In reference to the earlier article titled “A Closer Look at DORA’s Regulatory and Implementing Technical Standards (RTS/ITS)” as part of our DORA Series, this publication shares the latest developments on the second wave of policy mandates.  



DORA, a comprehensive regulation, extends its scope across more than 20 various financial entities and encompasses a significantly larger number of competent authorities (CAs). Thus, to ensure a proportionate approach, the ESAs (EBA, EIOPA and ESMA) have established a Joint Committee on Digital Operational Resilience. Its purpose is to contribute and coordinate the ESAs' involvement in the EU regulatory procedures pertaining to digital operational resilience. Over 50 authorities, including national entities, the European Central Bank, and ENISA, actively engage in collaborative efforts to develop the policy products mandated by DORA. 

The first wave of technical standards, scheduled for delivery by January 2024, underwent public consultation between June and September 2023.  

In addition to the policy mandates granted to the ESAs through DORA, the ESAs provided technical advice to the European Commission on September 29, 2023. This advice was intended to respond to the request for guidance in aiding the creation of delegated acts that complement the DORA text. Specifically, it aimed to define the criteria essential for designating ICT third-party service providers as critical and establish the corresponding fees for their regulatory supervision. 


Continuing the Journey 

The ESAs launched a joint consultation on second batch of policy mandates on the 8th of December 2023, comprising of four preliminary regulatory technical standards (RTS), a set of initial implementing technical standards (ITS), and two collections of guidelines (GL). These are:  

  • RTS and ITS on content, timelines and templates on incident reporting (Article 20.1) 
  • GL on aggregated costs and losses from major incidents (Article 10) 
  • RTS on subcontracting of critical or important functions (Article 30) 
  • RTS on oversight harmonisation (Article 41) 
  • GL on oversight cooperation between ESAs and competent authorities (Article 32) 
  • RTS on threat-led penetration testing (TLPT) (Article 26) 

The period for the public consultation extends until March 4, 2024. Following this, the ESAs are expected to submit these draft technical standards to the European Commission and issue the final versions by 17 July 2024On January 23, 2024, a webinar formatted as a public hearing is slated to run from 09:00 to 18:00 CET. The ESAs are extending an invitation to interested stakeholders to enroll through registration before the deadline of 16:00 CET on January 19, 2024. 


Do not fall behind 

The deadline for compliance is rapidly approaching. Our advice to all companies in scope is that regardless of your current stage on digital and operational resilience maturity, DORA should encourage you to start or increase your efforts at handling ICT risks. GT can serve as your reliable ally in meeting DORA requirements before the January 2025 deadline.  

Beginning with an initial gap analysis and maturity assessment can serve as an effective starting point. Our DORA Understanding & Readiness Assessment is a service designed to provide your firm with a clear understanding of the requirements. Our team will provide targeted workshops and training to help you navigate the intricacies of the regulation and the technical standards. An assessment of your current operations based on guided interviews and document-based analysis will help our team to understand the key areas of improvement in your compliance journey.   

Based on the results of the readiness assessment, our team may offer recommendations for enhancing your operational resilience and tailoring your compliance roadmap to align with the DORA requirements.   

Whether its conducting thorough assessments aligned with these technical standards or offering continual assistance, we're equipped to steer your business toward adhering to the evolving best practices and regulatory demands of DORA. Let us streamline and enhance your financial entity's management of ICT and cyber risks.