DORA RTS & ITS - Complete Overview 2025

Ref.	Type	Topic	OJ Publication Date	DORA Pillar	PDF Documents
2024/1774	RTS	ICT Risk Management Framework & Simplified Framework	25 June 2024	Pillar 1	rts-ict-risk-management.pdf
2024/1772	RTS	Criteria for Classification of ICT-related Incidents	25 June 2024	Pillar 3	rts-incident-classification.pdf
2024/1773	RTS	ICT Third-Party Service Providers - Contractual Policies	25 June 2024	Pillar 4	rts-third-party-risk.pdf
2025/532	RTS	Subcontracting of ICT Services	17 April 2025	Pillar 4	rts-third-party-risk.pdf
2025/301	RTS	Major Incident Reporting - Content & Time Limits	20 February 2025	Pillar 3	rts-incident-reporting.pdf
2025/302	ITS	Standard Forms & Templates for Incident Reporting	20 February 2025	Pillar 3	↑ Included in reporting.pdf
2024/2956	ITS	Standard Templates for Register of Information	29 November 2024	Pillar 4	↑ Included in third-party.pdf
2025/420	RTS	Joint Examination Team (JET) Composition	17 January 2025	Pillar 4	Oversight (authorities)
TIBER-EU	Framework	Threat-Led Penetration Testing (TLPT)	ECB 2018 (incorporated DORA)	Pillar 2	rts-tlpt-guide.pdf

📅 Chronological Timeline of Publications

2024

📌 13 March 2024: Adoption of RTS 2024/1774 (Risk Management), 2024/1772 (Incident Classification), 2024/1773 (Third-Party Policies)
📌 25 June 2024: Publication in the EU Official Journal of the first 3 RTS
📌 29 November 2024: Publication of ITS 2024/2956 (Register Templates)

2025

📌 17 January 2025: 🚨 DORA ENTRY INTO FORCE - Mandatory application
📌 20 February 2025: Publication of RTS 2025/301 (Incident Reporting) + ITS 2025/302 (Reporting Templates)
📌 24 March 2025: Adoption of RTS 2025/532 (Subcontracting)
📌 17 April 2025: Publication of RTS 2025/532 in the OJ
📌 30 April 2025: 🚨 DEADLINE: First transmission of ICT provider register to authorities

2026-2028

📌 2026: First oversight inspections of critical ICT providers by ESAs
📌 Before 17 January 2028: 🚨 TLPT DEADLINE: First mandatory TLPT exercise for significant entities

🏛️ The 5 DORA Pillars and Their RTS/ITS

Pillar 1 ICT Risk Management

DORA Articles: 5-16

Applicable RTS: 2024/1774

Key requirements:

✅ Documented ICT risk management framework approved by management
✅ Complete inventory of ICT assets with criticality classification
✅ Risk assessments at least annually
✅ Business continuity and disaster recovery policy (BCP/DRP) with regular testing
✅ Security controls (access, encryption, monitoring, vulnerability management)

📄 Dedicated PDF: rts-ict-risk-management.html

Pillar 2 Digital Operational Resilience Testing

DORA Articles: 24-27

Applicable framework: TIBER-EU (ECB)

Key requirements:

✅ Regular resilience tests (vulnerability scans, pentests, etc.)
✅ Mandatory TLPT every 3 years for significant entities
✅ TIBER-EU methodology or recognized equivalent
✅ Independent Red Team + scenarios based on real threat intelligence
✅ Remediation of identified vulnerabilities with timeline

📄 Dedicated PDF: rts-tlpt-guide.html

Pillar 3 ICT-related Incident Management & Reporting

DORA Articles: 17-23

Applicable RTS: 2024/1772 (Classification) + 2025/301 (Reporting)

Applicable ITS: 2025/302 (Templates)

Key requirements:

✅ Incident classification according to 6 criteria (clients, duration, geography, data, €, criticality)
✅ Major incident reporting:
- Initial: T+4 hours
- Intermediate: T+72 hours
- Final: T+1 month
✅ Voluntary notification of significant cyber threats
✅ Use of standardized XML templates (ITS 2025/302)

📄 Dedicated PDFs: rts-incident-classification.html + rts-incident-reporting.html

Pillar 4 Third-Party Risk Management

DORA Articles: 28-44

Applicable RTS: 2024/1773 (Contractual clauses) + 2025/532 (Subcontracting)

Applicable ITS: 2024/2956 (Register)

Key requirements:

