DORA and SFDR: 2025 ESA Work Programme

The 2025 Joint Committee Work Programme of the European Supervisory Authorities (ESAs), released on 7 October 2024, introduces key updates focused on the implementation of DORA and the ongoing advancements in the SFDR.




The 2025 Joint Committee Work Programme of the European Supervisory Authorities (ESAs), released on 7 October 2024, introduces key updates focused on the implementation of the Digital Operational Resilience Act (DORA) and the ongoing advancements in the Sustainable Finance Disclosure Regulation (SFDR). With DORA set to take effect in January 2025, the updates outline new measures for enhancing digital resilience, including ICT risk management and oversight of critical third-party providers. The SFDR updates focus on refining sustainability reporting through new technical standards for ESG rating disclosures and improved guidelines for Principal Adverse Impact (PAI) reporting. These updates reflect a concerted effort to strengthen both digital and sustainable finance infrastructures within the EU financial system.




Source

[1] Joint Committee of the ESAs to focus on digital resilience and sustainability disclosures in 2025

[2] ESMA 2025 Work Programme: Focus on key strategic priorities and implementation of new mandates



1. Digital Operational Resilience Act (DORA)


1.1 Overview of DORA


DORA, set to come into force in January 2025, focuses on strengthening the financial sector's digital operational resilience by ensuring that firms can withstand, respond to, and recover from ICT-related disruptions. This regulation applies to a wide range of financial entities, including banks, insurers, and investment firms, making it a cornerstone of the European Commission’s broader Digital Finance Package.


The ESAs play a central role in delivering the remaining policy mandates under DORA. By mid-January 2025, the ESAs will complete policy mandates including supervisory convergence, incident reporting frameworks, and cybersecurity coordination mechanisms. A key highlight is the development of a Threat Led Penetration Testing (TLPT) framework, designed to evaluate the robustness of financial entities in response to cyber threats.




1.2 EU-Wide Oversight Framework for Critical Third-Party Providers (CTPPs)


One of the most notable aspects of DORA is the establishment of an EU-wide Oversight Framework for ICT third-party providers. This framework aims to mitigate the risk posed by third-party ICT providers (e.g., cloud services), who are increasingly integral to the operations of financial institutions. Under DORA, the ESAs will assume direct oversight responsibilities for designated Critical Third-Party Providers (CTPPs), initiating a new governance and oversight structure.


The oversight activities will encompass several critical tasks:


  • Designation of CTPPs: By early 2025, the ESAs will establish a joint oversight network to evaluate and designate key ICT service providers as critical.
  • Incident Reporting: A central component is the implementation of a centralized ICT incident reporting hub, designed to streamline the reporting and management of major ICT incidents. This infrastructure will be pivotal for both risk management and regulatory reporting purposes, ensuring that CTPPs are adequately monitored for compliance with the DORA framework.
  • EU Systemic Cyber Incident Coordination Framework (EU-SCICF): The ESAs, together with the European Systemic Risk Board (ESRB), will oversee the development of an incident coordination framework to manage systemic cyber incidents across the EU.



1.3 Supervisory Convergence and Risk Management


A primary goal of DORA is the harmonization of digital risk management across financial sectors. The ESAs will focus on supervisory convergence, helping national authorities align their approaches to DORA’s mandates. This involves issuing guidelines and Q&A documents, as well as encouraging cross-border collaboration for regulatory consistency.


The cyber incident coordination processes, along with threat-led penetration testing, aim to create a unified approach to ICT risk management across the EU financial system. This convergence ensures that not only large financial institutions but also smaller players maintain adequate digital resilience.




2. Sustainable Finance Disclosure Regulation (SFDR)


2.1 Overview of SFDR


The Sustainable Finance Disclosure Regulation (SFDR) remains a cornerstone of the EU’s strategy to promote transparency and sustainability in financial markets. SFDR’s goal is to enhance transparency concerning sustainability risks and impacts, aligning with the EU's broader climate goals under the European Green Deal. In 2025, the focus shifts to refining regulatory technical standards (RTS) for Principal Adverse Impact (PAI) disclosures and enhancing sustainability reporting.


