DORA level 2 measures - overview PDF
Consolidated map of level 2 acts published under DORA.
- Regulation: DORA
- Issuer: European Commission
- Official source: https://finance.ec.europa.eu/document/download/7a2d42d8-4b48-4e2e-9b4c-c4e9107686d1_en?filename=dora-level-2-measures-full_en.pdf
Implementing and Delegated Acts on Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)
| Legal basis | Type of act | List of acts |
|---|---|---|
| Art.15(4), Art.16(3)(4) | RTS | Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework |
| Art.18(4)(3) | RTS | Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents |
| Art.20(3) | RTS | Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats |
| Art.20(4) | ITS | Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat |
| Art.26(11)(4) | RTS | Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the requirements in relation to the scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition |
| Art.28(9) | ITS | Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information |
| Art.28(10)(3) | RTS | Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers |
| Art.30(5)(4) | RTS | Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions |
| Art.31(6) | DAC | Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities |
| Art.41(2)(2) | RTS | Commission Delegated Regulation (EU) 2025/295 of 24 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards on harmonisation of conditions enabling the conduct of the oversight activities |
| Art.41(2)(2) | RTS | Commission Delegated Regulation (EU) 2025/420 of 16 December 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards to specify the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks and working arrangements |
| Art.43(2) | DAC | Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid |
Legend: DAC = Delegated Act, IAC = Implementing Act, ITS = Implementing Technical Standard, RPS = Regulatory Procedure with Scrutiny, RTS = Regulatory Technical Standard