Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)

Imposing new regulatory requirements to ensure that firms can demonstrate their digital resilience

17 January 2024

Level 2

Further harmonisation of ICT risk management tools, methods, processes and policies

ESAs to develop draft regulatory technical standards, in consultation with the European Union Agency on Cybersecurity (ENISA), in order to:

  • specify further elements to be included in the ICT security policies, procedures, protocols and tools referred to in Article 9(2) (Protection and prevention), with a view to ensuring the security of networks, enabling adequate safeguards against intrusions and data misuse, preserving the availability, authenticity, integrity and confidentiality of data, including cryptographic techniques, and guaranteeing an accurate and prompt data transmission without major disruptions and undue delays;
  • develop further components of the controls of access management rights referred to in Article 9(4)(c) (Protection and prevention) and associated human resource policy specifying access rights, procedures for granting and revoking rights, monitoring anomalous behaviour in relation to ICT risk through appropriate indicators, including for network use patterns, hours, IT activity and unknown devices;
  • develop further the mechanisms specified in Article 10(1) (Detection) enabling a prompt detection of anomalous activities and the criteria set out in Article 10(2) (Detection) triggering ICT-related incident detection and response processes;
  • specify further the components of the ICT business continuity policy referred to in Article 11(1) (Response and recovery);
  • specify further the testing of ICT business continuity plans referred to in Article 11(6) (Response and recovery) to ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails, and duly considers the potential impact of the insolvency, or other failures, of any relevant ICT third-party service provider and, where relevant, the political risks in the respective providers’ jurisdictions;
  • specify further the components of the ICT response and recovery plans referred to in Article 11(3) (Response and recovery);
  • specify further the content and format of the report on the review of the ICT risk management framework referred to in Article 6(5) (ICT risk management framework).

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks (26 January 2024)

Update 25 June 2024: Commission Delegated Regulation (EU) 2024/1774 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework was published in the Official Journal of the EU. In force.

Update 15 May 2025: Corrigendum to Commission Delegated Regulation (EU) 2024/1774 was published in the Official Journal of the EU. The corrigendum modifies Article 22 (ICT-related incident management policy), first subparagraph, point (d), by replacing the reference to Article 15 of Commission Delegated Regulation (EU) 2024/1774 with a reference to Article 8(2) of Commission Delegated Regulation (EU) 2024/1774.

17 January 2024

Level 2

Simplified ICT risk management framework

ESAs to develop draft regulatory technical standards, in consultation with the European Union Agency on Cybersecurity (ENISA), in order to:

  • specify further the elements to be included in the ICT risk management framework referred to in Article 16(1)(a) (Simplified ICT risk management framework);
  • specify further the elements in relation to systems, protocols and tools to minimise the impact of ICT risk referred to in Article 16(1)(c) (Simplified ICT risk management framework), with a view to ensuring the security of networks, enabling adequate safeguards against intrusions and data misuse and preserving the availability, authenticity, integrity and confidentiality of data;
  • specify further the components of the ICT business continuity plans referred to in Article 16(1)(f) (Simplified ICT risk management framework);
  • specify further the rules on the testing of business continuity plans and ensure the effectiveness of the controls referred to in Article 16(1)(g) (Simplified ICT risk management framework), and ensure that such testing duly takes into account scenarios in which the quality of the provision of a critical or important function deteriorates to an unacceptable level or fails;
  • specify further the content and format of the report on the review of the ICT risk management framework referred to in Article 16(2) (Simplified ICT risk management framework).

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks (26 January 2024)

Update 25 June 2024: Commission Delegated Regulation (EU) 2024/1774 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework was published in the Official Journal of the EU. In force.

Update 15 May 2025: Corrigendum to Commission Delegated Regulation (EU) 2024/1774 was published in the Official Journal of the EU. The corrigendum modifies Article 22(d) (ICT-related incident management policy) by replacing the reference to Article 15 of Commission Delegated Regulation (EU) 2024/1774 with a reference to Article 8(2) of Commission Delegated Regulation (EU) 2024/1774.

17 January 2024

Level 2

Classification of ICT-related incidents and cyber threats

ESAs to develop draft regulatory technical standards, in consultation with the ECB and the European Union Agency on Cybersecurity (ENISA), further specifying:

  • the criteria set out in Article 18(1) (Classification of ICT-related incidents and cyber threats), including materiality thresholds for determining major ICT-related, operational or security payment-related incidents that are subject to the reporting obligation laid down in Article 19(1) (Reporting of major ICT-related incidents and voluntary notification of significant cyber threats);
  • the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related, operational or security payment-related incidents to relevant competent authorities in other Member States, and the details of reports of such incidents to be shared with other competent authorities pursuant to Article 19(6) and (7) (Reporting of major ICT-related incidents and voluntary notification of significant cyber threats);
  • the criteria set out in Article 18(2) (Classification of ICT-related incidents and cyber threats), including high materiality thresholds for determining significant cyber threats.

