Laws and regulations

Acts and directly applicable EU regulations

• No. 31/2025 Coll. (external link), Financial Market Digitalisation Act
• Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 (external link) on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

EU Level 2 EU regulations

• Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
• Commission Delegated Regulation (EU) 2025/302 of 23 October 2024 (external link) laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
• Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities
• Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions
• Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition
• Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements
• Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 (external link) laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information
  • Corrigendum to Commission Implementing Regulation (EU) 2024/2956 (external link) of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information (as of 19. 9. 2025)
• Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
  • Corrigendum to Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management Framework  (as of 15. 5. 2025)
• Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
• Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
• Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
• Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 (external link) supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities