ESAs launch joint consultation on second batch of policy mandates under the Digital Operational Resilience Act

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). Today’s package includes four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. The consultation runs until 4 March 2024.

Through DORA the ESAs are mandated to jointly develop a total of 13 policy instruments, presented in two batches. This second batch comprises the following:

• RTS and ITS on content, timelines and templates on incident reporting
• GL on aggregated costs and losses from major incidents
• RTS on subcontracting of critical or important functions
• RTS on oversight harmonisation
• GL on oversight cooperation between ESAs and competent authorities
• RTS on threat-led penetration testing (TLPT)

Further information on the draft policy products can be found in the introductory note.

Consultation process

Comments on this consultation can be sent to the ESAs via the consultation pages:

• Consultation on Joint draft technical standards on major incident reporting
• Consultation on Joint draft Guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents
• Consultation on Joint draft RTS on subcontracting ICT services supporting critical or important functions
• Consultation on Joint draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities
• Consultation on Joint draft guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities
• Consultation on Joint draft RTS specifying elements related to threat led penetration tests 

Please note that the deadline for the submission for comments is 4 March 2024. All contributions received will be published following the end of the consultation, unless requested otherwise.

Public hearing

A public hearing will be organised in the form of a webinar on 23 January 2024 from 09:00 to 18:00 CET. The ESAs invite interested stakeholders to register using the registration form by 16:00 CET on 19 January 2023. ​The dial-in details will be communicated to the registered participants in due time.

Legal basis, background and next steps

DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.

The ESAs expect to submit the draft technical standards to the European Commission and issue the guidelines by 17 July 2024.