The PAI disclosures require financial market participants to identify, measure, and disclose the adverse impacts of their investments on environmental, social, and governance (ESG) factors. For the second consecutive year, firms will use a standardized template to report PAI metrics, facilitating comparability and enhancing data quality across the industry.


2.2 Expansion of SFDR to Include ESG Ratings


With the adoption of the Regulation on ESG Ratings, the ESAs are empowered to introduce new technical standards for disclosing ESG ratings within financial products. These ratings will become an integral part of SFDR reporting, providing financial advisors and institutions with a framework to incorporate ESG ratings into their marketing communications and investment disclosures.


The expansion of SFDR into ESG ratings aims to provide greater transparency in ESG evaluation processes, as discrepancies in ESG ratings have been a point of contention among stakeholders. By standardising ESG rating disclosures, the regulation seeks to address concerns about “greenwashing” and enhance investor confidence in sustainable finance products.




2.3 Reporting and Monitoring Framework


SFDR's reporting framework will be a central focus of the ESAs’ efforts in 2025. The ESAs will conduct an annual review of the quality and extent of PAI disclosures under Article 18 of SFDR. This review will compare PAI indicators against the inaugural year’s metrics, aiming to identify trends and areas for improvement in sustainability-related disclosures.


Additionally, the ESAs may produce Q&A documents and other supervisory tools to help financial market participants navigate the complexities of SFDR implementation. By providing practical guidance and promoting consistency in disclosure practices, the ESAs aim to ensure the SFDR delivers its intended outcomes, particularly regarding transparency and investor protection.




2.4 Interaction with the EU Taxonomy and Other Sustainability Initiatives


The SFDR is closely intertwined with the EU Taxonomy Regulation, which defines criteria for determining whether economic activities are environmentally sustainable. SFDR disclosures require financial market participants to report how and to what extent their investments align with the EU Taxonomy’s environmental objectives.


In 2025, the ESAs will assess the practical application of the SFDR Delegated Regulation in conjunction with the taxonomy, streamlining reporting and ensuring that sustainability-related disclosures are aligned with the broader regulatory framework for sustainable finance. This harmonization effort will likely include further guidance on how to integrate taxonomy-aligned investments into SFDR reporting templates.




3. Cross-Sectoral Coordination and Technological Innovation


3.1 European Forum for Innovation Facilitators (EFIF)


The ESAs’ role in fostering financial innovation across Europe is embodied by the European Forum for Innovation Facilitators (EFIF). EFIF promotes coordination among national innovation hubs and regulatory sandboxes, with a particular focus on scaling technological solutions within the financial sector. As part of the broader digital transformation agenda, EFIF aims to streamline the supervisory response to emerging technologies like artificial intelligence (AI) and blockchain.


In 2025, the EFIF will continue to monitor the rise of BigTech and non-financial firms providing financial services, alongside ongoing workshops on AI policy and digital finance literacy.


3.2 Financial Education on Digital and Sustainable Finance


The ESAs have also prioritized financial literacy, particularly around digitalization and sustainable finance. This includes interactive factsheets and workshops designed to educate consumers on issues such as inflation, cybersecurity, and sustainability. The aim is to bridge the gap between consumers and financial institutions, reducing information asymmetries and promoting trust in digital financial products.




4. Risk Management and Supervision Across the Financial Ecosystem


4.1 Risk Assessment and Cross-Sectoral Coordination


Risk assessment remains a priority for the Joint Committee in 2025. The ESAs will continue to provide comprehensive risk analyses to ensure financial stability across sectors. In particular, cross-sectoral risk reports will focus on identifying and mitigating vulnerabilities related to digital resilience and sustainability risks.


The annual report on cross-sectoral risks and vulnerabilities will be a key deliverable, incorporating findings from the ESAs’ analysis of ICT threats, sustainability risks, and financial market disruptions.


4.2 Securitisation and Financial Conglomerates


In addition to DORA and SFDR, the ESAs will also focus on the Securitisation Regulation (SECR) and the supervision of financial conglomerates under the Financial Conglomerates Directive (FICOD). The Joint Securitisation Committee (JCSC) will provide technical advice on revising SECR, while work on supervisory convergence for financial conglomerates will continue, ensuring robust oversight of intra-group transactions and risk concentrations.
