The Evolution of DORA
On December 8, 2023, the European Supervisory Authorities (the ESAs) launched a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). On July 17, 2024, the ESAs published the final reports on these policy mandates. The most noteworthy changes for in-scope financial entities emerged across the following areas:
- Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats.
- RTS on threat-led penetration testing (TLPT).
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents.