Key Takeaways
- DORA is fully in effect as of January 17, 2025.
- ICT third-party registers and incident reporting systems are now mandatory.
- Critical ICT incidents must be reported within 4 hours.
- Subcontracting rules for critical ICT services take effect July 22, 2025.
- Threat-led penetration testing (TLPT) is required every 3 years.
- AI and automation are now essential for compliance efficiency.
- Contracts must include DORA-required SLAs, audit rights, and data access terms.
What’s Included in the Second Batch of RTS and ITS (Released July 2024)
The July 2024 release brings expanded detail and scope to the original DORA framework. Financial institutions must now act on:
- New procedures and templates for reporting major ICT incidents (with mandatory timelines as short as 4 hours for critical incidents)
- Standard methodology for calculating ICT-related aggregate losses, supporting financial impact reporting
- Mandatory threat-led penetration testing (TLPT) strategies, aligned with and extending beyond the TIBER-EU framework
- Substantive requirements on outsourcing arrangements, emphasizing CIF support, cross-border data access, and SLA benchmarking
- Cooperation protocols between ESAs and National Competent Authorities for consistent DORA supervision across the EU
Initially expected in November 2023, the release of the second batch of regulatory technical standards is running late. This delay leaves the industry eagerly anticipating whether the second batch of RTSs will unwrap as a digital gift during the holiday season or arrive as a belated offering in 2024. Finalization of the RTSs is expected on 17 July 2024.

What is a Regulatory Technical Standard?
A Regulatory Technical Standard (RTS) is a type of regulatory instrument used in the European Union to provide detailed technical specifications for the implementation of certain aspects of the legislation. In the context of the European financial regulatory framework, RTSs are often developed by the European Supervisory Authorities (ESAs) to provide more granular guidance and define specific rules that complement the broader provisions outlined in the primary legislation.
DORA, the Digital Operational Resilience Act, is a legislative framework that sets out high-level principles and requirements for ensuring the operational resilience of financial firms in the digital age. DORA’s main text, often called Level 1, contains the overarching provisions and objectives. To operationalize and provide more detailed guidance on how these provisions should be implemented, the ESAs develop the Regulatory Technical Standards (RTS), which are considered Level 2 legislation.
A Quick Overview of the Five DORA Pillars
The Digital Operational Resilience Act (DORA) establishes a transformative regulatory framework across five pillars to address Information and Communication Technology (ICT) risks in the EU financial sector.
- ICT Risk Management Requirements:
DORA places “full and ultimate accountability” on the management body of financial entities, directing them to define a digital operational resilience strategy, set risk tolerances, and approve policies for ICT Third-Party Providers (TPPs). Firms must meticulously identify Critical or Important Functions (CIFs) and conduct business impact analyses to sharpen their focus on entity functions and activity.
- ICT Incident Classification and Reporting:
Building on existing EU incident reporting obligations, DORA requires financial entities to promptly inform relevant parties of significant cyber threats and to document such incidents comprehensively. This pillar compels entities to strengthen their capabilities for classifying and reporting ICT incidents and threats, ensuring a proactive response to emerging risks.
- Digital Operational Resilience Testing:
DORA imposes annual security and resilience tests on critical ICT systems, addressing identified vulnerabilities. Advanced Threat-Led Penetration Testing (TLPT) every three years, aligned with the ECB’s TIBER-EU framework, adds an extra layer of sophistication. Testing encompasses all Third-Party Providers (TPPs) supporting CIFs, fostering a collaborative mapping approach.
- Third-Party Risk Management (TPRM):
Expanding on existing ESA Guidelines, DORA’s TPRM requirements cover ICT outsourcing beyond Cloud Service Providers (CSPs), intensifying pressure on financial entities to negotiate with providers. Because these terms are legally binding, concentration risk assessments become essential, challenging firms to justify operating model decisions and adopt a multi-vendor approach where necessary.
- ICT Third Party Providers Oversight Framework:
Granting extensive supervisory powers to ESAs over Critical ICT Third-Party Providers (CTPPs), DORA empowers ESAs to assess, request security practice changes, and sanction CTPPs. Safeguards ensure that suspension or termination of contracts with CTPPs is exceptional, considering sector-wide implications. The Joint Oversight Forum (JOF) assumes prominence in setting precise standards for CTPPs’ expected resilience, contributing to a robust oversight structure.
