RTS & ITS – Complete Directory
Overview: 27 Legal Texts in the DORA Ecosystem
The DORA framework consists of the base legal act (Level 1), 12 delegated acts/technical standards (Level 2), and guidelines (Level 3).
Level 1 – Base Legal Acts
| Legal Act | Title | Status |
|---|---|---|
| (EU) 2022/2554 | Digital Operational Resilience Act (DORA) | Applicable since 17.01.2025 |
| (EU) 2022/2556 | DORA Directive (amending existing financial directives) | Applicable since 17.01.2025 |
Level 2 – Package 1 (published 25.06.2024)
| No. | Standard | DORA Article | Pillar | Topic | EUR-Lex |
|---|---|---|---|---|---|
| 1 | RTS (EU) 2024/1774 | Art. 15 | P1 | ICT risk management framework | Link |
| 2 | RTS (EU) 2024/1772 | Art. 18(3) | P2 | Classification of ICT incidents & cyber threats | Link |
| 3 | RTS (EU) 2024/1773 | Art. 28(10) | P4 | Contractual requirements for ICT service providers | Link |
Level 2 – Package 2 (published H2/2024 – H1/2025)
| No. | Standard | DORA Article | Pillar | Topic | EUR-Lex |
|---|---|---|---|---|---|
| 4 | RTS (EU) 2025/301 | Art. 20(1)(a) | P2 | Incident reporting: content & deadlines | Link |
| 5 | ITS (EU) 2025/302 | Art. 20(1)(b) | P2 | Incident reporting: templates & forms | Link |
| 6 | ITS (EU) 2024/2956 | Art. 28(9) | P4 | Information register templates | Link |
| 7 | RTS (EU) 2025/532 | Art. 30(5) | P4 | Subcontracting of critical ICT services | Link |
| 8 | RTS (EU) 2025/1190 | Art. 26(11) | P3 | TLPT requirements | Link |
Level 2 – Oversight Framework
| No. | Standard | DORA Article | Topic | EUR-Lex |
|---|---|---|---|---|
| 9 | Del. Reg. (EU) 2024/1502 | Art. 31(6) | CTPP designation criteria | Link |
| 10 | Del. Reg. (EU) 2024/1505 | Art. 43(2) | CTPP oversight fees | Link |
| 11 | RTS (EU) 2025/295 | Art. 41(1) | Harmonisation of oversight activities | Link |
| 12 | RTS (EU) 2025/420 | Art. 40(2) | JET composition & working arrangements | Link |
Level 3 – Guidelines (Joint Guidelines)
| Identifier | Date | Topic |
|---|---|---|
| JC/GL/2024/34 | 05.06.2024 | Estimation of aggregated costs & losses from ICT incidents |
| JC/GL/2024/36 | 17.07.2024 | ESA cooperation and information sharing in oversight |
Other Documents
| Document | Topic |
|---|---|
| ESA Final Report JC 2024-33 | Explanation of incident reporting RTS/ITS |
| ESA Final Report TLPT | Explanation of TLPT RTS |
| Joint ESA Report | Centralisation of reporting (feasibility study) |
| ESA Oversight Guide | CTPP oversight in JETs (July 2025) |
| CTPP List | 19 designated critical ICT third-party service providers (November 2025) |
Pillar Mapping
P1 (Art. 5-16) → RTS 2024/1774
P2 (Art. 17-23) → RTS 2024/1772 + RTS 2025/301 + ITS 2025/302
P3 (Art. 24-27) → RTS 2025/1190
P4 (Art. 28-44) → RTS 2024/1773 + ITS 2024/2956 + RTS 2025/532
+ Del. Reg. 2024/1502 + Del. Reg. 2024/1505
+ RTS 2025/295 + RTS 2025/420
P5 (Art. 45) → No dedicated RTS/ITSOfficial Sources
| Institution | URL | Topic |
|---|---|---|
| EUR-Lex | DORA Full Text | Base legal act |
| EU Commission | Delegated Acts | Level 2 acts |
| EBA | DORA Page | Banking |
| EIOPA | DORA Page | Insurance |
| ESMA | DORA Page | Securities |
| BaFin | DORA Node | DE supervision |
| ECB | TIBER-EU | Penetration testing |