ETSI TR 103 960 V1.1.1 (2025-05)

TECHNICAL REPORT
Cyber Security (CYBER);
Implementation of the
Digital Operational Resilience Act (DORA)

2 ETSI TR 103 960 V1.1.1 (2025-05)

Reference
DTR/CYBER-00110
Keywords
cyber security, resilience, risk management
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.
All rights reserved.
ETSI
3 ETSI TR 103 960 V1.1.1 (2025-05)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 5
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 10
3.1 Terms . 10
3.2 Symbols . 10
3.3 Abbreviations . 10
4 DORA Implementation . 11
4.0 Introduction . 11
4.1 Standards Requirements . 11
4.1.0 Organization and description of the requirements . 11
4.1.1 Proportionality . 11
4.1.2 ICT risk management. 11
4.1.3 Handling, classification and reporting of ICT-related incidents . 13
4.1.4 Digital operational resilience testing including threat-led penetration testing (TLPT) . 14
4.1.5 ICT third-party risk management . 15
4.1.6 Oversight of critical third-party providers (CTTP) . 17
4.1.7 Agreements on the exchange of information and cyber crisis and emergency exercises . 18
4.2 Available standards and tools . 18
4.3 Avoiding duplication . 18
4.3.1 Problem statement . 18
4.3.2 EBA recommendations . 18
4.4 Gaps . 19
4.5 Post-quantum safeguards . 19
4.6 European Commission implementing technical regulations . 19
Annex A: DORA Provisions . 20
A.1 Key Objectives . 20
A.2 Parties subject to DORA . 20
A.3 DORA treatment of standards . 21
A.4 DORA regulatory standards deliverables . 22
A.5 DORA treatment of encryption . 23
Annex B: Non-EU Cybersecurity Regulations for Financial Services . 24
B.1 FS-ISAC Financial Services Information Sharing and Analysis Center . 24
B.2 United States Cybersecurity Regulations for the Sector . 24
B.2.1 FDIC Banker Resource Center for Cybersecurity . 24
B.2.2 FINRA Cybersecurity . 24
B.3 Swiss Financial Sector Cyber Security Centre . 25
Annex C: Bibliography . 26
History . 27
ETSI
4 ETSI TR 103 960 V1.1.1 (2025-05)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The Digital Operational Resilience Act (DORA), came into effect on 16 January 2023, and focuses on the significant
economic and systemic risk posed by the potential disruption of critical ICT systems, e.g. due to technical faults,
operational error, or cybercrime, and becomes effective on 17 Jan 2025 [i.1]. It contains a broad range of measures
aimed at improving the robustness of financial-sector ICT infrastructures, covering both in-house systems and services
outsourced to third-party providers (TPPs). Twelve new mandates to issue eight technical standards, guidelines and
reports were required in 2024. [Annex A] Concurrently with DORA, the Directive on Network and Information
Security (NIS 2), the Directive on the Resilience of Critical Entities (CER) and several other instruments were adopted
and also apply to certain financial-sector entities, specifically credit institutions and operators of financial market
infrastructures, as well as to providers of digital infrastructure and ICT services who serve the financial sector [i.2] to
[i.9].
Responsibility for implementing the DORA, NIS 2 and CER frameworks is assigned to a number of different
authorities, both at member-state and Union level. [i.10] In addition, other countries with strong EU bindings have
instituted requirements similar to DORA and related harmonisation efforts exist. [Annex B] The present document
provides a comprehensive array of related information, including identification of related ETSI Technical Reports and
Specifications related to the eight technical standards.
ETSI
5 ETSI TR 103 960 V1.1.1 (2025-05)
Introduction
As noted by the European Banking Authority [i.11], the European Commission adopted a Digital Finance Package on
24 September 2020, which includes a proposal for a Regulation on "digital operational resilience for the financial
sector" (DORA), accompanied by a Directive [i.1]. The overall objective of the DORA legislative package is to make
sure the financial sector in Europe is able to effectively manage ICT and cybersecurity risk, including when arising
from a third-party provider, and to stay resilient through a severe operational disruption.
The DORA Regulation aims to streamline and upgrade existing rules on:
• ICT Governance and the management of ICT risks (Chapter II);
• the management, classification and reporting of ICT-related incidents (Chapter III);
and to introduce new requirements where gaps exist, particularly with respect to:
• digital operational resilience testing (Chapter IV);
• management of ICT third-party risks and regulation and oversight of 'critical third-party ICT service providers'
(CTPPs) (Chapter V);
• information sharing (Chapter VI); and
• the tools the financial supervisors need to fulfil their mandate to contain financial instability stemming from
those ICT vulnerabilities (Chapter VII).
The DORA Directive is then tasked with amendments to financial services directives to introduce cross-references to
the DORA Regulation and to update empowerments for technical standards. See Annex A.
The first set of final draft technical standards under DORA were released on 17 January 2024 and supplemented
throughout the year [i.34]. DORA came into effect on 17 January 2025. There are six major sets of requirements:
• ICT risk management. "Financial institutions must proactively manage risks associated with information
and communication technology (ICT)" (Chapter II, Articles 5 to 16).
• Handling, classification and reporting of ICT-related incidents. "Financial institutions must promptly
report significant cyber incidents to relevant authorities" (Chapter III, Articles 17 to 23).
• Digital operational resilience testing including threat-led penetration testing (TLPT). "Financial
institutions must regularly test their ICT systems to identify vulnerabilities and ensure preparedness for cyber
threats" (Chapter IV, Articles 24 to 27).
• ICT Third-party risk management. "Financial institutions must conduct due diligence and ongoing
monitoring to ensure third-party compliance with cybersecurity standards" (Chapter V, Section I, Articles 28
to 30).
• Oversight of critical third-party providers (CTTP). "Service providers whose disruption could significantly
impact the financial sector's ability to deliver essential functions based on certain are subject to certain
requirements. CTTPs range from data centres and telecommunication providers to software vendors" (Chapter
V, Section II, Articles 31 to 44).
• Agreements on the exchange of information and cyber crisis and emergency exercises. "Financial
institutions should share insights, threat intelligence, and best practices with peers" (Chapter VI Article 45
and Chapter VII Articles 24 to 49).
Virtually all supervised institutions and companies in the European financial sector are covered by DORA. In addition,
DORA brings together various requirements for institutions and companies in terms of cybersecurity, ICT risks and
digital operational resilience. Entities such as BaFin and the Deutsche Bundesbank are also preparing for DORA - in
particular by adapting supervisory and administrative practices and implementing IT processes and systems within the
framework of DORA [i.54]. The EC also adopted revised rules for the electronic payment services sector [i.55].
ETSI
6 ETSI TR 103 960 V1.1.1 (2025-05)
In early 2025, the European Commission requested revision of a number of the Regulatory Technical Standards and
suggested amendments. The ESAs have undertaken a process of revising the RTS and ITS standards with a timeline
extending through 2025 [i.56].

