DORA Library
All DORA regulatory documents in one place. For GRC & DORA program owners: write controls, policies, and audit evidence with defensible citations.
28 regulatory documents
6 thematic pillars
Updated February 2026
Pillars
General Framework & Governance
2
Foundation of DORA. Establishes scope, definitions, responsibilities, and mandates for digital operational resilience across EU financial entities. Sets legal authority and supervisory mechanics.
EU
In Force
1.0
DORA Amending Directive – (EU) 2022/2556
This Directive amends multiple EU financial-services directives to ensure legal clarity and consistency with the digital operational resilience requirements set out in Regulation (EU) 2022/2554 (DORA).
EU
In Force
1.0
DORA Regulation – (EU) 2022/2554
The primary legislative act establishing a unified framework for digital operational resilience across the EU financial sector, aiming to mitigate ICT risks and ensure continuity of critical functions.
ICT Risk Management
2
Defines mandatory ICT risk management framework, controls, governance structures, policies, asset management, and simplified regime for smaller entities.
EU
In Force
Final
ICT Risk Management – RTS (EU) 2024/1774
Regulatory Technical Standards under DORA specifying detailed ICT risk management tools, methods, processes and policies, including ICT security governance, asset management, encryption, operations security, vulnerability and patch management.
EU
Final Draft
Final Report
RTS on ICT Risk Management (Final)
Final draft Regulatory Technical Standards specifying detailed and harmonised requirements for ICT risk management frameworks under DORA, including ICT security policies, access controls, detection and response mechanisms.
ICT Incident Management & Reporting
7
Standardizes classification, reporting timelines, templates, and cost estimation for major ICT incidents and cyber threats across the EU.
EU
In Force
Final
RTS on ICT Incident Reporting Content & Timelines
Regulatory Technical Standards under DORA specifying the harmonised content and reporting timelines for initial notifications, intermediate reports, and final reports of major ICT-related incidents.
EU
In Force
Final
ITS on Incident Reporting Templates
Implementing Technical Standards under Regulation (EU) 2022/2554 (DORA) specifying harmonised templates, data fields, procedures, and secure channels for financial entities to submit reports for major ICT-related incidents.
EU
Final Draft
Final Report
RTS/ITS on Major Incident & Cyber Threat Reporting
Final draft Regulatory and Implementing Technical Standards under DORA specifying harmonised requirements for reporting major ICT-related incidents and notifying significant cyber threats.
EU
Final
GL on Cost & Loss Estimation
Joint Guidelines specifying methodologies and reporting templates for estimating aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554.
EU
In Force
Final
RTS on ICT Incident Classification & Reporting
Regulatory Technical Standards under DORA defining harmonised criteria for classifying ICT-related incidents and cyber threats, setting quantitative and qualitative materiality thresholds for determining major incidents.
EU
Final Draft
Draft RTS
RTS on ICT Incident Classification & Major Incident Thresholds (Final Report)
Final draft Regulatory Technical Standards under DORA specifying harmonised criteria and materiality thresholds for classifying ICT-related incidents, defining major incidents, recurring incidents, and significant cyber threats.
EU
Final
EU Hub Incident Reporting Feasibility Report
Joint feasibility study assessing options for further centralisation of major ICT-related incident reporting under DORA, including baseline, data-sharing, and fully centralised EU Hub scenarios.
Digital Operational Resilience Testing
5
Requirements for threat-led penetration testing (TLPT), including TIBER-EU alignment, tester procurement, purple teaming, and control team governance.
EU
In Force
Final
RTS on Threat-Led Penetration Testing (TLPT)
Regulatory Technical Standards under DORA establishing detailed rules for threat-led penetration testing (TLPT), including criteria for identifying entities subject to testing, governance and organisational requirements.
EU
In Force
TIBER-EU Service Provider Procurement Guidance
Guidance under the TIBER-EU framework describing requirements, selection criteria, and governance considerations for procuring Threat Intelligence Providers and Red Team Testers.
EU
In Force
1.0
TIBER-EU Purple Teaming Guidance
Guidance under the TIBER-EU framework describing requirements, roles, processes, and best practices for conducting purple teaming activities during threat-led penetration testing.
EU
In Force
1.0
TIBER-EU Control Team Guidance
Operational guidance under the TIBER-EU framework describing how financial entities should establish and operate a Control Team responsible for planning, managing, and overseeing TLPT.
EU
Final Draft
Final Report
RTS on TLPT (Final Report)
Final draft Regulatory Technical Standards under DORA specifying detailed requirements for threat-led penetration testing (TLPT), including criteria for identifying entities required to perform TLPT.
ICT Third-Party Risk Management
6
Governs contractual arrangements, due diligence, subcontracting, registers of information, and exit strategies for ICT service providers supporting critical functions.
EU
In Force
1.0
ECB Cloud Outsourcing Guide (2025)
Supervisory guidance from the ECB setting out expectations and observed good practices for banks when outsourcing cloud services, aligned with DORA and related EU prudential requirements.
EU
In Force
Final
RTS on Subcontracting (EU) 2025/532
Regulatory Technical Standards under DORA specifying the elements financial entities must consider when ICT third-party service providers subcontract ICT services supporting critical or important functions.
EU
In Force
Final
ITS Register of Information Templates – (EU) 2024/2956
Implementing Technical Standards under DORA specifying standard templates and completion instructions for the register of information on all contractual arrangements for ICT services.
EU
Final
ESAs Opinion on RoI ITS Rejection (JC 2024 75)
Opinion issued by the ESAs Joint Committee following the European Commission's rejection of the draft ITS on standard templates for the DORA register of information.
EU
In Force
Final
RTS on ICT Third-Party Policy
Regulatory Technical Standards under DORA specifying the detailed requirements for policies governing contractual arrangements with ICT third-party service providers supporting critical or important functions.
EU
Final Draft
Final
Register of Information Templates – ITS (Final Report, JC 2023 85)
Final Report containing draft Implementing Technical Standards under DORA specifying standard templates for the register of information on all contractual arrangements for ICT services.
Oversight Framework
6
Establishes the oversight regime for critical ICT third-party service providers (CTPPs), including designation criteria, fees, joint examination teams, and cooperation mechanisms.
EU
In Force
1.0
List of Designated CTPPs (Union Level) – 18 Nov 2025
Union-level list published in accordance with Article 31(9) of Regulation (EU) 2022/2554 (DORA), setting out the designated critical ICT third-party service providers (CTPPs).
EU
In Force
Final
RTS on Joint Examination Teams (EU) 2025/420
Regulatory Technical Standards under DORA establishing detailed rules for joint examination teams (JETs) supporting the Lead Overseer in the oversight of critical ICT third-party service providers.
EU
In Force
Final
RTS Oversight Harmonisation – (EU) 2025/295
Regulatory Technical Standards under DORA that harmonise the conditions for conducting oversight of critical ICT third-party service providers.
EU
Final
Oversight Cooperation & Information Exchange – JC/GL/2024/36
Joint Committee Guidelines establishing a common operational approach for cooperation and information exchange between the ESAs and competent authorities for the oversight framework of critical ICT TPPs.
EU
In Force
Final
CTPP Designation Criteria – RTS (EU) 2024/1502
Regulatory Technical Standards under DORA establishing the criteria and a two-step assessment approach for designating ICT third-party service providers as critical for financial entities.
EU
In Force
Final
Oversight Fees – RTS (EU) 2024/1505
Regulatory Technical Standards under DORA setting the annual oversight fee framework for critical ICT third-party service providers (CTPPs).