Interactive Single Rulebook - DORA
- Alan Barry
- Feb 28
- 3 min read
On 20th February, 2025 the Regulatory Technical Standard (RTS) on Major Incident Reporting [EU 2025/301] and the Implementing Technical Standard (ITS) on Major Incident Reporting [EU 2025/302] were published in the Official Journal of the EU.
Earlier this week, both of these legal texts were added to Compliance By Design's Interactive Single Rulebook for DORA.
Compliance By Design's Rulebook now has 9 documents, with a total of 236 pages and 4,211 lines of legal text. The interactive functionality includes the line by line analysis required for Compliance Lineage.
REGULATORY THEME: Digital Operational Resilience
The Digital Operational Resilience Act (DORA) [EU 2022/2554] was the first legal text in the EU's Digital Operational Resilience Regulatory Theme. It is a Regulation (DORA Regulation) which is a Level 1 Legal Text in the EU Single Rulebook.
The DORA Regulation empowered the European Supervisory Authorities (ESAs) to develop 12 Level 2 Legal Texts. In the structure of the EU Single Rulebook, the RTS on Major Incident Reporting is a Level 2 Legal Text, a Commission Delegated Regulation. The ITS on Major Incident Reporting is also a Level 2 Legal Text, a Commission Implementing Regulation.
The 9 Legal Texts, in the DORA Single Rulebook consists of the DORA Regulation (Level 1), 6 Commission Delegated Regulations (Level 2) and 2 Commission Implementing Regulations (Level 2).
There are a further 4 Commission Delegated Regulations in development:
JC 2024 29 Threat Lead Penetration Testing (Article 26(11))
JC 2024 53 Subcontracting (Article 30(5))
JC 2024 35 Harmonising Conditions for Oversight Activities (Article 42(1))
JC 2024 54 Joint Examination Teams (Article 41(1)(c))
The list above includes the Article in the DORA Regulation, that establishes the scope and gives power to the EU Commission, to adopt a Level 2 Commission Delegated Regulation.
A Level 1 Legal Text, in this case the DORA Regulation, is signed by The President of the European Parliament and the President of Council. A Level 2 Legal Text is signed The President of the Commission, after the draft legal text submitted by the ESAs has been reviewed.
In February, the RTS on Threat Lead Penetration Testing was adopted by the EU Commission and is now awaiting publication in the Official Journal, at which point a number will be assigned (EU 2025/####).
The draft RTS on Subcontracting has been rejected by the EU Commission and returned to the ESAs as it went beyond the scope set down in Article 30(5). The ESAs have been asked to resubmit a revised draft within 6 weeks.
NOTE: In addition to the Level 1 and 2 legal texts outlined above that are within the scope of the DORA, there are legal texts required to implement changes to existing EU and Member State laws that require a Directive (a EU Level 1 legal text) and Member State Statutory Instruments (in the case of Ireland). These legal texts are included in Compliance By Design's Rulebook for completeness.
DORA: Completing the Single Rulebook
The DORA Regulation, provided a two year window for the development of the Level 2 legal texts. This work is nearing completion.
The Compliance By Design Rulebook is updated immediately after the publication of the legal text in the EU Official Journal. Based on the drafts for the 4 remaining legal text, it is estimated that there will be 311 pages and in excess of 5,500 lines of text across DORA's 12 legal texts.
Comments