EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplements Regulation (EU) 2022/2554 (DORA) by specifying regulatory technical standards (RTS) that detail ICT risk management tools, methods, processes, and policies for financial entities. This Regulation harmonizes ICT risk management requirements across financial sectors by identifying key elements for both the standard ICT risk management framework and a simplified ICT risk management framework designed for smaller or less complex entities such as small investment firms and certain exempted payment and electronic money institutions. The simplified framework under Article 16 of DORA includes fewer and less detailed requirements but still mandates documented policies, periodic reviews, and controls to preserve data availability, integrity, and confidentiality proportionate to the entity’s risk profile, size, and complexity. The RTS integrates existing European and international ICT security standards to facilitate implementation and supervision, ensuring coherence between the full and simplified frameworks while maintaining operational resilience against ICT risks and cyber threats.
Publication's URL
https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)
- EU Commission Implementing Regulation 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
- EU Commission Delegated Regulation 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats