The DORA requirements consist of 5 main pillars: ICT Risk Management, ICT-Related Incident Reporting, Digital Operational Resilience Testing, Management of ICT Third-Party Risk, Information and Intelligence Sharing.

The Regulatory Technical Standards (RTS) and the Implementing Technical Standards (ITS) provide companies with concrete assistance in implementing the requirements and provisions of the DORA Regulation. The RTS are binding technical standards. They specify the requirements set out in DORA and determine how these are to be implemented in practice. The ITS supplement the RTS by specifying detailed implementation instructions and necessary processes to meet the requirements of the RTS. Just like the RTS, compliance with the ITS is mandatory.

The European Supervisory Authorities (ESAs) are responsible for the design of the two standards, consisting of the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).

The following RTS and ITS are published until now:

• ITS to establish the templates for the Register of information (Art. 28.9)
• RTS on ICT risk management framework (Art. 15)
• RTS on simplified ICT risk management framework (Art. 16)
• RTS on criteria for the classification of major ICT-related incidents (Art. 18.3)
• RTS to specify the policy on ICT services (Art. 28.10)
• ITS to establish the forms, templates and procedures for major ICT-related incident reporting (Art. 20.b)
• RTS on specifying the content and reporting timelines for major ICT-related incidents (Art. 20.a)
• RTS to specify threat led penetration testing (Art. 26.11)
• RTS to specify elements when sub-contracting critical or important functions (Art. 30.5)
• RTS to specify information on oversight conduct (Art. 41)

Register of Information: “The gathered information that documents to the authorities that the organization is in compliance with DORA."

The ROI requires information about: Business Functions (critical functions the financial entities provide), ICT Services (systems) that supports theses business functions, ICT Service Providers (Suppliers) that provide the services, Including their supply chain (Sub-Suppliers), Contractual Agreements (Contracts).

• Business Functions (critical functions the financial entities provide)
• ICT Services (systems) that supports these business functions
• ICT Service Providers (Suppliers) that provide the services
• Including their supply chain (Sub-Suppliers)
• Contractual Agreements (Contracts)

Formalize automates the reporting process, validating data at the time of entry to address common challenges such as missing mandatory fields and unique identifiers. By leveraging advanced validation and error detection tools, Formalize ensures your submissions meet regulatory standards without the pitfalls of manual processes. Furthermore, Formalize’s scalable platform is designed to adapt to evolving regulations, ensuring your compliance process remains future-proof. This flexibility is critical in meeting the iterative requirements set by the ESAs.