Are regulators doing enough to ensure improved governance of firms and risk management? What could be improved or strengthened? Or are they doing too much already?
When it comes to using third-party providers, do regulators need to do more (or less) to ensure operational resilience of these firms?
How can cybersecurity information sharing be improved, between infrastructure providers and research organisations; and between different sectors?
What are the main challenges that lie ahead for operational resilience testing?
What roles should governments take to coordinate industry-wide tests and share best practices?
By creating complex group structures, could data localisation-like policies impede operational resilience?
Which single overseer should be responsible as most competent for all sectors, or should the responsibility lie with a consortium of authorities?
DORA (Digital Operational Resilience Act) level 2 – what to expect?
