ESAs consult on the first batch of DORA policy products

  • Press Release
  • 19 June 2023

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management. The consultation runs until 11 September 2023.

The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. This regulatory framework covers key areas such as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing and the management of ICT third-party risk.

DORA has mandated the ESAs to jointly develop altogether 13 policy instruments in two batches. The first batch of technical standards, on which the ESAs launched a public consultation today and which are to be submitted by 17 January 2024, are the following:

  • RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
  • RTS on criteria for the classification of ICT-related incidents;
  • ITS to establish the templates for the register of information;
  • RTS to specify the policy on ICT services performed by ICT third-party providers.

Further information on the draft technical standards can be found in the introductory note.

Consultation process

Comments to this consultation can be sent to the ESAs by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 11 September 2023. All contributions received will be published following the end of the consultation, unless requested otherwise. 

A public hearing will be organised in the form of a webinar on 13 July 2023 from 09:00 to 18:00 CET. The ESAs invite interested stakeholders to register using the Registration form by 16:00 CET on 10 July 2023. ​The dial-in details will be communicated to the registered participants in due time. 

Legal basis and next steps

These draft technical standards have been developed in accordance with Articles 15, 16(3), 18(3), 28(9) and 28(10) of DORA (Regulation (EU) 2022/2554). The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024. 


Introductory note

(221.71 KB - PDF) Last update 29 June 2023

Consultation paper on draft RTSs ICT risk management tools methods processes and policies

(1003.19 KB - PDF) Last update 19 June 2023

Consultation paper on draft RTS on classification of ICT incidents

(828.24 KB - PDF) Last update 19 June 2023

Consultation paper on draft ITS on register of information

(1.76 MB - PDF) Last update 19 June 2023

Consultation paper on draft RTS on policy on the use of ICT services regarding CI functions

(567.38 KB - PDF) Last update 19 June 2023

Press contacts

Franca Rosa Congiu