The implementation of the EU’s Digital Operational Resilience Act (DORA) involves the development of draft regulatory technical standards (RTS) and implementing technical standards (ITS) to provide detailed guidelines for financial entities.
Overview of DORA’s Draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)
1. Draft RTS on ICT Risk Management Framework and Draft RTS on Simplified ICT Risk Management Framework
Implications on DORA Pillar: ICT Risk Management
Details Covered:
The draft RTS on the ICT Risk Management Framework and its simplified counterpart aim to provide more detailed insights into ICT risk management’s protection, prevention, detection, and response aspects. These standards elaborate on the requirements outlined in DORA Chapter II, Section II, ensuring financial entities comprehensively understand their obligations.
Adaptations for Financial Entities:
Financial entities will gain clarity on necessary adjustments to their current risk management frameworks. Smaller entities benefit from the option of implementing a simplified ICT risk management framework, streamlining compliance efforts.
2. Draft RTS on Criteria for the Classification of ICT-Related Incidents
Implications on DORA Pillar: ICT-Related Incident Reporting
Details Covered:
This RTS proposes criteria for classifying ICT-related incidents, introducing a classification approach and materiality thresholds for major incidents and significant cyber threats. It ensures consistency with frameworks like the Network and Information Security Directive 2 (NIS2) and Payment Services Directive 2 (PSD2), facilitating comparability and minimizing adaptations for compliant financial institutions.
Consistency with Existing Frameworks:
The RTS aligns with existing frameworks to ensure a harmonized approach to incident reporting, making it easier for financial institutions already complying with NIS2 and PSD2.
3. Draft ITS to Establish Templates for the Register of Information
Implications on DORA Pillar: ICT Third-Party Risk Management
Details Covered:
This ITS establishes templates for the register of information, covering contractual arrangements with ICT Third-Party Providers (TPPs) at various levels. The extended information requirements of the ITS demand more comprehensive details compared to existing outsourcing guidelines from the European Supervisory Authorities (ESAs).
Extended Information Requirements:
Financial entities will need to invest additional effort in fulfilling the extended information requirements, enhancing the transparency and oversight of ICT third-party relationships.
4. Draft RTS to Specify the Policy on ICT Services Supporting Critical or Important Functions Performed by ICT TPPs
Implications on DORA Pillar: ICT Third-Party Risk Management
Details Covered:
This RTS specifies the content of the policy regarding the life cycle management of third-party arrangements, focusing on ICT services supporting critical or important functions. Developed with consideration for existing outsourcing guidelines from the ESAs, this RTS aids financial institutions that have already implemented these guidelines.
Alignment with Existing Guidelines:
The RTS aligns with existing guidelines, ensuring financial institutions can make required changes without overhauling their existing frameworks.
Technical Standards Expected to be Released in the Second Batch
The upcoming release is expected to cover various areas, including:
- recommendations on calculating aggregated costs or losses arising from substantial ICT incidents
- procedures for reporting major incidents related to ICT
- a structure for performing threat-led penetration testing
- guidelines for outsourcing ICT services crucial for critical or important functions
- cooperation between the ESAs and competent authorities for DORA supervision, ensuring harmonized oversight conditions
The final version of DORA’s technical standards is scheduled to be submitted to the European Commission by July 17, 2024.
Embracing Resilience with DORA
As stakeholders navigate the intricate landscape of DORA and its associated Regulatory Technical Standards, the financial sector is poised to embrace a resilient and secure digital future. DORA reflects a commitment to addressing the challenges posed by digitalization while fostering innovation. As the implementation deadline approaches, stakeholders must remain vigilant, adapting to the evolving digital landscape in alignment with the regulatory framework outlined by DORA.
Role of AI and Automation in DORA Compliance
Artificial intelligence (AI) and automation tools are no longer just “nice-to-haves”; they are instrumental in staying compliant with DORA’s updated technical standards. The 2024 RTSs underscore the importance of leveraging technology to meet resilience expectations.
Where AI and Automation Help:
- Real-time threat detection: AI systems can monitor network behavior against pre-trained cybersecurity models, enabling faster classification and response.
