Final pieces of EU legislation on DORA published
In preparation for the entry into force of the Digital Operational Resilience Act (DORA), scheduled for 17 January 2025, the final pieces of EU legislation have now been published. These include the following:
1. Delegated and Implementing Regulations on notifications and reports of major ICT-related incidents and cyber threats under DORA
On 23 October 2024, the European Commission adopted the following Regulations supplementing DORA:
- The Commission Delegated Regulation supplements DORA by specifying the regulatory technical standards (RTS) for the initial notification, as well as intermediate and final reporting, of major ICT-related incidents. It also outlines the content for voluntary notifications of significant cyber threats, as mandated under Article 20(3) of DORA.
- The Commission Implementing Regulation sets out the implementing technical standards (ITS) for DORA, detailing the standard forms, templates, and procedures financial entities must use to report major ICT-related incidents and notify significant cyber threats. This is in line with the mandate under Article 20(4) of DORA, and the Annex to this Implementing Regulation is published separately.
The Delegated Regulation is currently under scrutiny by the Council of the EU and the European Parliament. If there are no objections, it will be published in the Official Journal of the European Union. The Implementing Regulation will be published in the Official Journal without any further scrutiny.
Both regulations will come into effect 20 days after their publication in the Official Journal of the European Union.
2. Delegated Regulation on harmonisation of conditions enabling conduct of oversight activities under DORA
On 25 October 2024, the European Commission adopted a Delegated Regulation supplementing DORA regarding RTS on the harmonisation of conditions enabling the conduct of oversight activities in the EU (C(2024)6913).
Under Article 41(1) of DORA, the ESAs have been tasked with developing the RTS, focusing on areas that significantly affect financial entities and ICT third-party service providers. The draft RTS addresses:
- The information that an ICT third-party service provider must provide when voluntarily applying to be recognised as critical.
- The necessary information that ICT third-party service providers must submit to enable the lead overseer to fulfil its responsibilities. This includes a template for critical ICT third-party service providers to report subcontracting arrangements to the lead overseer, which is available in the Annex to the RTS.
- The process by which competent authorities evaluate the actions taken by Critical Third-Party Providers (CTPPs), following the guidance of the lead overseer.
The RTS will enter into force 20 days after their publication in the Official Journal of the EU. According to the ESAs' final report, the expected date of application of the technical standards is 17 January 2025.
3. Implementing Regulation on standard template for register of information under DORA
On 2 December 2024, Commission Implementing Regulation (EU) 2024/2956 laying down ITS with regard to standard templates for the register of information under Article 28(9) of DORA was published in the Official Journal of the European Union.
Under Article 28(3) of DORA, financial entities are obliged to keep a register that details all contractual arrangements with ICT third-party service providers, ensuring it is regularly updated. The European Supervisory Authorities (ESAs), including the EBA, ESMA, and EIOPA, were tasked with creating draft ITS for the templates of this register, which they submitted to the European Commission in January 2024. However, in September 2024, the Commission rejected these drafts, suggesting that financial entities should be able to use either EU unique identifiers (EUIDs) or legal entity identifiers (LEIs) within the register. Following this, in October 2024, the ESAs expressed their concerns regarding the Commission's proposal to include EUIDs as an identifier, highlighting potential issues with this approach.
The Regulation states that it is based on the draft ITS the ESAs submitted to the Commission. Among other things, the Regulation refers to financial entities using a valid and active LEI or EUID.
The Regulation enters into force on 22 December 2024 (that is, 20 days after publication in the Official Journal of the European Union).
Next steps
If you would like to discuss anything raised in this article, feel free to contact our Financial Regulation team.