Go to content

Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)

Alongside the requirements set out in the Regulation, various topics are further elaborated in Regulatory Technical Standards (RTS). All DORA-related Regulatory Technical Standards (RTS) are listed below. This page further lists all available AFM templates with regard to the DORA-related application and reporting procedures.

ICT risk management


• RTS on ICT Risk Management framework and on simplified ICT Risk Management Framework (artikel 15 en 16(3))

ICT related incidents

RTS on criteria for the classification of ICT-related incidents (artikel 18(3));
RTS and ITS on major incidents reporting (artikel 20(a) en 20(b))

Testing of digital operational resilience

RTS on threat-led penetration testing (TLPT) (artikel 26(11))

Management of ICT risk for third-party providers

RTS to specify the policy on ICT services supporting critical or important functions (artikel 28(1));
ITS on the register of information (artikel 28(9));
RTS on subcontracting ICT services (artikel 30(5))