilience Act (DORA)

16:55

CSSF Circular 25/881 Amends ICT Security Rules

Circular CSSF 25/881 amends Circular CSSF 20/750, which outlines requirements for information and communication technology (ICT) and robust security risk management practices.

16:51

CSSF Circular 25/880: Payment Services and ICT Assessment

on relationship management of payment service users and PSP ICT assessment

03:00

Updated Notification on Critical ICT Outsourcing

Version 4

03:00

Updated CSSF Circulars on ICT and Security Risk Management Requirements

Requirements regarding information and communication technology (ICT) and security risk management

19:00

Cyber Brief 25-04: March 2025 Cybersecurity Overview

Cyber Briefs are monthly executive reports designed to provide an overview of the most relevant developments in cybersecurity. These reports are compiled exclusively from open sources, aiming to inform political leadership and senior management within their respective constituencies. Further details on any topic covered in these Briefs are available upon request. All Cyber Briefs are classified as TLP:CLEAR.

14:57

EU Regulation 2025/302: ICT Incident Reporting for Financial Entities

This regulation establishes the detailed technical standards that financial entities must follow when reporting significant ICT-related incidents and notifying major cyber threats. It specifies the standard forms, templates, and procedures required under EU Regulation 2022/2554.

14:52

New EU Regulation 2025/301 on ICT Incident Reporting and Cyber Threats

This regulation supplements Regulation (EU) 2022/2554, introducing regulatory technical standards. These standards specify the required content and time limits for the initial notification, as well as intermediate and final reports, concerning major ICT-related incidents. Furthermore, the regulation defines the content for voluntary notifications of significant cyber threats.

19:00

Cyber Brief: Monthly Cybersecurity Developments for February 2025

Cyber Briefs are monthly executive reports providing an overview of the most relevant cybersecurity developments. Based exclusively on open sources, they aim to inform political leadership and senior management. Additional information on any item within these Briefs is available upon request. All Cyber Briefs are TLP:CLEAR.