Summary Table of All RTS & ITS
| Ref. | Type | Topic | OJ Publication Date | DORA Pillar | PDF Documents |
|---|---|---|---|---|---|
| 2024/1774 | RTS | ICT Risk Management Framework & Simplified Framework | 25 June 2024 | Pillar 1 | rts-ict-risk-management.pdf |
| 2024/1772 | RTS | Criteria for Classification of ICT-related Incidents | 25 June 2024 | Pillar 3 | rts-incident-classification.pdf |
| 2024/1773 | RTS | ICT Third-Party Service Providers - Contractual Policies | 25 June 2024 | Pillar 4 | rts-third-party-risk.pdf |
| 2025/532 | RTS | Subcontracting of ICT Services | 17 April 2025 | Pillar 4 | |
| 2025/301 | RTS | Major Incident Reporting - Content & Time Limits | 20 February 2025 | Pillar 3 | rts-incident-reporting.pdf |
| 2025/302 | ITS | Standard Forms & Templates for Incident Reporting | 20 February 2025 | Pillar 3 | Included in reporting.pdf |
| 2024/2956 | ITS | Standard Templates for Register of Information | 29 November 2024 | Pillar 4 | Included in third-party.pdf |
| 2025/420 | RTS | Joint Examination Team (JET) Composition | 17 January 2025 | Pillar 4 | Oversight (authorities) |
| TIBER-EU | Framework | Threat-Led Penetration Testing (TLPT) | ECB 2018 (incorporated into DORA) | Pillar 2 | rts-tlpt-guide.pdf |
Chronological Timeline of Publications
2024
- 13 March 2024: Adoption of RTS 2024/1774 (Risk Management), 2024/1772 (Incident Classification), 2024/1773 (Third-Party Policies)
- 25 June 2024: Publication in the EU Official Journal of the first 3 RTS
- 29 November 2024: Publication of ITS 2024/2956 (Register Templates)
2025
- 17 January 2025: DORA ENTRY INTO FORCE - Mandatory application
- 20 February 2025: Publication of RTS 2025/301 (Incident Reporting) + ITS 2025/302 (Reporting Templates)
- 24 March 2025: Adoption of RTS 2025/532 (Subcontracting)
- 17 April 2025: Publication of RTS 2025/532 in the OJ
- 30 April 2025: DEADLINE: First transmission of ICT provider register to authorities
2026–2028
- 2026: First oversight inspections of critical ICT providers by ESAs
- Before 17 January 2028: TLPT DEADLINE: First mandatory TLPT exercise for significant entities
The 5 DORA Pillars and Their RTS/ITS
Pillar 1 ICT Risk Management
DORA Articles: 5-16
Applicable RTS: 2024/1774
Key requirements:
- Documented ICT risk management framework approved by management
- Complete inventory of ICT assets with criticality classification
- Identification of Critical or Important Functions (CIFs) — the cornerstone concept that drives every other DORA obligation
- Risk assessments at least annually
- Business continuity and disaster recovery policy (BCP/DRP) with regular testing
- Security controls (access, encryption, monitoring, vulnerability management)
Dedicated guide: rts-ict-risk-management.html · CIF methodology
Pillar 2 Digital Operational Resilience Testing
DORA Articles: 24-27
Applicable framework: TIBER-EU (ECB)
Key requirements:
- Regular resilience tests (vulnerability scans, pentests, etc.)
