Comprehensive guide to DORA's Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). Download the complete PDF documentation and understand all compliance requirements.
What are DORA RTS and ITS?
The Digital Operational Resilience Act (DORA) is supplemented by detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities (ESAs) - EBA, EIOPA, and ESMA. New to the regulation? Start with our complete guide to what DORA is, then return here for the technical detail.
Key Difference
RTS (Regulatory Technical Standards): Define detailed technical requirements and regulatory standards that financial entities must comply with.
ITS (Implementing Technical Standards): Provide practical implementation details, templates, and formats for reporting and compliance.
Implementing the standards with ISO 27001?
If you already run an ISO 27001 ISMS, it is the fastest roadmap to these standards. Read our ISO 27001 → DORA mapping guide — what maps cleanly, the regulatory delta, and the quick wins — or learn the full control mapping in the DORA Programme Manager certification.
Key Areas Covered by DORA RTS
ICT Risk Management
Governance arrangements and frameworks
Risk identification and assessment methodologies
ICT systems classification criteria
Documentation requirements
Internal audit procedures
Incident Reporting
Major incident classification criteria
Reporting timelines and templates
Notification thresholds
Root cause analysis requirements
Significant cyber threat reporting
Resilience Testing
Advanced testing methodologies (TLPT)
Testing frequency and scope
Threat-Led Penetration Testing (TLPT) framework
Test execution and reporting
Remediation action plans
Third-Party Risk
Critical ICT service provider criteria
Contractual arrangements requirements
Exit strategies and transition plans
Sub-outsourcing oversight
Register of information requirements
Information Sharing
Cyber threat intelligence sharing arrangements
Data protection and confidentiality
Trusted information sharing frameworks
Cross-border cooperation mechanisms
Oversight Framework
Designation criteria for critical providers
Oversight tools and powers
Inspection procedures
Enforcement mechanisms
Cooperation between authorities
DORA RTS Implementation Timeline
Important Deadline
January 17, 2025: DORA regulation becomes fully applicable across all EU member states. Financial entities must comply with all RTS and ITS requirements.
January 16, 2023
DORA Entry into Force: Regulation (EU) 2022/2554 entered into force, giving entities 24 months to prepare.
2023-2024
RTS & ITS Development: ESAs developed and finalized technical standards through public consultations.
July-December 2024
Final RTS Adoption: European Commission adopted final RTS packages covering all DORA pillars.
January 17, 2025
Full Application: All DORA requirements, including RTS and ITS, become fully applicable.
The Complete RTS & ITS Catalogue (13 Standards)
DORA is supplemented by 13 binding technical standards developed jointly by the EBA, ESMA and EIOPA (the European Supervisory Authorities, or ESAs). The standards were delivered in two batches: the "first batch" submitted to the European Commission in January 2024, and the "second batch" finalised mid-2024. Once adopted by the Commission as Delegated Regulations or Implementing Regulations, the standards are directly applicable across all 27 Member States — no national transposition required.
First batch RTS (January 2024)
RTS on ICT risk management framework (Article 15) — Commission Delegated Regulation (EU) 2024/1774 — comprehensive minimum content for security policies, access management, encryption, cryptography, network segmentation, ICT change management, business continuity policy and crisis communication.
RTS on simplified ICT risk management framework (Article 16(3)) — proportionate framework for entities qualifying as small and non-interconnected. Reduced requirements but core principles (board accountability, incident management, third-party rules) preserved.
RTS on classification of major ICT-related incidents and significant cyber threats (Article 18(3)) — six primary criteria + three secondary criteria for "major" classification, plus criteria for "significant cyber threat" reporting. Defines the thresholds that determine whether the 4h/72h/1m clock starts.
RTS on policy on ICT services performed by ICT third-party service providers (Article 28(10)) — what the third-party policy must contain, board ownership, integration with overall risk management.
ITS on Register of Information (Article 28(9)) — XBRL/XML template, taxonomy of ICT services, mandatory fields, submission cadence and quality expectations.
Second batch RTS & ITS (mid-to-late 2024)
RTS on subcontracting of critical or important functions (Article 30(5)) — final version published Q3 2024 after extended consultation. Covers conditions under which financial entities allow ICT third-party providers to subcontract, including notification, sub-outsourcing register, concentration risk, data location transparency.
RTS on threat-led penetration testing (Article 26(11)) — TIBER-EU-aligned methodology: threat intelligence, red teaming, scope definition, white team/blue team controls, reporting to NCAs, supervisory attestation.
RTS on harmonisation of conditions enabling the conduct of oversight activities (Article 41(1)) — operational rules for the Lead Overseer regime: how the ESAs supervise designated CTPPs, joint examination teams, information requests, recommendations.
RTS specifying the criteria for the designation of CTPPs (Article 31(6)) — quantitative criteria for designation: aggregate value of services, number of financial entities served, systemic impact if disrupted, substitutability rating.
