On 17 July 2024, the Joint Committee of the European Supervisory Authorities (ESAs) published their second batch of policy materials under the Regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (DORA), consisting of the following:

• Final report on draft regulatory technical standards (RTS) and implementing technical standards (ITS) on the content, format, templates and timelines for reporting major information and communication technology (ICT) related incidents and significant cyber threats under Article 20 of DORA (JC 2024 33).
• Final report on draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1)(c) of DORA (JC 2024 54). These RTS relate to the criteria for determining the composition of the joint examination team (JET).
• Final report on draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities under Article 41(1) of DORA (JC 2024 35).
• Final report on draft RTS specifying elements related to threat-led penetration tests (TLPT) under Article 26(11) of DORA (JC 2024 29).
• Final report on joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Article 11(11) of DORA (JC 2024 34).
• Final report on joint guidelines on the oversight co-operation and information exchange between the ESAs and the competent authorities under Article 32(7) of DORA (JC 2024 36).

The guidelines have been adopted by the Boards of Supervisors of the three ESAs and the final draft technical standards have been submitted to the European Commission for adoption. The expected date of application of the technical standards and guidelines is 17 January 2025.

The ESAs state that the remaining RTS on subcontracting will be published in due course.