- Mandatory TLPT every 3 years for significant entities
- TIBER-EU methodology or recognized equivalent
- Independent Red Team + scenarios based on real threat intelligence
- Remediation of identified vulnerabilities with timeline
Dedicated guide: rts-tlpt-guide.html
Pillar 3 ICT-related Incident Management & Reporting
DORA Articles: 17-23
Applicable RTS: 2024/1772 (Classification) + 2025/301 (Reporting)
Applicable ITS: 2025/302 (Templates)
Key requirements:
- Incident classification according to 7 RTS 2024/1772 criteria: (1) clients/transactions, (2) reputational impact, (3) duration, (4) geographical spread, (5) data losses, (6) criticality of services affected, (7) economic impact
- Major incident reporting:
  - Initial: T+4 hours
  - Intermediate: T+72 hours
  - Final: T+1 month
- Voluntary notification of significant cyber threats
- Use of standardized XML templates (ITS 2025/302)
Dedicated guides: rts-incident-classification.html + rts-incident-reporting.html
Pillar 4 Third-Party Risk Management
DORA Articles: 28-44
Applicable RTS: 2024/1773 (Contractual clauses) + 2025/532 (Subcontracting)
Applicable ITS: 2024/2956 (Register)
Key requirements:
- Mandatory contractual clauses:
  - Access and audit rights (including for supervisors)
  - Data location and sovereignty
  - Incident notification (2h max)
  - Termination rights and exit strategy
  - Subcontracting control
- ICT provider register: Annual transmission to authorities (first time: 30 April 2025)
- Due diligence before subcontracting + 30-day notification + customer approval
- Limitation of cascading subcontracting (max 2 levels for critical functions)
Dedicated guide: rts-third-party-risk.html
Pillar 5 Information Sharing
DORA Articles: 45-47
RTS/ITS status: No specific RTS (voluntary arrangements)
Key requirements:
- Possibility to establish voluntary arrangements for sharing cyber threat information
- Protection of sensitive and commercial data
- No legal obligation, but strongly encouraged
- Examples: Sectoral ISACs, IOC (Indicators of Compromise) sharing
Documentation: ESA Guidelines (no dedicated RTS)
Priorities by Compliance Phase
Phase 1: IMMEDIATE (January–April 2025) — Urgent
- Incident Management:
  - Implement classification process (RTS 2024/1772)
  - Create notification templates
  - Obtain access to supervisor portal + eIDAS certificates
  - Train IT/SOC teams on reporting deadlines (4h/72h/1 month)
- ICT Provider Register:
  - List ALL ICT providers
  - Complete register according to ITS 2024/2956 template
  - Submit before 30 April 2025 (ABSOLUTE DEADLINE)
- Governance:
  - Board briefing on DORA obligations
  - Designation of ICT risk management function
  - Validation of ICT risk strategy
Phase 2: SHORT TERM (Q2–Q3 2025) — High Priority
- Third-Party Risk Management:
  - Gap analysis of all existing contracts vs. RTS 2024/1773
  - Launch contract renegotiations (critical functions priority)
  - Implement subcontracting approval process (RTS 2025/532)
- ICT Risk Management:
  - Complete ICT asset inventory
  - Classification by criticality
  - First complete risk assessment
  - Documentation of ICT policies compliant with RTS 2024/1774
- BCP/DRP:
  - Review continuity plans
  - Define RTO/RPO
  - Test plans (at least annually)
Phase 3: MEDIUM TERM (Q4 2025 – 2026) — Medium Priority
- Contract Finalization:
  - Complete renegotiations with ALL critical/important providers
  - Migrate to new providers if DORA clauses refused
- Security Controls:
  - Enhanced monitoring (SIEM, logs, alerting)
  - Generalized MFA implementation
  - Improved network segmentation
  - Patch management program
- Audits & Tests:
  - Internal DORA compliance audits
  - Annual pentests
  - BCP/DRP tests
Phase 4: LONG TERM (2027–2028) — Normal
- TLPT (if significant entity):
  - Start planning 18 months before (mid-2026)
  - Selection of TIBER-EU providers (Q3-Q4 2026)
  - Test execution (2027)
  - Completion before 17 January 2028
- Continuous Improvement:
  - Integration of lessons learned from incidents
  - Process optimization
  - Annual review of all DORA elements
Index of Available PDF Documents
1. RTS ICT Risk Management (2024/1774)
File: rts-ict-risk-management.html
Content: Complete ICT risk management framework, governance, asset inventory, risk assessments, security controls, BCP/DRP, simplified framework for small entities