✅ Mandatory contractual clauses:
- Access and audit rights (including for supervisors)
- Data location and sovereignty
- Incident notification (2h max)
- Termination rights and exit strategy
- Subcontracting control
✅ ICT provider register: Annual transmission to authorities (first time: 30 April 2025)
✅ Due diligence before subcontracting + 30-day notification + customer approval
✅ Limitation of cascading subcontracting (max 2 levels for critical functions)

📄 Dedicated PDF: rts-third-party-risk.html

Pillar 5 Information Sharing

DORA Articles: 45-47

RTS/ITS status: No specific RTS (voluntary arrangements)

Key requirements:

✅ Possibility to establish voluntary arrangements for sharing cyber threat information
✅ Protection of sensitive and commercial data
✅ No legal obligation, but strongly encouraged
✅ Examples: Sectoral ISACs, IOC sharing (Indicators of Compromise)

📄 Documentation: ESA Guidelines (no dedicated RTS)

🎯 Priorities by Compliance Phase

Phase 1: IMMEDIATE (January-April 2025) - ⚠️ URGENT

☑️ Incident Management:
- Implement classification process (RTS 2024/1772)
- Create notification templates
- Obtain access to supervisor portal + eIDAS certificates
- Train IT/SOC teams on reporting deadlines (4h/72h/1 month)
☑️ ICT Provider Register:
- List ALL ICT providers
- Complete register according to ITS 2024/2956 template
- Submit before 30 April 2025 (ABSOLUTE DEADLINE)
☑️ Governance:
- Board briefing on DORA obligations
- Designation of ICT risk management function
- Validation of ICT risk strategy

Phase 2: SHORT TERM (Q2-Q3 2025) - 🔴 HIGH PRIORITY

☑️ Third-Party Risk Management:
- Gap analysis of all existing contracts vs. RTS 2024/1773
- Launch contract renegotiations (critical functions priority)
- Implement subcontracting approval process (RTS 2025/532)
☑️ ICT Risk Management:
- Complete ICT asset inventory
- Classification by criticality
- First complete risk assessment
- Documentation of ICT policies compliant with RTS 2024/1774
☑️ BCP/DRP:
- Review continuity plans
- Define RTO/RPO
- Test plans (at least annually)

Phase 3: MEDIUM TERM (Q4 2025 - 2026) - 🟡 MEDIUM PRIORITY

☑️ Contract Finalization:
- Complete renegotiations with ALL critical/important providers
- Migrate to new providers if DORA clauses refused
☑️ Security Controls:
- Enhanced monitoring (SIEM, logs, alerting)
- Generalized MFA implementation
- Improved network segmentation
- Patch management program
☑️ Audits & Tests:
- Internal DORA compliance audits
- Annual pentests
- BCP/DRP tests

Phase 4: LONG TERM (2027-2028) - 🟢 NORMAL

☑️ TLPT (if significant entity):
- Start planning 18 months before (mid-2026)
- Selection of TIBER-EU providers (Q3-Q4 2026)
- Test execution (2027)
- Completion before 17 January 2028
☑️ Continuous Improvement:
- Integration of lessons learned from incidents
- Process optimization
- Annual review of all DORA elements

📁 Index of Available PDF Documents

⚠️ Absolute Deadlines Not to Miss

Date	Obligation	Concerns	Penalty if Non-Compliant
17 Jan. 2025	Full application of DORA	All EU financial entities	General non-compliance = penalties up to 2% of global turnover
30 April 2025	First transmission of ICT provider register	All entities (via supervisor)	Fines + remediation order
Ongoing from Jan 2025	Major incident reporting (4h/72h/1 month)	All entities	Non-notification: up to 2% turnover \| Delay: up to 1% turnover
17 Jan. 2028	First mandatory TLPT cycle	Significant entities only (~250 in EU)	Penalties + enhanced oversight
Annual (every 30 April)	ICT provider register update	All entities	Proportional fines
Every 3 years	TLPT (after the first)	Significant entities	Penalties + in-depth audit

🔗 Links and Official Resources

Official EUR-Lex Texts

DORA Regulation (EU) 2022/2554: eur-lex.europa.eu/eli/reg/2022/2554
RTS 2024/1774 (Risk Management): eur-lex.europa.eu/eli/reg_del/2024/1774
RTS 2024/1772 (Incident Classification): eur-lex.europa.eu/eli/reg_del/2024/1772
RTS 2025/301 (Incident Reporting): eur-lex.europa.eu/eli/reg_del/2025/301

Supervisory Authorities

European Banking Authority (EBA): eba.europa.eu/regulation-and-policy/digital-operational-resilience-act-dora
EIOPA (Insurance): eiopa.europa.eu/digital-operational-resilience-act-dora_en
ESMA (Securities): esma.europa.eu/esmas-activities/digital-operational-resilience-act-dora
European Central Bank (TIBER-EU): ecb.europa.eu/tiber-eu

