"DORA" regulation: the first drafts of regulatory technical standards

Prepared by Fabrizio Cascinelli, Francesco Della Scala, Domenica Esposito

On June 19, 2023, the European Supervisory Authorities (EBA, ESMA, EIOPA, collectively the “ESAs“) launched a public consultation in order to develop a first set of regulatory technical standards under the DORA Regulation (Regulation (EU) 2022/2554, Digital Operational Resilience Act).

The DORA Regulation, published in the Official Journal of the European Union on December 27^th, 2022, and applicable starting from of January 17^th, 2025, creates an European regulatory framework on digital operational resilience in the financial sector in order to ensure the security of network and information systems supporting the business processes of regulated financial entities.

The ESAs are mandated to develop the draft of Regulatory Technical Standards (RTS) and of Implementing Technical Standards (ITS) that will details specific aspects; then, the technical standards will be adopted by the European Commission through delegated and implementing acts.

Specifically, the DORA Regulation provides that a first set of technical standards will be submitted to the European Commission by January 17^th 2024, and a second set of technical standards will be submitted to the European Commission by July 17^th 2024.

Therefore, the draft technical standards published by the ESAs on June 19^th 2023 represents the first set of technical standards to be developed and it covers:

RTS on ICT risk management framework (pursuant to Articles 15 and 16(3), DORA);
RTS on criteria for classification of ICT-related incidents (pursuant to Article 18, DORA);
ITS to establish templates for the information registry (pursuant to Article 28(9), DORA);
RTS to specify policy on ICT services provided by third-party ICT providers (pursuant to Art. 28(10), DORA).

In this respect, the ESAs have also published an “Introductory Note” explaining the content and expected timeline for the elaboration of such standards; the document shows that the ESAs will launch the public consultation for the second set of technical standards by the end of the year, between November and December 2023.

It’s possible to participate to the consultation by September 11st 2023.

Consultation paper on draft RTSs ICT risk management tools methods processes and policies

Consultation paper on draft RTS on classification of ICT incidents

Consultation paper on draft ITS on register of information

Consultation paper on draft RTS on policy on the use of ICT services regarding CI functions Introductory note. Digital Operational Resilience Act (DORA): public consultation on the first batch of policy products