Pages: ~15 | Level: Detailed
2. RTS Incident Classification (2024/1772)
File: rts-incident-classification.html
Content: 7 RTS criteria for classifying major incidents (clients, reputation, duration, geography, data, criticality, economic impact), thresholds by entity type, practical examples, decision tree
Pages: ~18 | Level: Very detailed
3. RTS Incident Reporting (2025/301)
File: rts-incident-reporting.html
Content: Reporting deadlines (4h/72h/1 month), mandatory content of each report, voluntary notification of cyber threats, submission process, penalties
Pages: ~16 | Level: Very detailed
4. RTS Third-Party Risk Management (2024/1773 + 2025/532)
File: rts-third-party-risk.html
Content: 8 mandatory contractual clauses, audit rights, data location, exit strategies, subcontracting rules, provider register (ITS 2024/2956), negotiation strategies
Pages: ~20 | Level: Very detailed
5. TLPT Complete Guide (TIBER-EU)
File: rts-tlpt-guide.html
Content: Complete TIBER-EU framework, 8 phases of TLPT, who is concerned, Red/Blue/White Team methodology, timeline (9-14 months), budgeting (€150k-500k), preparation checklist
Pages: ~18 | Level: Detailed
6. Complete Overview (this document)
File: dora-rts-its-complete-overview.html
Content: Summary table of all RTS/ITS, chronological timeline, mapping of 5 DORA pillars, compliance roadmap, key deadlines
Pages: ~10 | Level: Summary
Absolute Deadlines Not to Miss
| Date | Obligation | Concerns | Penalty if Non-Compliant |
|---|---|---|---|
| 17 Jan. 2025 | Full application of DORA | All EU financial entities | General non-compliance = penalties up to 2% of global turnover |
| 30 April 2025 | First transmission of ICT provider register | All entities (via supervisor) | Fines + remediation order |
| Ongoing from Jan 2025 | Major incident reporting (4h/72h/1 month) | All entities | Non-notification: up to 2% turnover · Delay: up to 1% turnover |
| 17 Jan. 2028 | First mandatory TLPT cycle | Significant entities only (~250 in EU) | Penalties + enhanced oversight |
| Annual (every 30 April) | ICT provider register update | All entities | Proportional fines |
| Every 3 years | TLPT (after the first) | Significant entities | Penalties + in-depth audit |
Links and Official Resources
Official EUR-Lex Texts
- DORA Regulation (EU) 2022/2554: eur-lex.europa.eu/eli/reg/2022/2554
- RTS 2024/1774 (Risk Management): eur-lex.europa.eu/eli/reg_del/2024/1774
- RTS 2024/1772 (Incident Classification): eur-lex.europa.eu/eli/reg_del/2024/1772
- RTS 2025/301 (Incident Reporting): eur-lex.europa.eu/eli/reg_del/2025/301
Supervisory Authorities
- European Banking Authority (EBA): eba.europa.eu/DORA
- EIOPA (Insurance): eiopa.europa.eu/DORA
- ESMA (Securities): esma.europa.eu/DORA
- European Central Bank (TIBER-EU): ecb.europa.eu/tiber-eu
European Commission
- Official DORA page: European Commission DORA
Practical Advice for Compliance
1. Pillar-by-Pillar Approach
Don't do everything at once. Prioritize:
- Pillar 3 (Incidents): Immediate risk if incident occurs from January 2025
- Pillar 4 (Third-Party): Register deadline 30 April 2025
- Pillar 1 (Risk Management): Foundation for everything else
- Pillar 2 (Testing): Longer timeline (TLPT 2028)
- Pillar 5 (Sharing): Voluntary, consider later
2. Internal Resources
Build a cross-functional team:
- Executive sponsor: Board member (DORA mandatory)
- DORA project leader: Centralized coordination
- CISO / IT Security: Technical aspects
- Compliance / Legal: Regulatory interpretation
- Risk Management: Risk assessments
- IT Operations: Practical implementation
- Procurement: Vendor contract management
3. Budgeting
Ballpark figures for an average entity:
- External consultants: €200k – €500k (gap analysis, support)
- Technology tools: €100k – €300k/year (SIEM, GRC platform, monitoring)
- Contract renegotiations: €50k – €200k (legal resources)
- TLPT (if applicable): €150k – €500k every 3 years
- Staff training: €50k – €100k
- TOTAL first year: €500k – €1.5M
- Annual run rate: €200k – €500k
4. Points of Vigilance
- Don't underestimate timelines: Contract renegotiations can take 6–12 months
- Hyperscaler resistance: AWS/Azure/GCP have their own timelines — plan for this in advance
- Exhaustive documentation required: Plan resources for writing/maintenance
- Ongoing operational burden: DORA is not a one-shot project but a permanent change