Chapter II — ICT risk management
Section V — Learning and evolving
Further harmonisation of ICT risk management tools, methods, processes and policies
Summary
Empowers the European Supervisory Authorities (ESAs) to develop regulatory technical standards (RTS) further specifying the elements of the ICT risk management framework. These RTS detail the components of ICT security policies, business continuity management, and audit review requirements.
Key Requirements
1. ESAs develop RTS for ICT risk management framework components
2. RTS specify ICT security policies and procedures details
3. RTS define business continuity management requirements
4. Standards for ICT audit reviews and testing approaches
Detailed Analysis
Article 15 is a delegation article that empowers the European Supervisory Authorities — the EBA, EIOPA, and ESMA — to develop regulatory technical standards (RTS) that provide granular detail on how the ICT risk management framework requirements should be implemented. This two-tier approach (Level 1 regulation + Level 2 technical standards) is standard in EU financial regulation and allows technical requirements to be updated without amending the regulation itself.
The RTS developed under this article cover several critical areas: the specific elements to be included in ICT security policies and procedures, the detailed requirements for business continuity management including testing methodologies, and the standards for ICT audit reviews. These technical standards translate DORA's principle-based requirements into implementable specifications.
The development of RTS by the ESAs involves consultation with industry, which provides financial entities with an opportunity to influence the practical implementation details. However, once finalized, the RTS have the same binding force as the regulation itself and must be complied with within the specified timelines.
For financial entities, Article 15 means that compliance requires monitoring not just the Level 1 DORA text but also the evolving body of RTS. The technical standards may impose specific requirements regarding security control frameworks, testing frequencies, documentation formats, and reporting templates that go beyond what the regulation itself specifies.
Ready to automate compliance with Article 15?
Valendir maps every DORA requirement to actionable controls, evidence, and workflows.