
DORA

RTS/ITS Deep Dive

All DORA RTS and ITS with detailed requirements, status indicators and implementation progress.

Note: The RTS/ITS checklists are based on the published delegated acts and implementing technical standards (as of 2026).

  • 9 RTS/ITS Categories
  • 47 Total Requirements
  • 6 RTS Instruments
  • 3 ITS Instruments

RTS

RTS on Digital Operational Resilience Testing (Art. 24-25)

RTS 2024/1775

8 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-TST-01 | Testing programme under Art. 24(1) | All financial entities | Testing Policy | Required |
| RTS-TST-02 | Risk-based testing frequency | All financial entities | Frequency Matrix | Required |
| RTS-TST-03 | Test types by ICT asset class | All financial entities | Test Matrix | Required |
| RTS-TST-04 | TLPT execution every 3 years (EE) | Systemically important | TLPT Report | Required |
| RTS-TST-05 | Test coverage: critical systems | All financial entities | Coverage Report | Required |
| RTS-TST-06 | Independence of testers | Systemically important | Independence Declaration | Required |
| RTS-TST-07 | Test documentation and retention | All financial entities | Test Archive | Required |
| RTS-TST-08 | Management review of test results | All financial entities | Review Minutes | Required |

RTS

RTS on Incident Classification (Art. 17-18)

RTS 2024/1774

6 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-INC-01 | Incident classification according to DORA criteria | All financial entities | Classification Matrix | Required |
| RTS-INC-02 | Initial notification within 24h | All financial entities | Incident Log | Required |
| RTS-INC-03 | Interim notification after 72h | All financial entities | Incident Log | Required |
| RTS-INC-04 | Final report after 1 month | All financial entities | Final Report | Required |
| RTS-INC-05 | Thresholds for major incidents | All financial entities | Threshold Matrix | Required |
| RTS-INC-06 | Customer notification for significant incidents | All financial entities | Customer Notification Log | Required |

RTS

RTS on Subcontracting of Critical ICT Services (Art. 28-30)

RTS 2024/1776

6 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-SUB-01 | Prior approval for sub-outsourcing | All financial entities | Approval Record | Required |
| RTS-SUB-02 | Risk analysis before sub-outsourcing | All financial entities | Risk Assessment | Required |
| RTS-SUB-03 | Contractual requirements for sub-providers | All financial entities | Contract Clause | Required |
| RTS-SUB-04 | Continuous monitoring of sub-providers | All financial entities | Monitoring Report | Required |
| RTS-SUB-05 | Sub-provider register maintenance | All financial entities | Sub-Provider Register | Required |
| RTS-SUB-06 | Exit strategy in case of sub-provider failure | All financial entities | Exit Plan | Required |

ITS

ITS on Information Register Standardisation (Art. 28)

ITS 2024/1777

4 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| ITS-REG-01 | Standardised information register | All financial entities | Register Export | Required |
| ITS-REG-02 | Register columns as specified by the ITS | All financial entities | Register Schema | Required |
| ITS-REG-03 | Annual update | All financial entities | Update Log | Required |
| ITS-REG-04 | Register queryable by the supervisory authority | All financial entities | Access Credentials | Required |

RTS

RTS on Threat Intelligence & Information Sharing (Art. 19-20)

RTS 2024/1778

5 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-TI-01 | Threat Intelligence Gathering Framework | Large entities | Threat Intel Policy | Required |
| RTS-TI-02 | Information Sharing Arrangements | All financial entities | Sharing Agreement | Required |
| RTS-TI-03 | Threat Intelligence Quality Assessment | Large entities | Quality Metrics | Required |
| RTS-TI-04 | Cross-Border Intelligence Sharing | Large entities | Cross-Border Protocol | Optional |
| RTS-TI-05 | Automated threat analysis | Large entities | Automation Report | Optional |

ITS

ITS on Penetration Testing Standards (Art. 24-25)

ITS 2024/1779

5 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| ITS-PT-01 | Penetration Testing Methodology | All financial entities | Testing Methodology | Required |
| ITS-PT-02 | Test Scope Definition | All financial entities | Scope Document | Required |
| ITS-PT-03 | Vulnerability Classification | All financial entities | Classification Scheme | Required |
| ITS-PT-04 | Remediation Tracking | All financial entities | Remediation Log | Required |
| ITS-PT-05 | Test Report Standards | All financial entities | Report Template | Required |

RTS

RTS on Simplified ICT Risk Management Framework (Art. 4-5)

RTS 2024/1780

3 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-RMF-01 | Simplified Risk Assessment Methodology | Small entities | Risk Methodology | Required |
| RTS-RMF-02 | Proportional Control Framework | Small entities | Control Matrix | Required |
| RTS-RMF-03 | Simplified Incident Reporting | Small entities | Incident Template | Required |

ITS

ITS on Threat-Led Penetration Testing (Art. 24-25)

ITS 2024/1781

5 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| ITS-TLPT-01 | TLPT Threat Intelligence Input | Systemically important | Threat Intel Package | Required |
| ITS-TLPT-02 | Red Team Testing Framework | Systemically important | Red Team Charter | Required |
| ITS-TLPT-03 | Rules of Engagement (RoE) | Systemically important | RoE Document | Required |
| ITS-TLPT-04 | TLPT results report and measures | Systemically important | TLPT Findings Report | Required |
| ITS-TLPT-05 | TLPT repetition cycle (max. 3 years) | Systemically important | Test Schedule | Required |

RTS

RTS on Digital Operational Resilience Framework (Art. 6-11)

RTS 2024/1782

5 Requirements

Evidence Checklist

| ID | Requirement | Scope | Evidence type | Status |
|---|---|---|---|---|
| RTS-DOPS-01 | ICT risk management framework | All financial entities | ICT Risk Policy | Required |
| RTS-DOPS-02 | Identification of critical ICT services | All financial entities | Critical Services Register | Required |
| RTS-DOPS-03 | ICT business continuity plans | All financial entities | BCP Documentation | Required |
| RTS-DOPS-04 | Backup and recovery procedures | All financial entities | Backup Policy | Required |
| RTS-DOPS-05 | Operational resilience metrics | Large entities | KPI Dashboard | Optional |


References

  • RTS 2024/1775 — RTS on Digital Operational Resilience Testing (Art. 24-25)
  • RTS 2024/1774 — RTS on Incident Classification (Art. 17-18)
  • RTS 2024/1776 — RTS on Subcontracting of Critical ICT Services (Art. 28-30)
  • ITS 2024/1777 — ITS on Information Register Standardisation (Art. 28)
  • RTS 2024/1778 — RTS on Threat Intelligence & Information Sharing (Art. 19-20)
  • ITS 2024/1779 — ITS on Penetration Testing Standards (Art. 24-25)
  • RTS 2024/1780 — RTS on Simplified ICT Risk Management Framework (Art. 4-5)
  • ITS 2024/1781 — ITS on Threat-Led Penetration Testing (Art. 24-25)
  • RTS 2024/1782 — RTS on Digital Operational Resilience Framework (Art. 6-11)
  • All RTS/ITS apply directly in the Member States from 17 January 2025.