European Commission

Official DORA page: finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en

💡 Practical Advice for Compliance

1. Pillar-by-Pillar Approach

Don't do everything at once. Prioritize:

Pillar 3 (Incidents): Immediate risk if incident occurs from January 2025
Pillar 4 (Third-Party): Register deadline 30 April 2025
Pillar 1 (Risk Management): Foundation for everything else
Pillar 2 (Testing): Longer timeline (TLPT 2028)
Pillar 5 (Sharing): Voluntary, consider later

2. Internal Resources

Build a cross-functional team:

🏢 Executive sponsor: Board member (DORA mandatory)
👤 DORA project leader: Centralized coordination
🔐 CISO / IT Security: Technical aspects
⚖️ Compliance / Legal: Regulatory interpretation
📊 Risk Management: Risk assessments
💻 IT Operations: Practical implementation
🤝 Procurement: Vendor contract management

3. Budgeting

Ballpark figures for average entity:

💰 External consultants: €200k - €500k (gap analysis, support)
💰 Technology tools: €100k - €300k/year (SIEM, GRC platform, monitoring)
💰 Contract renegotiations: €50k - €200k (legal resources)
💰 TLPT (if applicable): €150k - €500k every 3 years
💰 Staff training: €50k - €100k
TOTAL first year: €500k - €1.5M
Annual run rate: €200k - €500k

4. Points of Vigilance

⚠️ Don't underestimate timelines: Contract renegotiations can take 6-12 months
⚠️ Hyperscaler resistance: AWS/Azure/GCP have their own timelines, anticipate
⚠️ Exhaustive documentation required: Plan resources for writing/maintenance
⚠️ Ongoing operational burden: DORA is not a one-shot project but a permanent change

📚 DORA RTS & ITS

📊 Summary Table of All RTS & ITS

📅 Chronological Timeline of Publications

2024

2025

2026-2028

🏛️ The 5 DORA Pillars and Their RTS/ITS

Pillar 1 ICT Risk Management

Pillar 2 Digital Operational Resilience Testing

Pillar 3 ICT-related Incident Management & Reporting

Pillar 4 Third-Party Risk Management

Pillar 5 Information Sharing

🎯 Priorities by Compliance Phase

Phase 1: IMMEDIATE (January-April 2025) - ⚠️ URGENT

Phase 2: SHORT TERM (Q2-Q3 2025) - 🔴 HIGH PRIORITY

Phase 3: MEDIUM TERM (Q4 2025 - 2026) - 🟡 MEDIUM PRIORITY

Phase 4: LONG TERM (2027-2028) - 🟢 NORMAL

📁 Index of Available PDF Documents

⚠️ Absolute Deadlines Not to Miss

🔗 Links and Official Resources

Official EUR-Lex Texts

Supervisory Authorities

European Commission

💡 Practical Advice for Compliance

1. Pillar-by-Pillar Approach

2. Internal Resources

3. Budgeting

4. Points of Vigilance

📚 DORA RTS & ITS

📊 Summary Table of All RTS & ITS

📅 Chronological Timeline of Publications

2024

2025

2026-2028

🏛️ The 5 DORA Pillars and Their RTS/ITS

Pillar 1 ICT Risk Management

Pillar 2 Digital Operational Resilience Testing

Pillar 3 ICT-related Incident Management & Reporting

Pillar 4 Third-Party Risk Management

Pillar 5 Information Sharing

🎯 Priorities by Compliance Phase

Phase 1: IMMEDIATE (January-April 2025) - ⚠️ URGENT

Phase 2: SHORT TERM (Q2-Q3 2025) - 🔴 HIGH PRIORITY

Phase 3: MEDIUM TERM (Q4 2025 - 2026) - 🟡 MEDIUM PRIORITY

Phase 4: LONG TERM (2027-2028) - 🟢 NORMAL

📁 Index of Available PDF Documents

1. RTS ICT Risk Management (2024/1774)

2. RTS Incident Classification (2024/1772)

3. RTS Incident Reporting (2025/301)

4. RTS Third-Party Risk Management (2024/1773 + 2025/532)

5. TLPT Complete Guide (TIBER-EU)

6. Complete Overview (this document)

⚠️ Absolute Deadlines Not to Miss

🔗 Links and Official Resources

Official EUR-Lex Texts

Supervisory Authorities

European Commission

💡 Practical Advice for Compliance

1. Pillar-by-Pillar Approach

2. Internal Resources

3. Budgeting

4. Points of Vigilance