DORA – Legal Bases

Legal Bases

Regulation (EU) 2022/2554 covers the fundamental standards on digital operational resilience for the EU financial sector.

Directive (EU) 2022/2556 amends existing sectoral directives to ensure their consistency with DORA requirements.

The DORA Enforcement Act (DORA-VG), which was passed by the National Council on 03 July 2024, implements the DORA Regulation and amends other Regulations in Austria.

ICT risk management

Delegated Regulation (EU) 2024/1774: ICT risk management tools, methods, processes, and policies

Digital operational resilience testing

Delegated Regulation (EU) 2025/1190: threat-led penetration testing (TLPT)

ICT-related incidents

Guidelines: estimation of aggregated annual costs and losses caused by DORA incidents

Delegated Regulation (EU) 2024/1772: criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents

Delegated Regulation (EU) 2025/301: specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats

Implementing Regulation (EU) 2025/302: reporting details for ICT-related incidents

Report on centralisation of notifications

Management of ICT third-party risk

Implementing Regulation (EU) 2024/2956: standard templates for the register of information
Delegated Regulation (EU) 2024/1773: content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
Delegated Regulation (EU) 2025/532: specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions

Oversight framework of critical ICT third-party service providers

Delegated Regulation (EU) 2024/1502: criteria for designation as CTPPs
Guidelines JC/GL/2024/36 on oversight cooperation and information exchange between the ESAs and the competent authorities
Delegated Regulation (EU) 2025/295: on harmonisation of conditions enabling the conduct of the oversight activities
Delegated Regulation (EU) 2025/420 on Joint Examination Teams
Delegated Regulation (EU) 2024/1505 on CTPP fees

Final drafts in the second wave

The ESAs' final reports for the second wave of draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as Guidelines were published on 17 July 2024:

Final report on GL on oversight cooperation and information exchange between ESAs and competent authorities

Final report on GL on costs and losses caused by major ICT-related incidents

Final report draft RTS on joint examination teams

Final report draft RTS on harmonisation of conditions enabling the conduct of the oversight activities

Final report draft RTS and ITS on incident reporting

Final report draft RTS on threat-led penetration tests

Final report DORA RTS on subcontracting

Second wave of consultations

The public consultations for the second wave of draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) as well as Guidelines ran until 04 March 2024:

CP on draft RTS on subcontracting

CP on draft GL on costs and losses

CP on draft RTS on oversight harmonisation

CP on draft RTS and ITS on major incident reporting under DORA

CP on draft Guidelines on oversight cooperation

CP on draft RTS on TLPT
