The Commission has recently adopted two additional Regulatory Technical Standards (RTS) in the form of Delegated Regulations, thus completing the process of adopting all eight RTS.
Technical standards will supplement and specify the rules of DORA (Regulation (EU) 2022/2554). From a regulatory perspective, these technical standards are complementary, providing more detailed specifications of specific requirements under DORA.
Delegated Regulation (EU) 2025/1190 details, inter alia, Article 26 of DORA regarding threat-led penetration testing (TLPT). It sets out the criteria for determining whether a financial entity is required to perform TLPT, as well as provisions on the selection of TLPT providers, the scope of testing, stages, and methodology. The Delegated Regulation will enter into force on 8 July 2025.
Delegated Regulation (EU) 2025/532 details, inter alia, the elements in Article 30 of DORA and establishes detailed requirements for financial entities when subcontracting information and communication technology (ICT) services that support critical or important functions. Key provisions include due diligence and risk assessment regarding the use of subcontractors, conditions for subcontracting, and procedures for changing and terminating contracts. The Delegated Regulation will enter into force on 22 July 2025.
The full list of adopted RTS and other DORA-related publications is available here.