ESAs launch joint consultation on second batch of policy mandates under the Digital Operational Resilience Act

08/12/2023

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA).

Today’s package includes four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. The consultation runs until 4 March 2024.

Through DORA the ESAs are mandated to jointly develop a total of 13 policy instruments, presented in two batches. This second batch comprises the following:

RTS and ITS on content, timelines and templates on incident reporting
GL on aggregated costs and losses from major incidents
RTS on subcontracting of critical or important functions
RTS on oversight harmonisation
GL on oversight cooperation between ESAs and competent authorities
RTS on threat-led penetration testing (TLPT)

Further information on the draft policy products can be found in the introductory note .

Consultation process

Comments on this consultation can be sent to the ESAs via the consultation page . Please note that the deadline for the submission for comments is 4 March 2024. All contributions received will be published following the end of the consultation, unless requested otherwise.

Public hearing

A public hearing was organised in the form of a webinar on 23 January 2024 from 09:00 to 18:00 CET. The presentation from the webinar can be found here.

Legal basis, background and next steps

DORA, which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities.

The ESAs expect to submit the draft technical standards to the European Commission and issue the guidelines by 17 July 2024.

Related Documents

Date	Reference	Title
08/12/2023	DORA CP	DORA public consultation on the second batch of policy products - overview document
08/12/2023	JC 2023 67	Consultation Paper on draft RTS subcontracting
08/12/2023	JC 2023 68	Consultation Paper on draft GL on costs and losses
08/12/2023	JC 2023 69	Consultation Paper on draft RTS on oversight harmonisation
08/12/2023	JC 2023 70	Consultation Paper on draft RTS and ITS on major incident reporting under DORA
08/12/2023	JC 2023 71	Consultation Paper on draft Guidelines on oversight cooperation
08/12/2023	JC 2023 72	Consultation Paper on draft RTS on TLPT