DORA ICT RTS — DORA ICT Risk Management Technical Regulatory Standards
What it is
The DORA ICT RTS specify the technical requirements for ICT risk management, classification of ICT-related incidents, operational resilience testing, and ICT third-party risk management for financial entities.
European Union · Applies since 17 January 2025
Who it binds
Financial entities in scope of the DORA main regulation (EU) 2022/2554, including banks, insurers and payment institutions.
Key obligations
- Detailed ICT risk-management framework requirements per asset category
- ICT incident classification thresholds and reporting formats
- Threat-led penetration testing (TLPT) programme
- Standardised due diligence for ICT third parties and outsourcing registers
How CCI addresses it
DORA-MAST is built on the RTS articles — every scenario, control mapping and resilience measurement traces back to the specific RTS obligation the supervisor expects.
Official source
Commission Delegated Regulation (EU) 2024/1774 and related RTS
https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj
The linked text is the authoritative legal or standards source. CCI maps to it; it is not a CCI publication.