DORA-related delegated regulations and guidelines
As part of the DORA mandates to develop Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), the three European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), have developed the following documents. The documents were adopted by the European Parliament and published in the Official Journal of the EU.
Guidelines, implementing and delegated acts:
- Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the tools, methodologies, processes and guidelines for ICT risk management and the simplified ICT risk management framework
- Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, the materiality thresholds and the details of notifications of serious incidents
- Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and timelines for the initial, intermediate and final notification of serious ICT-related incidents and the content of the voluntary notification of significant cyber threats
- Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the Guideline on contractual arrangements for the use of ICT services in support of critical or important functions provided by third-party ICT service providers
- Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the information register
- Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the aspects to be identified and assessed by a financial undertaking when subcontracting ICT services in support of critical or important functions
- Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards for the harmonization of the conditions for the performance of monitoring activities
- Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for determining the financial entities required to carry out threat-based penetration testing, the requirements and standards for the use of internal testers, the requirements regarding the scope of testing, the testing methodology and approach for each phase of the testing process, as well as the results, completion and remediation phases of the tests, and the type of supervisory and other relevant cooperation required for the implementation of threat-based penetration tests and the facilitation of mutual recognition of those tests
- Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by establishing the criteria for the classification of third party ICT service providers as critical for financial entities
- Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by setting out the amount of supervisory fees to be levied by the lead supervisory authority on critical third party ICT service providers and the manner of payment of those fees
- Common guidelines on the estimation of aggregated annual costs and losses caused by serious ICT-related incidents in accordance with Regulation (EU) 2022/2554
- Joint guidelines on supervisory cooperation and information sharing between the European Supervisory Authorities (ESAs) and competent authorities under Regulation (EU) 2022/2554
- ESMA News: ESAs publish first set of rules under DORA for ICT and third-party risk management and incident classification
- ESAs published second batch of policy products under DORA
- ESAs published joint Final report on the draft technical standards on subcontracting under DORA
- European Commission: Implementing and delegated acts - DORA
An overview of the documents published in the Official Journal of the EU in connection with DORA can be found here.