The DORA regulation is supported by two layers of technical standards: Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). Understanding the difference between them is crucial for compliance.
What are RTS (Regulatory Technical Standards)?
Definition
RTS are regulatory technical standards developed by the European Banking Authority (EBA) to specify the technical criteria and procedures for DORA compliance.
Key Characteristics
- Binding: Legally enforceable requirements
- Detailed: Provide specific technical specifications
- Flexible: Allow alternative approaches that meet the stated objectives
- Focus: Establish minimum standards for compliance
RTS Coverage Areas
- ICT Risk Management Framework requirements
- Incident Reporting procedures and thresholds
- Digital Operational Resilience Testing specifications
- Third-Party Risk Management criteria
- Outsourcing and cloud service requirements
What are ITS (Implementing Technical Standards)?
Definition
ITS are implementing technical standards that specify the technical details and formats used to implement the RTS requirements.
Key Characteristics
- Prescriptive: Often specify exact formats and procedures
- Detailed: Include templates and technical specifications
- Mandatory: Must be followed as specified
- Focus: Operational implementation details
ITS Coverage Areas
- Incident Reporting templates and formats
- Classification schemes for incidents
- Data submission procedures
- Testing scenario specifications
- Documentation format requirements
Key Differences Summary
| Aspect | RTS | ITS |
|---|---|---|
| Flexibility | More flexible in approach | More prescriptive |
| Details | Framework-level specifications | Technical implementation details |
| Scope | Broader requirements | Specific operational procedures |
| Examples | Governance frameworks, testing requirements | Reporting templates, classification codes |
| Authority | EBA | EBA |
DORA RTS in Detail
RTS on ICT Risk Management
Specifies how financial institutions should:
- Establish governance structures
- Manage ICT risks
- Conduct risk assessments
- Report on risk metrics
RTS on Digital Operational Resilience Testing
Defines testing procedures including:
- Threat-Led Penetration Testing (TLPT) scenarios
- Testing frequency and scope
- Testing team requirements
- Reporting of findings
RTS on Third-Party Risk Management
Specifies requirements for:
- Vendor due diligence
- Contractual arrangements
- Continuous monitoring
- Exit procedures
DORA ITS in Detail
ITS on Incident Reporting
Provides templates for:
- Incident classification codes
- Impact assessment templates
- Reporting format and structure
- Data submission procedures
ITS on Testing Specifications
Defines:
- Test scenario templates
- Expected outcomes
- Documentation requirements
- Reporting formats
Implementation Strategy
For IT and Risk Teams
- Phase 1: Study RTS to understand requirements
- Phase 2: Review ITS for technical specifications
- Phase 3: Map current processes to RTS/ITS requirements
- Phase 4: Close identified gaps and implement enhancements
- Phase 5: Test compliance with ITS procedures
- Phase 6: Document adherence to both standards
Common Implementation Challenges
- Complexity: Technical standards are detailed and complex
- Overlap: Some requirements appear in both RTS and ITS
- Evolution: Standards may be updated or clarified
- Integration: Fitting requirements into existing systems
Resources for RTS/ITS Learning
- EBA Website: Official standards documents
- Implementation Guides: Practical guidance documents
- Webinars: Industry expert explanations
- Compliance Tools: Automated compliance mapping