The trio were issued as European Commission (EC) delegated regulations and published in the Official Journal of the European Union on June 25. They enter into force on the twentieth day following their publication.
Here is a brief outline of what each of the RTSs covers.
| Regulation (EU) | RTS focus |
|---|---|
| 2024/1772 | Classification of ICT-related incidents and cyber threats. Major incidents: materiality thresholds and report details (simply pointing to the DORA requirements on these). |
| 2024/1773 | Content of the policy guiding contractual arrangements with ICT third-party service providers supporting critical or important functions. |
| 2024/1774 | ICT risk management: tools, methods, processes and policies. Simplified ICT risk management framework for small and non-interconnected investment firms and other exempted institutions. |
The standard focusing on the contractual relationships with third-party service providers is particularly important in the short term as work on the policy, as well as any resulting negotiation with vendors, should already be under way at affected organizations.
The requirements of the standard helpfully organize what needs to be considered by firms to ensure that their contractual arrangements with vendors are DORA compliant throughout their lifecycle.
The classification of incidents will almost certainly not be anything new to entities in the financial space, but the finalization of the materiality thresholds is useful at this stage in order to begin to calibrate future reporting procedures.
The longest standard is significant to many practical aspects of DORA requirement implementation because it is focused on ICT risk management within financial institutions and covers key technical details such as:
- ICT asset management;
- encryption and cryptographic controls;
- operations security, including:
  - capacity and performance management;
  - vulnerability and patch management;
  - data and system security;
  - logging;
- network security;
- ICT project and change management, including systems acquisition, development and maintenance.
It also delineates requirements for identity and access controls, incident detection and response, as well as business continuity management.
The simplified ICT risk management framework aimed at small and exempt firms is intended to help ensure that these firms also bolster their resilience to potential disruption and cyber threats.
The coming into force of these technical standards is, of course, another signal of the imminent arrival of DORA as a regulatory regime.