On 17 July 2024, the 3 European Supervisory Authorities (ESAs) (the European Banking Authority – EBA, European Insurance and Occupational Pensions Authority – EIOPA and European Securities and Markets Authority – ESMA) published the second batch of policy products under DORA which consists of 4 final draft RTS, one set of ITS and 2 GLs. One set of RTS and ITS specifies the content, format, templates and time limits for reporting major ICT-related incidents and significant cyber threats. The other 3 RTS deal with the harmonisation of conditions enabling the conduct of oversight activities, the criteria to determine the composition of the joint examination team (JET), and elements related to threat-led penetration testing (TLPT). The 2 GLs concern the estimation of aggregated costs/losses caused by major ICT-related incidents and oversight cooperation and information exchange respectively.
The ESAs will submit the final draft RTS to the Commission for adoption. Following their adoption, the RTS will be subject to scrutiny by the European Parliament and the Council and will then be published in the EU Official Journal. The expected date of application of the RTS on the conduct of oversight activities, the criteria to determine the composition of the JET, and elements related to TLPT is 17 January 2025. The Joint GLs will be translated into the official EU languages and published on the ESAs’ websites. The deadline for competent authorities (CAs) to notify whether they comply with the GLs will be 2 months after the publication of the translations. The GLs should apply from 17 January 2025.