DORA’s latest RTS draft: What we know now and what we can expect looking forward

The Digital Operational Resilience Act, or DORA, is a European Union regulation.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

You likely have the January DORA application date highlighted in your calendar, but now that we are less than six months away from it, the spotlight turns to its Regulatory Technical Standards (RTS) drafts. These drafts are pivotal for staying ahead of DORA's detailed requirements while reducing the administrative burden of compliance.

So, where do we stand today and what do we know so far about the newest RTS draft under DORA? Let’s dive into its key components, implications, and how businesses can leverage technology to remain robust and resilient. 

DORA’s latest RTS draft: Overview and implications

Published on 17 July 2024, DORA's latest batch of RTS and related policy products builds on the first release and includes:

  • RTS on:
    • Reporting major ICT-related incidents and significant cyber threats
    • Harmonization of oversight activities
    • The composition of the Joint Examination Team
    • Threat-led penetration testing (TLPT)
  • ITS to establish the templates for major ICT related incident reporting
  • Guidelines on:
    • Estimating aggregated cost/losses caused by major ICT related incidents
    • Oversight cooperation

Compared with the consultation papers of 8 December 2023, these updates contain several major changes relating to:

  1. ICT-related incident reporting, including:
    • Extended reporting timelines
    • Fewer fields to report
    • Relaxed weekend and public holiday reporting requirements for smaller entities
    • A single aggregated report allowed for entities supervised by one authority
    • Annual costs and losses reporting:
      • Reporting limited to estimated annual gross costs and losses
      • A flexible reference year for financial entities
  2. Threat-led penetration testing, including:
    • Increased transparency and higher thresholds for selecting entities required to undergo TLPT
    • Clarified processes for cooperation in pooled and joint TLPTs
    • More flexibility in the requirements for external/internal testers and threat intelligence providers
    • Extended submission timelines for blue team test reports

What’s next for financial institutions? 

The final RTS drafts and DORA updates won't be officially released until December 2024, leaving teams a one-month turnaround to meet the 17 January 2025 application date. Fortunately, financial institutions can start preparing now with gap identification, gap analysis, and proactive mapping of their controls against the RTS drafts.

DORA mandates that financial entities ensure the operational resilience of all of their ICT systems, including the resilience of services supplied by third parties. With six months to go, establishing the transparency DORA requires around third-party providers will be critical. Companies can get ahead by:

  1. Identifying and assessing those critical functions (BIA/PNA)
  2. Engaging in third-party mapping (i.e., understanding the role each third party plays in your business and which critical functions depend on it)
  3. Creating a register of information

It can be a lot to keep track of, which is where automated compliance technology steps in to help relieve some stress, automating updates and ensuring adherence to new regulatory requirements. Some platforms even have the RTS draft content pre-configured into the platform so teams can start mapping today. 

Ensuring DORA compliance ahead of the deadline 

Leveraging technology to start your control mapping today can be the difference between meeting the tight turnaround times and avoiding penalties, or falling short. Besides significantly reducing the manual effort required, an automated system can track changes in DORA's RTS drafts as they are published and integrate them into your existing processes. This not only speeds up your compliance work but also reduces the scope for human error and provides consistent monitoring and implementation.

Want to continue the conversation on which tools and strategies you should have in place to ensure DORA compliance? Join Mitratech’s upcoming webinar, “Ensuring Compliance and Operational Resilience Ahead of the January 2025 DORA Deadline with KPMG,” to master the intricacies of business impact and vendor risk management. 

Further reading:

  1. What is DORA and How Will It Impact You?
  2. 10 FAQ About DORA
  3. Your DORA Checklist
  4. Third-Party Risk Management Checklist