Last month, the European Supervisory Authorities (ESAs) launched a consultation package on the first batch of certain draft regulatory technical standards (RTS) and draft implementing technical standards (ITS) on certain aspects of the EU’s Digital Operational Resilience Act, DORA.

You can find more detail in our alert here. The draft technical standards cover:

  • the risk management framework that financial institutions (FIs) are required to introduce
  • classification of ICT related incidents, and the test for classifying an incident as “major”
  • the content of an FI’s policy relating to the contractual arrangements on the use of ICT services supporting critical or important functions
  • ITS to establish the register of third party ICT services that that FIs are required to keep

The deadline for responses to this consultation package is 11 September 2023. The ESAs have made clear that all responses will be published unless requested otherwise. Following this, the final versions of these RTS and ITS are expected to be published in January 2024.

These standards, and the other obligations imposed by DORA, will be important both to FIs and their ICT providers; please contact our DORA leads below for further assistance.


Caitlin is a partner in Baker McKenzie’s Financial Services Regulatory practice group in the London office. Caitlin's practice focuses on advising a range of global financial institutions on complex and high value regulatory matters. She advises banks, major corporates, payment institutions and asset managers on navigating UK and EU financial services regulation. She has particular experience in advising clients on regulatory implementation projects, day-to-day compliance issues, and regulatory issues arising in the context of large-scale transactions. She also expertise in the areas of banking and wholesale financial markets regulation, in particular in the FX and fixed income space, alongside experience advising market infrastructure providers, including major international exchanges, trading platforms, clearing systems and payment services providers, on a variety of compliance issues.


Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.


Sue is a Partner in our Technology practice in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets.