Final draft of DORA’s second batch of RTS published

At a glance

On 17 July 2024, the three European Supervisory Authorities (ESAs) – comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – released the second batch of the final draft of technical standards under the Digital Operational Resilience Act (DORA).  

The second batch includes four Regulatory Technical Standards (RTSs), one Implementing Technical Standard (ITS)  and two guidelines. Financial entities must comply with the requirements introduced by 17 January 2025.

A closer look

The joint final draft of technical standards include:

• RTS on reporting major ICT-related incidents and significant cyber threats
• RTS on harmonization of oversight activities
• RTS on the composition of the Joint Examination Team (JET)
• RTS on threat-led penetration testing (TLPT)
• ITS to establish the templates for major ICT related incident reporting
• Guidelines on estimating aggregated cost/losses caused by major ICT related Incidents
• Guidelines on oversight cooperation

Comparing this set of requirements for financial entities with the consultation papers published on 8 December 2023, the final draft of RTS reflects the following major changes.

For ICT-related incident reporting:

• Extending the incident reporting timelines
• Reduction in number of fields to be reported
• Relaxing the reporting requirements on weekends and public holidays for smaller financial entities
• Allowing the submission of a single aggregated report for financial entities supervised by a single competent authority
• For the annual costs and losses reporting:
  • Limiting the reporting to the estimation of annual gross costs and losses
  • Bringing flexibility to financial entities in setting the reference year

For Threat-led penetration testing (TLPT):

• Increasing transparency in the criteria and raising thresholds used for selecting certain entities to perform TLPT by default
• Clarifying processes that require extended cooperation between the involved TLPT authorities, in pooled and joint TLPTs
• Introducing flexibility in the requirements for both external and internal testers and threat intelligence providers
• Extending the submission timelines for blue team testing reports

Next steps for financial institutions

Financial institutions should start performing a gap assessment against this final draft set, which is under the European Commission’s review, or revise their implementation design based on the updated requirements.

Next steps for the European Commission

The European Commission will now review the submitted final draft of the technical standards, aiming to adopt these in the coming months.

How Deloitte can help

Whether you need individual solutions or a comprehensive resilience program, we will guide you through every step of your DORA journey.

Our support includes designing and implementing a Digital Operational Resilience Strategy, ICT Risk Management Framework, ICT Third Party Risk Management Framework, TLPT Framework, Digital Operational Resilience Testing Program, Training Program, and Methodology to Identify Critical or Important Function.

Discover how we can support your organization here: Exploring DORA | Deloitte Luxembourg