RTS on the content and format of the supervisory examination report on subcontracting arrangements — supporting the Lead Overseer regime.
ITS on incident reporting templates and procedures (Article 20) — harmonised template across all financial sectors, submission via NCA portals, fields, validation rules.
RTS on aggregated costs and losses from major ICT-related incidents (Article 11(11)) — methodology for aggregating direct and indirect costs of ICT incidents for supervisory and risk reporting purposes.
Joint Guidelines on cooperation between ESAs and NCAs — operational coordination for cross-border incidents and supervisory dialogue.
Quick reference
The complete cross-reference between each RTS, the underlying DORA article and the implementing Commission Regulation is available in our RTS & ITS Complete Overview.
Detailed RTS Requirements by Pillar
1. ICT Risk Management RTS
The RTS on ICT risk management framework (Commission Delegated Regulation 2024/1774) is the densest and most operationally significant of the technical standards. It runs to 70+ recitals and articles, covering the full ICT control surface a financial entity must maintain. Key chapters include security policies and procedures (governance level), human resources policy and security awareness, identity management and access control with multi-factor authentication for privileged access, cryptographic controls including key management, network security (segmentation, monitoring, secure configuration), ICT operations (change, capacity, vulnerability), ICT project management and acquisition, ICT business continuity policy with documented RTOs/RPOs, and crisis communication.
Requirement Area: Key Provisions
Governance: Management body responsibilities, ICT risk management function, three lines of defence
Risk Assessment: Comprehensive ICT risk assessment at least annually, documenting critical/important functions
Continuous oversight, performance monitoring, incident reporting from providers, register updates
Exit: Exit strategies tested annually, transition plans, data retrieval procedures, alternative provider identified
5. RTS on Subcontracting
The RTS on subcontracting is the late-2024 standard that operationalises the Article 30 provisions on sub-outsourcing of critical or important functions. Key obligations:
Notification to the financial entity of any planned material change to the sub-outsourcing chain, with sufficient lead time to assess and object
Right of the financial entity to oppose specific subcontracting arrangements where they create unacceptable risk
Sub-outsourcing register maintained by the ICT third-party provider, available to the financial entity
Visibility down to all material sub-contractors performing parts of the service — typically Tier 3 or deeper
Concentration risk assessment at the chain level, not just at vendor level
Data location transparency throughout the chain, including processing, storage, support and back-up locations
How RTS & ITS Become Binding Law
One of the most misunderstood aspects of the DORA framework is the legal pathway by which the technical standards become binding obligations. Unlike Directives, which require national transposition, DORA itself is a Regulation under Article 288 TFEU — directly applicable in all Member States with no need for national legislation. The RTS and ITS follow a similar route but with one extra step:
Drafting: The ESAs (EBA, ESMA, EIOPA) draft the technical standards, often in joint mandate working groups, after public consultation.
Submission to the Commission: The draft standards are submitted to the European Commission for adoption.
Commission adoption: The Commission adopts the standards as Delegated Regulations (for RTS) or Implementing Regulations (for ITS), subject to a non-objection right by the European Parliament and Council.
Publication and entry into force: The Commission Regulation is published in the Official Journal of the European Union and enters into force on the specified date — typically 20 days after publication, sometimes with a later application date.
Direct effect: Once in force, the RTS/ITS are directly applicable in all Member States. Financial entities must comply without waiting for any national implementing legislation.
This means the question "is this RTS in force?" has a binary answer that you can verify on EUR-Lex. There is no national grace period, no transposition delay. The 17 January 2025 application date for DORA itself was the trigger — most RTS applied from that date or shortly after.
How RTS Interact with Existing Frameworks
For most financial entities, DORA RTS arrive in a regulatory landscape already shaped by sector-specific guidance from the ESAs, national supervisors, ENISA, NIS2 and global standards (ISO 27001, NIST CSF). Understanding the interaction matters for implementation efficiency.
EBA Guidelines on ICT and security risk management (EBA/GL/2019/04)
Largely superseded by the RTS on ICT risk management framework. The EBA opened a consultation in 2024 on repealing or amending these guidelines. In practice, banks should treat DORA + RTS 2024/1774 as authoritative; legacy EBA guidelines remain useful as implementation depth on specific topics (network segmentation, secure development) but no longer add binding obligations beyond what DORA mandates.
EBA Outsourcing Guidelines (EBA/GL/2019/02)
Partially superseded for ICT outsourcing by DORA Articles 28-30 plus the RTS on subcontracting. Non-ICT outsourcing (e.g., physical document management, certain operational outsourcing) continues to follow the EBA Outsourcing Guidelines. Banks need to maintain two parallel registers in many cases — DORA Register of Information for ICT and the EBA outsourcing register for non-ICT.
EIOPA Guidelines on outsourcing to cloud service providers
Under consultation in 2024 for repeal or alignment with DORA. Practically replaced by DORA Articles 28-30 + RTS on subcontracting for cloud outsourcing.
