
DORA and the EBA – who sets and enforces resilience rules


The Digital Operational Resilience Act (DORA) introduces a single, harmonized framework for how financial institutions in the European Union manage digital risk. At the center of this framework sits the European Banking Authority (EBA), which plays a pivotal role in defining, implementing, and supervising the technical details that turn DORA from legislation into daily practice.

The EBA’s involvement ensures that DORA is more than a policy statement. It becomes an enforceable, consistent standard across all EU member states. Understanding how the EBA fits into DORA’s structure is critical for any institution preparing for the 2025 compliance deadline.

Who the EBA is and why it matters under DORA

The European Banking Authority was established in 2011 as part of the EU’s response to the global financial crisis. Its mandate is to maintain financial stability and protect consumers by promoting consistent regulatory standards across Europe’s banking sector.

Under DORA, the EBA’s responsibilities expand significantly. Alongside the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), the EBA is one of three “European Supervisory Authorities” tasked with developing the regulatory technical standards (RTS) and implementing technical standards (ITS) that give DORA its operational shape.

In practice, this means the EBA is setting the rules for how banks and financial institutions must manage ICT risk, classify incidents, and oversee their third-party service providers.

The EBA’s key responsibilities under DORA

According to the European Commission’s official guidance, the EBA is responsible for three core functions within DORA’s implementation framework.

1. Developing technical standards.

The EBA drafts and consults on RTS and ITS that specify how DORA’s high-level obligations are to be applied. These cover everything from ICT risk management to third-party oversight. Once approved by the European Commission, they become directly applicable EU law.

2. Supervising critical third-party providers.

Perhaps the most significant new responsibility is that the EBA will oversee the designation and supervision of “critical ICT third-party providers.” These are companies that provide essential services such as cloud hosting, data processing, or payments infrastructure to multiple financial entities.

Under Article 31 of DORA, the EBA will coordinate with national regulators to monitor these providers’ risk management and incident reporting practices. This creates a central EU-level oversight mechanism for technology providers that underpin the financial system.

3. Coordinating the implementation of DORA.

The EBA serves as the bridge between European policy and national regulators. It provides interpretative guidance, coordinates supervisory colleges, and supports consistent enforcement across member states. Without this coordination, regregu


Why the EBA’s role changes the regulatory landscape

Before DORA, ICT and operational resilience rules were spread across multiple frameworks and national regulations. Each member state had its own interpretation of what constituted adequate ICT risk management. That created uneven supervision and competitive imbalances.

With DORA, and specifically with the EBA’s involvement, the EU is moving toward a single, coherent standard. This eliminates regulatory arbitrage and ensures that all institutions, regardless of jurisdiction, face equivalent scrutiny.

For large institutions operating across multiple countries, this is a step forward. It replaces dozens of conflicting expectations with one set of EU-level standards. For smaller firms, however, it means compliance expectations will rise sharply, as the EBA’s standards tend to be detailed and prescriptive.

Oversight of critical third-party providers

One of the most anticipated elements of the EBA’s new authority is its direct oversight of critical ICT third-party providers. These are technology companies whose failure could disrupt the financial system as a whole. The list will likely include major cloud infrastructure firms, global data analytics providers, and certain cybersecurity vendors.

According to Lexology’s summary of the DORA oversight framework, the EBA will coordinate with ESMA and EIOPA to designate which providers are critical based on size, interconnectedness, and systemic importance. Once designated, these providers will be subject to audits, resilience testing, and direct supervision from EU authorities.

This development shifts the compliance burden. Financial institutions will still be responsible for managing their own vendor risks, but they can expect a higher degree of transparency and accountability from their suppliers once EBA oversight is in place.

The connection between DORA, EBA, and national authorities

While the EBA will lead at the EU level, national competent authorities will remain responsible for supervising individual financial entities. The EBA’s role is to ensure consistency. It will issue binding technical standards, coordinate joint examinations, and provide guidance to harmonize enforcement.

For institutions, this dual layer of oversight means they must be prepared to demonstrate compliance both to their national regulators and, indirectly, to the EBA. It also means documentation, reporting, and testing processes must be aligned with the technical standards being drafted in Brussels.

The EBA’s approach is risk-based, meaning larger and more interconnected firms will face proportionally more scrutiny. However, DORA makes it clear that all entities must achieve a baseline level of operational resilience.

Challenges financial institutions face

The EBA’s involvement brings much-needed structure but also increases complexity. Institutions now need to monitor multiple regulatory outputs, including EBA consultations, delegated acts from the European Commission, and guidance from national authorities.

There is also a cultural challenge. DORA moves away from a “comply and report” mindset toward continuous, demonstrable resilience. The EBA expects firms to maintain living frameworks, not static documentation. Boards will be accountable for operational resilience in the same way they are accountable for financial soundness.

Preparing for this shift requires resources, expertise, and coordination between compliance, IT, and operations teams. Many institutions are still in the early stages of building governance structures that reflect this new reality.

“The EBA is not just another regulator under DORA. It’s the architect of how compliance will be tested and proven. Institutions that wait for final RTS publications before acting will already be behind.”
– Mark Medum Bundgaard, CPO, Partisia

This statement captures the urgency. The EBA’s guidance will continue to evolve, but the principles it enforces are already clear: resilience must be measurable, evidence-based, and continuous.

The road ahead for DORA and the EBA

In 2025 and beyond, the EBA will move from drafting to enforcement. Institutions should expect supervisory visits, data requests, and thematic reviews focusing on testing programs, vendor risk management, and incident reporting.

The EBA will likely issue ongoing clarifications as new technologies emerge. Areas such as artificial intelligence, cloud-native systems, and data collaboration will all raise new operational resilience questions. The goal will remain the same: to ensure that financial entities can operate safely even under disruption.

Partisia’s viewpoint

The EBA’s approach to DORA reinforces a core truth: operational resilience depends on trustworthy data collaboration. Regulatory reporting, third-party oversight, and resilience testing all require the exchange of sensitive information between financial institutions, vendors, and authorities. That exchange must be both verifiable and privacy-preserving.

Partisia’s privacy-preserving data collaboration platform supports exactly this kind of regulated transparency. Using Multi-Party Computation (MPC), institutions can share and validate resilience data without exposing underlying details. This allows secure verification of compliance metrics, vendor performance, and incident reporting outcomes while maintaining confidentiality.

In a future where the EBA and other regulators expect proof, not promises, privacy-preserving computation provides a bridge between compliance assurance and data protection. Partisia’s approach aligns with DORA’s objective of operational trust built on verifiable, secure, and privacy-first collaboration.

Partisia
2025.07.14