Second set of technical regulatory and implementing standards up for consultation

by Regulatory and implementing technical standards

Share this post

The upcoming arrival of the Digital Operational Resilience Act (DORA) on 17 January 2025 will end the fragmentation of legal obligations for ICT processes and security. By then, financial entities will be required to be fully compliant with both DORA and related regulatory technical standards. Some specific parts of DORA still need to be further developed in level 2 and level 3 legislation. These levels represent more detailed rules and elaborations of the obligations set out in the law.

On 8 December, the European regulators (EBA, ESMA, and EIOPA, collectively referred to as the ‘ESAs’) published the second set of draft implementing technical standards. This second set of standards includes four ‘Regulatory Technical Standards’ (RTS), which provide specific technical requirements, one ‘Implementing Technical Standard’ (ITS), aimed at practical implementation, and two ‘Guidelines’ (GL), which serve as interpretative guidance.”

This article zooms in on this second set of regulatory and implementing technical standards flesh out DORA, and have been submitted for consultation.

Regulatory and implementing technical standards

Incident reporting (art. 20 DORA)
RTS and ITS on content, timelines and templates for incident reporting.
The draft RTS regarding the reporting requirements of serious incidents, addresses three topics:

  1. The content of reporting;
  2. The timeframes within which reporting is required for initial, interim and final reports (within 4 hours of classification and less than 24 hours of discovery; within 72 hours of classification; and within 1 month of classification of the incident);
  3. The content of reporting to the regulator of significant cyber threats.

The draft ITS contains an elaboration of the standard forms for the generic reporting requirements and reporting for serious ICT incidents and significant cyber threats.

Cost reporting (art. 11 DORA)
Guidelines on reporting total costs and losses resulting from major incidents.

The draft Guidelines set out how to report on the estimation of total annual costs and losses caused by major ICT-related incidents. The Guidelines introduce reporting on gross costs and losses, financial recoveries and on net costs and losses.

Testing requirements (art. 26 DORA)

RTS on threat-based penetration testing (TLPT)
Art.26 of DORA requires financial entities to conduct advanced testing through TLPT at least every three years. These are the entities that are not covered by the simplified ICT Risk Framework (Art.16), micro enterprises are also excluded. This RTS describes the requirements for these tests.

Sub-outsourcing (art. 30 DORA)

RTS on the sub-outsourcing of critical or important functions
This draft RTS elaborates on the requirements of Art 30(2)(a) on what elements a financial entity should assess in case of sub-outsourcing of ICT services supporting critical or important functions.

Supervision (arts 41 and 32 DORA)

RTS on harmonisation of supervision
GL on supervisory cooperation between ESAs and competent authorities
These last two documents cover cooperation between ESAs and local supervisory authorities, division of tasks and exchange of information.


The publication of these implementing standards marks the start of a public consultation, during which market participants will have the opportunity to comment on the content of the documents until 4 March 2024. The consultation period allows the ESAs to gather and evaluate feedback from the market.

Regulatory Change

After the consultation period, the final versions will be published on 17 July 2024. When they are, they will be incorporated into the Regulatory Change module of our compliance software, Ruler. This new module assists financial organisations in implementing new laws and regulations and incorporates all the requirements of DORA in an accessible way.

The Regulatory Change module helps you to:

  • Identify the applicable DORA requirements;
  • Perform a gap analysis on these requirements;
  • Create action points that can be immediately deployed within the organisation;
  • Monitor your progress and level of compliance via your personal dashboard.

How can Projective Group help?

We help organisations meet the requirements of DORA. For example, by conducting a gap analysis and then helping to ‘close’ the gaps identified. We can also help you create, adapt or review the necessary policies and procedures. Need help becoming DORA compliant? Please feel free to contact us.

Article by Projective Group

More To Explore


Merchant Community Membership

Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?