- Automated incident reporting: With prescriptive formats and tight deadlines, ITS-compliant platforms can auto-generate, pre-fill, and format incident reports, reducing human error.
- Vendor surveillance at scale: AI-powered risk engines process third-party performance, contract compliance, and concentration risk across multiple vendors in real time.
- Operational resilience testing: AI-enhanced simulations improve the efficiency of threat-led testing and highlight gaps in coverage, redundancy, or recovery.
DORA-Ready Tip: Institutions should review whether their current cybersecurity, compliance, and risk tooling includes automation and AI capabilities that align with DORA technical standards, especially those covering incident categorization and third-party monitoring.
Preparing Your Organization for DORA Compliance in 2025
As the enforcement date passes and supervisory pressure builds, financial institutions must proactively harden their digital infrastructure. Immediate priorities include:
- Gap Assessments Against Final RTS/ITS – Conduct new audits based on second-batch RTSs to assess target operating models.
- Integration of AI-Based Monitoring Systems – Deploy AI tools that support real-time incident detection, third-party scanning, and reporting.
- Formalizing TLPT Plans – Begin coordination with qualified testers, design attack scenarios, and liaise with competent authorities for test approval.
- Update Vendor Contracts – Ensure that all third-party agreements reflect the new DORA-required clauses regarding audit rights, data sovereignty, and subcontracting.
- Board-Level Engagement – Train board members and C-level executives on their legal accountability and required oversight duties under DORA.
Summary: RTS and ITS Compliance Snapshot (Mid-2025)
| DORA Pillar | What’s New in 2024 RTS/ITS |
|---|---|
| ICT Risk Management | Extended governance criteria, AI-monitoring encouraged, simplified options clarified |
| Incident Reporting | Structured format, real-time thresholds, auto-submission templates for large firms |
| Resilience Testing | Mandatory TLPTs, scenario design expectations, pooled testing mechanisms |
| Third-Party Risk Management | Updates to contractual clauses, SLA visibility, mandatory multi-vendor analysis |
| ICT TPP Oversight | Governance metrics defined, ESA intervention powers delineated, JOF roles expanded |
Embracing Resilience with DORA
As we enter the first full year of DORA enforcement, financial institutions must move beyond checking compliance boxes. A resilient operational model is not only a regulatory requirement; it is a competitive advantage. By embracing AI, automation, and the latest technological tools, firms can improve visibility, speed, and confidence in their digital infrastructure.
Frequently Asked Questions on DORA in 2025
Q: Is DORA fully in effect, and does it apply to my organization?
A: Yes, DORA has been in effect since January 17, 2025, and applies to all EU-regulated financial entities and their critical ICT service providers, directly or indirectly.
Q: What if a country has not yet transposed the DORA Directive into national law?
A: While most regulations are directly applicable, the European Commission has started infringement procedures against several member states for delays. Entities in these countries should continue to implement DORA requirements and remain vigilant for further guidance.
Q: Must all ICT incidents be reported, and in what format?
A: No, only ‘major’ ICT incidents and, where relevant, significant cyber threats must be reported. DORA’s technical standards specify criteria, thresholds, and new templates for reporting. Entities must follow established procedures and notify both authorities and, where required, clients.
Q: How often must we conduct digital operational resilience testing?
A: Regular (at least annual) resilience testing is required, with advanced threat-led testing (TLPT) for systemically important institutions, per the finalized RTS. Testing must be independent and comprehensive.
Q: What happens if a third-party ICT provider does not have a Legal Entity Identifier (LEI) or European Unique Identifier (EUID) for the register?
A: ESAs have published guidance on this scenario. Entities should follow the latest Q&A recommendations to complete the register and ensure all relationships are properly documented.
Q: What counts as a “critical” ICT third-party provider under DORA?
A: Criteria are defined in DORA and related technical standards. The ESAs and competent authorities maintain updated designations and oversee the regulatory process for critical providers.
Q: How should we align DORA with other frameworks like NIS2 or TIBER-EU?
A: DORA has been constructed to align with existing EU cyber and resilience frameworks (like NIS2 and TIBER-EU). Entities should consider cross-referencing NIS2 and EBA ICT guidelines in their compliance reviews.