Two delegated acts were published in the Official Journal of the European Union (OJ) in respect of the EU Digital Operational Resilience Act (DORA). These are:
- Commission Delegated Regulation (EU) 2025/301, which comprises regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats.
- Commission Implementing Regulation (EU) 2025/302, which comprises implementing technical standards for the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.
Both sets of technical standards relate to ICT-related incident management, one of the key pillars of the DORA legislation, and are mandated by article 20 of DORA which seeks to harmonise reporting content and templates in relation to ICT-related incidents and cyber threats. The Delegated and Implementing Regulations will enter into force on the twentieth day following their publication in the OJ.
[View source.]