NIS2 Directive (Directive (EU) 2022/2555)
NIS2 covers a broader universe (energy, transport, health, digital infrastructure, financial services, public administration) but for financial entities DORA acts as lex specialis under NIS2 Article 4(1) — DORA prevails over NIS2 obligations where they overlap. Financial entities subject to both DORA and NIS2 (e.g., a bank with a separately authorised data centre operator subsidiary) must navigate the dual framework carefully.
ISO 27001 and NIST CSF
Not binding under EU law but widely adopted. ISO 27001 controls map well to many DORA requirements; supervisors generally accept ISO 27001 certification as evidence of control design but require independent validation that DORA-specific requirements (e.g., incident classification, register of information) are met. NIST CSF provides a useful taxonomy but does not satisfy DORA on its own.
RTS & ITS FAQ
What is the difference between RTS and ITS?
RTS (Regulatory Technical Standards) define what financial entities must do — substantive technical requirements. ITS (Implementing Technical Standards) define how — templates, formats, procedural details. Both are binding directly applicable Commission Regulations once adopted, but RTS carry the substance, ITS the operational mechanics. For example, the RTS on classification defines the criteria for "major incident"; the ITS on incident reporting defines the template used to report it.
Are all 13 RTS and ITS already in force in 2026?
The first batch (5 standards including ICT risk management framework, classification, third-party policy, register template) has been in force since 17 January 2025. The second batch (subcontracting, TLPT, oversight, CTPP designation criteria, aggregated costs methodology and others) was finalised in late 2024 and applies progressively through 2025-2026. Verify on EUR-Lex for any specific standard.
Can a financial entity be sanctioned for non-compliance with an RTS, or only with DORA itself?
Both. The RTS, once adopted as Commission Delegated/Implementing Regulations, become binding EU law on the same legal footing as the DORA Regulation. Article 50 sanctions apply to breaches of any DORA-related obligation, which includes RTS-based requirements. NCAs can sanction breaches at their full discretion within the maximum 2% of worldwide turnover (entity) or €1M (natural person).
What is the legal status of ESA Q&A documents on DORA?
ESA Q&A documents (Joint Committee Q&A on DORA) are non-binding interpretive guidance. They reflect the supervisory expectation but cannot create new obligations beyond what DORA and the RTS/ITS require. NCAs typically follow ESA Q&A in their supervisory practice; financial entities should treat them as authoritative interpretation in good faith but distinguish them from binding rules.
Does the RTS on simplified ICT risk framework reduce obligations significantly?
Yes, for the entities that qualify. The simplified framework drops several documentation and process requirements (e.g., reduced testing programme, simpler ICT business continuity policy structure, lighter board reporting cadence). However, it preserves core principles: board accountability, incident management, third-party rules, register of information. Qualification is strict — small balance sheet, low complexity, no significant cross-border activity, no critical functions outsourced.
How do RTS interact with existing ISO 27001 / NIST CSF certifications?
ISO 27001 and NIST CSF are not equivalent to DORA RTS but the control overlap is significant. ISO 27001-certified entities typically meet 60-75% of the RTS on ICT risk management framework requirements out of the box. The remaining gap is mostly in DORA-specific items: incident classification per RTS thresholds, register of information format, third-party Article 30 clauses, board-level governance specifics. Supervisors accept ISO/NIST as evidence of design but require independent verification of DORA-specific delta.
What format is the Register of Information submitted in?
The ITS on Register of Information defines an XBRL/XML template with a structured taxonomy of ICT services. Submission is annual (by 30 April) via the national competent authority's portal. The 2025 first cycle revealed material data quality issues across the industry, with 35-50% of contracts having at least one missing or invalid mandatory field at most banks.
Does the TLPT RTS require strict TIBER-EU compliance?
It is aligned with TIBER-EU but not identical. The DORA TLPT RTS uses TIBER-EU as the methodological reference but adds specifics on supervisory attestation, NCA coordination, white team/blue team protocols, and reporting. Entities already running TIBER-EU exercises typically meet the RTS with modest adaptation. New entrants treat the RTS as the primary reference and TIBER-EU implementation guidance as the operational handbook.
How often are RTS updated?
RTS are updated when the underlying DORA articles change, when ESAs identify implementation issues requiring clarification, or in response to evolving threat landscape and technology. The first major RTS review cycle is expected in 2027-2028, three years after initial application. In the interim, ESA Q&A documents provide interpretive updates without amending the RTS themselves.
Are RTS available in all EU languages?
Yes — once adopted as Commission Regulations, the RTS are published in all 24 official EU languages on EUR-Lex. The English version is typically the working version during ESA drafting; the legally binding version is each language version. Translation occasionally introduces interpretive nuances; cross-border groups typically work from the English text but verify alignment with local-language versions when supervisors raise specific points.
Official RTS/ITS Resources
Access authoritative sources for DORA technical standards: