DORA RTS PDF Download | Regulatory Technical Standards 2026

DORA RTS/ITS Complete Package

Get instant access to all 6 Regulatory Technical Standards & Implementing Technical Standards documents

29.99 EUR one-time payment

Complete RTS/ITS Requirements PDF
Incident Reporting Guide
ICT Risk Management Standards
Third-Party Risk Framework
TLPT Testing Guide
Incident Classification Standards
Lifetime access + future updates

Secure payment via Stripe. Instant delivery by email.

What are DORA RTS and ITS?

The Digital Operational Resilience Act (DORA) is supplemented by detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (ESAs) - EBA, EIOPA, and ESMA.

Key Difference

RTS (Regulatory Technical Standards): Define detailed technical requirements and regulatory standards that financial entities must comply with.

ITS (Implementing Technical Standards): Provide practical implementation details, templates, and formats for reporting and compliance.

Key Areas Covered by DORA RTS

ICT Risk Management

Governance arrangements and frameworks
Risk identification and assessment methodologies
ICT systems classification criteria
Documentation requirements
Internal audit procedures

Incident Reporting

Major incident classification criteria
Reporting timelines and templates
Notification thresholds
Root cause analysis requirements
Significant cyber threat reporting

Resilience Testing

Advanced testing methodologies (TLPT)
Testing frequency and scope
Threat-Led Penetration Testing (TLPT) framework
Test execution and reporting
Remediation action plans

Third-Party Risk

Critical ICT service provider criteria
Contractual arrangements requirements
Exit strategies and transition plans
Sub-outsourcing oversight
Register of information requirements

Information Sharing

Cyber threat intelligence sharing arrangements
Data protection and confidentiality
Trusted information sharing frameworks
Cross-border cooperation mechanisms

Oversight Framework

Designation criteria for critical providers
Oversight tools and powers
Inspection procedures
Enforcement mechanisms
Cooperation between authorities

DORA RTS Implementation Timeline

Important Deadline

January 17, 2025: DORA regulation becomes fully applicable across all EU member states. Financial entities must comply with all RTS and ITS requirements.

January 16, 2023

DORA Entry into Force: Regulation (EU) 2022/2554 entered into force, giving entities 24 months to prepare.

2023-2024

RTS & ITS Development: ESAs developed and finalized technical standards through public consultations.

July-December 2024

Final RTS Adoption: European Commission adopted final RTS packages covering all DORA pillars.

January 17, 2025

Full Application: All DORA requirements, including RTS and ITS, become fully applicable.

Detailed RTS Requirements by Pillar

1. ICT Risk Management RTS

Requirement Area	Key Provisions
Governance	Management body responsibilities, ICT risk management function, three lines of defense
Risk Assessment	Comprehensive ICT risk assessment at least annually, documenting critical/important functions
Protection & Prevention	Security policies, access controls, change management, network security
Detection	Continuous monitoring, anomaly detection, logging and correlation mechanisms
Response & Recovery	Business continuity plans, disaster recovery, backup strategies, crisis communication

2. Incident Reporting RTS

Financial entities must classify ICT-related incidents based on specific criteria:

Initial notification: Within 4 hours of detection for major incidents
Intermediate report: Within 72 hours with detailed impact assessment
Final report: Within one month including root cause analysis and remediation

Classification Criteria

Incidents are classified as "major" based on:

Number of clients/financial counterparties affected (thresholds vary by entity type)
Duration of downtime
Geographical spread
Data losses
Criticality of services affected
Economic impact

Complete Incident Reporting Guide

Access the full RTS on Incident Reporting with detailed timelines, requirements, and compliance checklists. Included in the RTS/ITS package.

Unlock All Documents — 29.99

3. TLPT (Threat-Led Penetration Testing) RTS

Advanced testing framework for entities identified as significant:

Testing must be performed at least every 3 years
Use of TIBER-EU framework or equivalent
Involvement of independent testers
Red team exercises simulating real attack scenarios
Comprehensive remediation plans post-testing

4. Third-Party Oversight RTS

Detailed requirements for managing ICT third-party service providers:

Stage	Requirements
Pre-Contracting	Due diligence, risk assessment, alternative provider analysis
Contractual	Mandatory contract clauses, SLAs, audit rights, termination rights, data access
Monitoring	Continuous oversight, performance monitoring, incident reporting from providers
Exit	Exit strategies, transition plans, data retrieval procedures

Official RTS/ITS Resources

Access authoritative sources for DORA technical standards:

European Supervisory Authorities

Official Texts

Need Help with DORA RTS Compliance?

Implementing DORA RTS requirements can be complex. Our experts can help you:

Gap Assessment

Identify gaps between your current state and DORA RTS requirements

Implementation Roadmap

Develop a structured implementation plan with timelines and priorities

Policy & Documentation

Create compliant policies, procedures, and documentation

Training & Support

Train your teams on DORA RTS requirements and best practices

Contact Our DORA Experts

DORA RTS & ITS: Regulatory Technical Standards