Regulatory framework under DORA

Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

DORA requirements are divided into five blocks and are specified in detail by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

  • ICT Risk Management Framework (RTS 2024/1774) – establishes common requirements for developing and maintaining an ICT risk management system, including management oversight, ICT asset and incident registers, threat analysis, critical system identification, and resilience and recovery planning. The ITS 2024/2956 defines standard templates for the Register of Information (RoI) to ensure consistency across financial entities.
  • ICT Incident Reporting (RTS 2025/301; ITS 2025/302) – harmonises the classification and reporting of ICT-related incidents and cyber threats. The RTS on incident classification sets materiality thresholds and reporting criteria, while RTS 2025/301 and ITS 2025/302 specify the structure, templates, and procedures for initial, interim, and final incident reports.
  • Operational Resilience Testing (RTS on Operational Resilience Testing Framework) – establishes harmonised and standardised digital operational resilience testing requirements, following a risk-based approach. Entities must apply testing methodologies, assessments, and tools proportionate to their size, business, and risk profile, including threat-led penetration testing (TLPT) for significant institutions.
  • Risk Management of Third-Party ICT Providers (RTS 2024/1773; RTS 2024/1502) – defines the content of policies for contractual arrangements with ICT third-party service providers supporting critical or important functions and sets the criteria for designating critical third-party providers. These RTS strengthen oversight, risk control, and accountability in outsourcing arrangements.
  • European Supervisory Framework (RTS 2024/1505) – defines the EU-level supervisory mechanism for oversight of critical ICT third-party service providers and cooperation among competent authorities.

Requirements and the corresponding RTS and ITS

  • ICT risk management framework – RTS "Risk Management"
  • ICT incident reporting – RTS "Incident Classification"; RTS "Reporting of Significant Incidents"; ITS "Content and Deadlines of Incident Reports"; Guidelines for Calculating ICT Losses
  • Digital resilience testing – RTS "Threat-Driven Intrusion Testing"
  • Risk management of third-party ICT suppliers – ITS "Register of Information"; RTS "Contractual Arrangements on the use of ICT services"; RTS "Requirements for Subcontracting"
  • Framework for the oversight of critical service providers – RTS "Harmonization of Supervision Conditions"

The three European Supervisory Authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority – compile questions and answers to support the consistent and effective application of European Union regulation in the area of financial services. The database of questions and answers on DORA is available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As - EIOPA) and can be navigated by selecting the appropriate filters.

The questions published there are the ones that market participants have most often found confusing. If you cannot find an answer to your question via the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to dora@bank.lv or submit your question via the EIOPA's web resource Joint Q&As – EIOPA.
