
Final pieces of DORA rulebook fall into place

In the last couple of years EU financial entities have been busy implementing the Digital Operational Resilience Act. DORA started to apply in January 2025 but detailed rules on subcontracting and threat-led penetration testing remained outstanding. Those technical standards have recently been made law, meaning that the DORA framework is now complete.

Subcontracting RTS

The regulatory technical standards on subcontracting have now been published in the Official Journal of the EU and take effect on 22 July 2025.

The text is unchanged from the version adopted by the European Commission earlier this year (see our blogpost: Subcontracting rule changes agreed, clearing path towards finalised DORA rulebook).

TLPT RTS

Regulatory technical standards on TLPT have also been added to the Official Journal and take effect on 8 July 2025. Again, the text is unchanged from the version that the Commission had previously adopted.

DORA goes on…

The DORA story is not over. Now that the rulebook is finalised, attention turns to:

  • Embedding DORA as business as usual (BAU), including reviewing contracts, updating registers and reporting ICT- and payments-related incidents to regulators
  • Monitoring how DORA is supervised and enforced by different regulators
  • Responding to the EBA’s consultation on guidelines for third party arrangements
  • Engaging with ESMA’s principles on third party risks
  • Awaiting the ECB’s final policy on cloud outsourcing
  • Preparing for new UK rules on operational incident and third party reporting
  • Designation of service providers as critical under the DORA oversight regime and the UK critical third parties regime
