The three European Supervisory Authorities (RBA, EIOPA, and ESMA – the ESA) have published a new batch of policy products under the Digital Operational Resilience Act (DORA). The second batch consists of four final draft regulatory technical standards (RTS), a set of Implementing Technical Standards (ITS), as well as two guidelines.

Together, the new batch of policy products aims to boost the digital operational resilience of the EU’s financial sector. The ESAs published the following final draft technical standards: RTS and ITS on the content, format, templates, and timelines for reporting big ICT-related incidents and significant cyber threats;  RTS on the harmonisation of conditions enabling the conduct of the oversight activities; RTS specifying the criteria for determining the composition of the joint examination team;  RTS on threat-led penetration testing (TLPT). At the same time, the guidelines included discuss the estimation of aggregated costs/losses cause by big ICT-related incidents, and oversight cooperation.

What are the next steps for the ESAs? The final draft of the new technical standards and guidelines have been already adopted and submitted to the European Commission. Following this, the EC will start working on the review, and is expected to adopt the new policy products in the upcoming months of 2024. More about DORA The Digital Operational Resilience Act represents a EU regulation originally entered into force in mid-January 2023 and will apply as of mid-January 2025.

It aims to strengthen the IT security of financial entities, including banks, investment companies, and insurances, allowing Europe’s financial sector to remain stable, resilient, and safe in case of severe operational disruption. DORA is needed especially to provide the legal ground for companies to continue delivering financial services, even in the case of cyber attacks and other incidents. .