
Digital COE - Operational Resilience

The first Digital Centre of Excellence is Operational Resilience with a Single Rulebook containing all of the legal texts for DORA [Digital Operational Resilience Act EU 2022/2554]

DORA Design Pack 1.0

Single Rulebook

Release 1.0 will include all of the DORA Level 1 and Level 2 legal texts and is scheduled to coincide with the publication of the final regulation in the EU Official Journal

Digital SOPs

SOP05: ICT Third-party Service Provider Lifecycle Management consisting of 208 Process Activities and 38 Documents connecting Governance Management and Operations

Compliance Matrix

A two-way report that shows every obligation in Articles 28 - 30 and the associated process activity in SOP5: ICT Third-party Service Provider Lifecycle Management

Rules Navigator

Dependency Tree for Articles 28 - 30 that allows you to navigate from an obligation to view all of the connected resources in the Digital COE - process activities, documents and templates

DORA Interactive Single Rulebook

Digital Operational Resilience Act Regulation
[EU 2022/2554]

DORA Regulation with 64 Articles arranged in 9 chapters, effective from 17th January 2023 and applicable from 17th January 2025.

Regulatory Technical Standard [EU 2024/1774]

Specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

Implementing Technical Standard
[EU 2025/302]

Laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.

Commission Delegated Regulation 
[EU 2024/1505]

Establishing the oversight fees to be charged to Critical ICT third-party service providers.

Regulatory Technical Standard
[EU 2025/295]

To harmonize the conditions enabling the conduct of the oversight activities.

Regulatory Technical Standard [EU 2024/1772]

Specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

Implementing Technical Standard
[EU 2024/2956]

Laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to standard templates for the register of information.

Regulatory Technical Standard
[EU 2025/420]

Specifying the criteria for determining the composition of the joint examination team ensuring a balanced participation of staff members from the ESAs and from the relevant competent authorities, their designation, tasks, and working arrangements.

Commission Delegated Regulation 
[EU 2024/1502]

Establishing the criteria for the designation of ICT third-party service providers as critical for financial entities.

Regulatory Technical Standard [EU 2024/1773]

Specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

Regulatory Technical Standard
[Final Report JC 2024 29]

Specifying the criteria used for identifying financial entities required to perform threat-led penetration testing (TLPT), the requirements and standards governing the use of internal testers, the requirements in relation to scope, testing methodology and approach for each phase of the testing, results, closure and remediation stages and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

Regulatory Technical Standard [Final Report JC 2024 53]

Specifying the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.

Regulatory Technical Standard
[EU 2025/301]

Specifying the content of the reports and notifications for major ICT-related incidents and significant cyber threats and the time limits for reporting of these incidents.
