Official DORA Technical Standards

DORA RTS & ITS: Regulatory Technical Standards

Comprehensive guide to DORA's Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). Download the complete PDF documentation and understand all compliance requirements.

Download DORA RTS PDF

Get the complete official documentation of DORA Regulatory Technical Standards in PDF format


What are DORA RTS and ITS?

The Digital Operational Resilience Act (DORA) is supplemented by detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (ESAs): the EBA, EIOPA, and ESMA.

Key Difference

RTS (Regulatory Technical Standards): Define detailed technical requirements and regulatory standards that financial entities must comply with.

ITS (Implementing Technical Standards): Provide practical implementation details, templates, and formats for reporting and compliance.

Key Areas Covered by DORA RTS

ICT Risk Management

  • Governance arrangements and frameworks
  • Risk identification and assessment methodologies
  • ICT systems classification criteria
  • Documentation requirements
  • Internal audit procedures

Incident Reporting

  • Major incident classification criteria
  • Reporting timelines and templates
  • Notification thresholds
  • Root cause analysis requirements
  • Significant cyber threat reporting

Resilience Testing

  • Advanced testing methodologies (TLPT)
  • Testing frequency and scope
  • Threat-Led Penetration Testing (TLPT) framework
  • Test execution and reporting
  • Remediation action plans

Third-Party Risk

  • Critical ICT service provider criteria
  • Contractual arrangements requirements
  • Exit strategies and transition plans
  • Sub-outsourcing oversight
  • Register of information requirements

Information Sharing

  • Cyber threat intelligence sharing arrangements
  • Data protection and confidentiality
  • Trusted information sharing frameworks
  • Cross-border cooperation mechanisms

Oversight Framework

  • Designation criteria for critical providers
  • Oversight tools and powers
  • Inspection procedures
  • Enforcement mechanisms
  • Cooperation between authorities

DORA RTS Implementation Timeline

Important Deadline

January 17, 2025: DORA regulation becomes fully applicable across all EU member states. Financial entities must comply with all RTS and ITS requirements.

January 16, 2023

DORA Entry into Force: Regulation (EU) 2022/2554 entered into force, giving entities 24 months to prepare.

2023-2024

RTS & ITS Development: ESAs developed and finalized technical standards through public consultations.

July-December 2024

Final RTS Adoption: European Commission adopted final RTS packages covering all DORA pillars.

January 17, 2025

Full Application: All DORA requirements, including RTS and ITS, become fully applicable.

Detailed RTS Requirements by Pillar

1. ICT Risk Management RTS

Requirement areas and key provisions:

  • Governance: Management body responsibilities, ICT risk management function, three lines of defense
  • Risk Assessment: Comprehensive ICT risk assessment at least annually, documenting critical/important functions
  • Protection & Prevention: Security policies, access controls, change management, network security
  • Detection: Continuous monitoring, anomaly detection, logging and correlation mechanisms
  • Response & Recovery: Business continuity plans, disaster recovery, backup strategies, crisis communication

2. Incident Reporting RTS

Financial entities must classify ICT-related incidents based on specific criteria:

Classification Criteria

Incidents are classified as "major" based on:

  • Number of clients/financial counterparties affected (thresholds vary by entity type)
  • Duration of downtime
  • Geographical spread
  • Data losses
  • Criticality of services affected
  • Economic impact

3. TLPT (Threat-Led Penetration Testing) RTS

Advanced testing framework for entities identified as significant:

4. Third-Party Oversight RTS

Detailed requirements for managing ICT third-party service providers:

Stages and requirements:

  • Pre-Contracting: Due diligence, risk assessment, alternative provider analysis
  • Contractual: Mandatory contract clauses, SLAs, audit rights, termination rights, data access
  • Monitoring: Continuous oversight, performance monitoring, incident reporting from providers
  • Exit: Exit strategies, transition plans, data retrieval procedures

Official RTS/ITS Resources

Access authoritative sources for DORA technical standards:

Need Help with DORA RTS Compliance?

Implementing DORA RTS requirements can be complex. Our experts can help you:

Gap Assessment

Identify gaps between your current state and DORA RTS requirements

Implementation Roadmap

Develop a structured implementation plan with timelines and priorities

Policy & Documentation

Create compliant policies, procedures, and documentation

Training & Support

Train your teams on DORA RTS requirements and best practices