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks (26 January 2024)

Update 25 June 2024: Commission Delegated Regulation (EU) 2024/1772 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents was published in the Official Journal of the EU. In force.

17 January 2024

Level 2

Harmonisation of reporting content and templates

ESAs to develop draft regulatory technical standards, in consultation with the European Union Agency on Cybersecurity (ENISA) and the ECB, in order to:

  • establish the content of the reports for major ICT-related incidents in order to reflect the criteria laid down in Article 18(1) (Classification of ICT-related incidents and cyber threats) and incorporate further elements, such as details for establishing the relevance of the reporting for other Member States and whether it constitutes a major operational or security payment-related incident or not;
  • determine the time limits for the initial notification and for each report referred to in Article 19(4) (Reporting of major ICT-related incidents and voluntary notification of significant cyber threats);
  • establish the content of the notification for significant cyber threats.

Update 20 February 2025: Commission Delegated Regulation (EU) 2025/301 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats was published in the Official Journal of the EU. In force.

ESAs to develop draft implementing technical standards, in consultation with ENISA and the ECB, in order to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident and notify a significant cyber threat.

Update 20 February 2025: Commission Implementing Regulation (EU) 2025/302 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat was published in the Official Journal of the EU. In force.

17 January 2024

Level 2

Managing of ICT third-party risk – general principles

ESAs to develop draft regulatory technical standards to further specify the detailed content of the policy referred to in Article 28(2) (Managing of ICT third-party risk – general principles) in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks (26 January 2024)

Update 26 June 2024: Commission Delegated Regulation (EU) 2024/1773 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers was published in the Official Journal of the EU. In force.

ESAs to develop draft implementing technical standards to establish the standard templates for the purposes of the register of information referred to in Article 28(3) (Managing of ICT third-party risk – general principles), including information common to all contractual arrangements on the use of ICT services.

DORA: first set of final level 2 rules for ICT and third-party risk management and incident reporting frameworks (26 January 2024)

Update 2 December 2024: Commission Implementing Regulation (EU) 2024/2956 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 with regard to standard templates for the register of information was published in the Official Journal of the EU. In force.

Deadline confirmed for reporting DORA’s ICT register (11 December 2024)

17 July 2024

Level 3

Response and recovery

ESAs to develop common guidelines on the estimation of aggregated annual costs and losses referred to in Article 11(10) (Response and recovery).

Update 18 March 2025: Publication of the official EU translations triggered the application date of 19 May 2025.

Update 5 June 2024: Publication of ESA Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. In force.

17 July 2024

Level 2

Advanced testing of ICT tools, systems and processes based on TLPT (threat-led penetration testing)

ESAs to develop draft regulatory technical standards, in agreement with the ECB and in accordance with the TIBER-EU framework, in order to specify:

  • the criteria used for the purpose of the application of Article 26(8), second subparagraph (Advanced testing of ICT tools, systems and processes based on TLPT);
  • the requirements and standards governing the use of internal testers;
  • the requirements in relation to:
    • the scope of TLPT referred to in Article 26(2) (Advanced testing of ICT tools, systems and processes based on TLPT);
    • the testing methodology and approach to be followed for each specific phase of the testing process;
    • the results, closure and remediation stages of the testing;
  • the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition of that testing, in the context of financial entities that operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.

Update 18 June 2025: Commission Delegated Regulation (EU) 2025/1190 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition was published in the Official Journal of the EU. In force.

17 July 2024

Level 2

Managing of ICT third-party risk – key contractual provisions

ESAs to develop draft regulatory technical standards to specify further the elements referred to in Article 30(2)(a) (Managing of ICT third-party risk – key contractual provisions) which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.

Update 2 July 2025: Commission Delegated Regulation (EU) 2025/532 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards (RTS) specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions was published in the Official Journal of the EU. In force.

17 July 2024

Level 2

Designation of critical ICT third-party service providers

EU Commission to adopt a delegated act specifying further the criteria referred to in Article 31(2) (Designation of critical ICT third-party service providers).

