DORA Regulatory Technical Standards (RTS) on ICT Risk
01 Executive Summary
The European Supervisory Authorities (ESAs) have published the final Regulatory Technical Standards (RTS) under the Digital Operational Resilience Act (DORA). This paper provides a detailed technical analysis of the RTS, focusing on the specific requirements for ICT risk management frameworks, incident classification thresholds, and third-party contract clauses.
We evaluate the operational challenges of aligning existing security architectures with the RTS criteria. We conclude that implementing automated logging, developing standardized incident reporting workflows, and auditing cloud and blockchain infrastructure providers are critical steps for compliance.
02 Problem Statement
Financial entities face a rapid increase in cyber-attacks and operational disruptions, yet ICT risk management remains fragmented. Traditional risk frameworks lack specific guidelines for evaluating the resilience of modern digital systems, such as cloud hosting platforms and distributed database networks.
Furthermore, classifying major ICT incidents under the RTS requires analyzing multiple criteria simultaneously (such as data loss, service downtime, and geographic impact) within short timeframes, creating operational bottlenecks for compliance teams.
03 Policy Context
Under DORA, the ESAs (EBA, EIOPA, and ESMA) are mandated to develop technical standards that specify the operational requirements for financial entities. The final RTS packages clarify the rules for ICT risk management systems, incident classification, and registers of information for third-party ICT service providers.
These standards establish a harmonized compliance template across the EU, ensuring that banks, insurance companies, and critical service providers follow the same technical guidelines, enhancing the overall resilience of the EU financial system.
04 Analysis & Operational Impact
The RTS imposes detailed requirements on ICT risk management frameworks. Financial entities must document all ICT assets, map their interdependencies, and perform regular vulnerability assessments. For complex systems, this requires automated discovery and logging tools to maintain an up-to-date asset register.
In addition, the incident reporting standards define specific thresholds for major incidents. An incident is classified as major if it affects critical services, causes data corruption, or impacts more than 10% of customers. Once classified, entities must submit initial reports to regulators within 4 hours, requiring predefined escalation playbooks.
Finally, third-party risk management rules mandate that contracts with ICT service providers include specific clauses on access rights, audit permissions, and service level agreements. This requirement forces financial institutions to audit their current cloud, custody, and software vendors for compliance.
05 Policy Recommendations
To align corporate ICT governance with the DORA RTS and ensure operational compliance before audit deadlines, we recommend the following measures:
ICT Resilience Guidelines:
- Integrate automated asset-discovery and vulnerability-scanning tools to maintain an auditable register of all IT and DLT components.
- Build standardized incident classification templates that calculate severity scores automatically based on the RTS criteria.
- Perform regular mock exercises simulating cloud outages and blockchain consensus partitions to test incident response and failover protocols.
06 References & Citations
- ESAs (2024). Final Draft Regulatory Technical Standards on ICT risk management framework and simplified ICT risk management framework.
- European Commission (2023). Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards.
- DCM Core Compliance Guide (2025). Technical Implementation of DORA RTS Incident Classification Frameworks.