FESE Proposals

FESE Digital Finance Simplification Proposals

Digital finance | 14 Oct 25

On 14th October 2025, FESE responded to the European Commission’s Call for Evidence on the upcoming Digital Omnibus (here).

 

FESE supports the Commission’s efforts to simplify digital regulations and reduce administrative burdens for businesses, citizens, and public authorities. On cybersecurity, we welcome the Commission’s acknowledgment of the heavy reporting requirements businesses face under multiple EU rules — both horizontal and sector-specific — often made more complex by national implementations. In this context, we offer targeted recommendations to improve the Digital Operational Resilience Act (DORA) and address its overlaps with other regulations.

 

  • Definition of ICT services: exclude standard hardware and software services from standard IT suppliers to reduce unnecessary administrative effort.
  • Financial entities' ICT security awareness programmes: ensure that regularly training an ICT service provider's employees in ICT security awareness programmes is the duty of the ICT service provider alone, not of the financial institutions.
  • Register of Information: reassess the areas where the fields of the Register of Information could be simplified and allow consolidation of the reporting obligation for groups of market infrastructures. The register should include a threshold or other objective criteria to determine which contracts must be entered in the register.
  • Major incident reporting: simplify the reporting obligation for groups of market infrastructures, allowing the possibility to aggregate information for DORA reporting obligations. It is proposed to delete letter d) of Article 7(1), and to delete Article 7(2) of DORA ITS on the reporting of major ICT-related incidents.
  • Subcontracting: limit the layers of ICT subcontractors for which requirements must be fulfilled to certain levels of subcontracting (e.g. 3 layers) instead of focusing on the whole value chain. Primarily concentrate on ICT subcontractors whose failure could have a material impact on the ICT services received by the financial entity.
  • Threat-led penetration testing: the selection of companies for TLPT should be based solely on their market share in terms of turnover at Union level, as stipulated in Article 2(2)(f)(ii), and not at national level.
  • DORA & NIS 2 misalignment: enhance alignment between the DORA and NIS2 frameworks, with greater emphasis on developing joint auditing standards, fostering mutual recognition of certifications, and developing standardised contractual terms.
  • DORA & CRA overlaps: propose a targeted exemption in the CRA for PDEs that are designed and provided by a DORA financial entity to another financial entity as part of the provision of an ICT service within the meaning of DORA.

 

For further information please refer to our response here.