Update 30 May 2024: Commission Delegated Regulation (EU) 2024/1502 supplementing Regulation (EU) 2022/2554 by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities was published in the Official Journal of the EU. In force.

17 July 2024

Level 3

Structure of the Oversight Framework for critical ICT third-party service providers

For the purposes of Section II (Oversight framework of critical ICT third-party service providers), ESAs to issue guidelines on cooperation between the ESAs and the competent authorities covering the detailed procedures and conditions for allocation and execution of tasks between competent authorities and the ESAs and the details on the exchanges of information necessary for competent authorities to ensure the follow-up of recommendations addressed to critical ICT third-party service providers pursuant to Article 35(1)(d) (Powers of the Lead Overseer).

Update 6 November 2024: Publication of official EU translations with application date of 17 January 2025.

Update 5 June 2024: Publication of ESA Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities. In force.

17 July 2024

Level 2

Oversight framework for critical ICT third-party service providers – harmonisation of conditions enabling conduct of oversight activities

ESAs to develop draft regulatory technical standards to specify:

  • the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical under Article 31(11) (Designation of critical ICT third-party service providers);
  • the content, structure and format of the information to be submitted, disclosed or reported by ICT third-party service providers pursuant to Article 35(1) (Powers of the Lead Overseer), including the template for providing information on subcontracting arrangements;
  • the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements;
  • the details of the competent authorities’ assessment of the measures taken by critical ICT third-party service providers based on the recommendations of the Lead Overseer pursuant to Article 42(3) (Follow-up by competent authorities).

Update 13 February 2025: Commission Delegated Regulation (EU) 2025/295 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities was published in the Official Journal of the EU. In force.

Update 24 March 2025: Commission Delegated Regulation (EU) 2025/420 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements was published in the Official Journal of the EU. In force.

Update 15 July 2025: ESAs publish Guide on DORA oversight activities. The guide is not legally binding and does not replace the legal requirements laid down in the relevant applicable EU law.

ESAs release guide on DORA oversight of critical third-party providers (23 July 2025)

17 July 2024

Level 2

Oversight fees

EU Commission to adopt a delegated act determining the amount of the fees and the way in which they are to be paid.

Update 30 May 2024: Commission Delegated Regulation (EU) 2024/1505 supplementing Regulation (EU) 2022/2554 by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid was published in the Official Journal of the EU. In force.

17 January 2025

Milestone

Centralisation of reporting of major ICT-related incidents

ESAs to prepare and submit to the EU Parliament, the Council of the EU and the EU Commission a joint report, in consultation with the ECB and the European Union Agency on Cybersecurity (ENISA), assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities.

Update 17 January 2025: Submission of the joint report to the EU Parliament, the Council of the EU and the EU Commission. EU co-legislators to consider the report’s findings for potential future developments in relation to the further centralisation of major ICT-related incident reporting in the financial sector.

17 January 2026

Milestone

Review

EU Commission, after consulting the ESAs and the Committee of European Auditing Oversight Bodies, to carry out a review and submit a report to the EU Parliament and the Council of the EU, accompanied, where appropriate, by a legislative proposal, on the appropriateness of strengthened requirements for statutory auditors and audit firms as regards digital operational resilience, by means of the inclusion of statutory auditors and audit firms in the scope of DORA or by means of amendments to Directive 2006/43/EC.

17 January 2028

Milestone

Review

EU Commission, after consulting the ESAs and the ESRB, as appropriate, to carry out a review and submit a report to the EU Parliament and the Council of the EU, accompanied, where appropriate, by a legislative proposal. The review must include at least the following:

  • the criteria for the designation of critical ICT third-party service providers in accordance with Article 31(2) (Designation of critical ICT third-party service providers);
  • the voluntary nature of the notification of significant cyber threats referred to in Article 19 (Reporting of major ICT-related incidents and voluntary notification of significant cyber threats);
  • the regime referred to in Article 31(12) (Designation of critical ICT third-party service providers) and the powers of the Lead Overseer provided for in Article 35(1)(d)(iv), first indent (Powers of the Lead Overseer), with a view to evaluating the effectiveness of those provisions with regard to ensuring effective oversight of critical ICT third-party service providers established in a third country, and the necessity to establish a subsidiary in the EU;
  • the appropriateness of including in the scope of DORA financial entities referred to in Article 2(3)(e) (Scope) making use of automated sales systems, in light of future market developments on the use of such systems;
  • the functioning and effectiveness of the JON (Joint Oversight Network) in supporting the consistency of the oversight and the efficiency of the exchange of information within the Oversight Framework.