Dejan KosuticThe text of the DORA regulation is pretty lengthy, but nevertheless it doesn’t specify all the requirements — it has prescribed that certain details will be further specified in regulatory technical standards, that are published in the form of Commission Delegated Regulations (CDRs) and Commission Implementing Regulations (CIRs).
Commission Delegated Regulations (CDRs) and Commission Implementing Regulations (CIRs) are regulatory technical standards that specify in more detail certain rules on how DORA will be applied, and can be considered as its appendices.
Commission Delegated Regulations and Commission Implementing Regulations (CIRs) are regulatory technical standards published by the EU Commission that further specify certain rules for DORA — they can be considered as appendices to DORA. Such CDRs and CIRs are proposed by European Supervisory Authorities, and then published by the EU Commission.
Which DORA CDRs and CIRs have been published?
At the time this article was written, the following CDRs and CIRs were published:
- CDR 2024/1502 – The criteria for the designation of ICT third-party service providers as critical for financial entities — related to DORA Article 31
- CDR 2024/1505 – The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid — related to DORA Article 43
- CDR 2024/1772 – The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents — related to DORA Article 18
- CDR 2024/1773 – Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers — related to DORA Article 28
- CDR 2024/1774 – Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework — related to DORA Article 15 and Article 16
- CIR 2024/2956 – Templates for the register of information for contractual arrangements — related to DORA Article 28(9)
- CDR 2025/295 – Information to be provided by ICT third-party service provider — related to DORA Article 41
- CDR 2025/301 – Content and time limits for the initial notification of major ICT-related incidents — related to DORA Article 20
Explanation of DORA CDRs and CIRs
Let’s analyze each of these regulations in more detail:
CDR 2024/1502 – The criteria for the designation of ICT third-party service providers as critical for financial entities specifies:
- European Supervisory Authorities must use a set of criteria to decide whether an ICT third-party service provider is critical.
- Those criteria include: systemic impact, systemic character and importance, criticality or importance of the functions, and degree of sustainability.
See also: Which IT companies need to comply with DORA, and how?
CDR 2024/1505 – The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid specifies:
- Lead Overseers must calculate the oversight fees based on their overall cost of supervision.
- The minimum annual oversight fee is €50,000 per critical ICT third-party service provider.
- Oversight fees are paid once a year.
CDR 2024/1772 – The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents specifies:
- Financial entities need to take into account various aspects of an incident when deciding if it is a major incident.
- Those aspects include: number of clients affected, number of financial counterparts affected, amount of transactions affected, reputational impact, duration and service downtime, geographical spread, data losses, criticality of services affected, and economic impact.
- Financial entities must classify threats, and decide if threats are significant based on several criteria.
CDR 2024/1773 – Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers specifies:
- When creating the policy for contractual arrangements on the use of ICT services, financial entities must take into account overall risk profile and complexity, and include several elements in the policy.
- Elements that must be included in the policy are: governance arrangements, life cycle for the adoption and use of contractual arrangements, risk assessment, due diligence, conflicts of interest, contractual clauses, monitoring of the contractual arrangements, and exit from and termination of the contractual arrangements.
CDR 2024/1774 – Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework specifies:
- A very detailed list of ICT security policies, procedures, protocols, and tools that financial entities need to establish.
- These must cover several areas, including ICT risk management, ICT asset management, encryption and cryptography, ICT operations security, network security, ICT project and change management, physical and environmental security, human resources policy, identity management, access control, ICT-related incident detection and response, ICT business continuity management, and report on the ICT risk management framework review.
- The CDR specifies separate rules for a simplified ICT risk management framework.
CIR 2024/2956 – Templates for the register of information for contractual arrangements specifies:
- How to rank suppliers in the supply chain
- Which information needs to be included in the register of suppliers
- In its annexes, detailed instructions on how to create the register of suppliers
CDR 2025/295 – Information to be provided by ICT third-party service provider specifies:
- Information to be submitted in the application to be designated as critical ICT supplier
- Information from critical ICT third-party service providers after the issuance of recommendations
- Template for providing information on subcontracting arrangements
CDR 2025/301 – Content and time limits for the initial notification of major ICT-related incidents specifies:
- Information to be provided in initial notifications and intermediate and final reports on major ICT-related incidents
- Time limits for the initial notification, and for the intermediate and final reports
- Content of the voluntary notification of significant cyber threats
Upcoming CDRs
Here are some of the CDRs that are in the process of being published:
- Guidelines on oversight cooperation
- Guidelines on the estimation of aggregated costs/losses caused by major ICT-related incidents
- Regulatory technical standards on the harmonization of conditions enabling the execution of the oversight activities
- Regulatory technical standards specifying elements related to threat-led penetration tests
- Regulatory technical standards on the criteria for determining the composition of the joint examination team
So, as you can see, DORA in itself is already pretty specific when it comes to cybersecurity rules, but together with these CDRs and CIRs it becomes very demanding with regard to how cybersecurity needs to be implemented.
To learn more about CDRs, CIRs, and other key aspects of DORA, sign up for free DORA Foundations Course that explains how these RTSs fit into DORA compliance program.
