The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA).
Today’s package includes four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. The consultation runs until 4 March 2024.
Through DORA the ESAs are mandated to jointly develop a total of 13 policy instruments, presented in two batches. This second batch comprises the following:
- RTS and ITS on content, timelines and templates on incident reporting
- GL on aggregated costs and losses from major incidents
- RTS on subcontracting of critical or important functions
- RTS on oversight harmonisation
- GL on oversight cooperation between ESAs and competent authorities
- RTS on threat-led penetration testing (TLPT)
Further information on the draft policy products can be found in the introductory note.
Comments on this consultation can be sent to the ESAs via the consultation page. Please note that the deadline for the submission for comments is 4 March 2024. All contributions received will be published following the end of the consultation, unless requested otherwise.
A public hearing will be organised in the form of a webinar on 23 January 2024 from 09:00 to 18:00 CET. The ESAs invite interested stakeholders to register using the Registration form by 16:00 CET on 19 January 2023. The dial-in details will be communicated to the registered participants in due time.
Legal basis, background and next steps
DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.
The ESAs expect to submit the draft technical standards to the European Commission and issue the guidelines by 17 July 2024.
- Publication date
- 8 December 2023