ETSI
7 ETSI TR 103 960 V1.1.1 (2025-05)
1 Scope
The present document studies the requirements, available standards, tools, and gaps for implementing the DORA
(Regulation (EU) 2022/2554 [i.1]) together with guidance relating to the use of encryption and post-quantum
safeguards.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022
on digital operational resilience for the financial sector and amending Regulations (EC)
No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
(Text with EEA relevance).
[i.2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on
measures for a high common level of cybersecurity across the Union, amending Regulation (EU)
No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2
Directive) (Text with EEA relevance).
[i.3] 2020/0266 (COD), COM(2020) 595 final: "Proposal for a Regulation of the European Parliament
and of the Council on digital operational resilience for the financial sector and amending
Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014".
[i.4] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on
the resilience of critical entities and repealing Council Directive 2008/114/EC (Text with EEA
relevance).
[i.5] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on
ENISA (the European Union Agency for Cybersecurity) and on information and communications
technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity
Act) (Text with EEA relevance).
[i.6] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of
European critical infrastructures and the assessment of the need to improve their protection (Text
with EEA relevance).
[i.7] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on
a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
(Text with EEA relevance).
[i.8] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance).
ETSI
8 ETSI TR 103 960 V1.1.1 (2025-05)
[i.9] Resolution (EC) 13084/1/20: "Council Resolution on Encryption - Security through encryption
and security despite encryption".
[i.10] ESMA, European Securities and Markets Authority, Securities and Markets Stakeholder Group:
"Advice to ESMA, SMSG advice to ESMA on potential practical challenges regarding the
implementation of the Digital Operational Resilience Act".
[i.11] European Banking Authority, Banking Stakeholder Group, GSG own initiative paper on DORA.
[i.12] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying
down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008,
(EU) No 167 /2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and
Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text
with EEA relevance.
[i.13] Proposal for a Directive of the European Parliament and of the Council on adapting non-
contractual civil liability rules to artificial intelligence (AI Liability Directive).
[i.14] Opinion of the European Economic and Social Committee on 'Proposal for a Directive of the
European Parliament and of the Council on adapting non-contractual civil liability rules to
artificial intelligence (AI Liability Directive)'.
[i.15] Digital Services Act: Commission designates first set of Very Large Online Platforms and Search
Engines.
[i.16] ESMA: Consultation on the first batch of Digital Operational Resilience Act (DORA) policy
products.
[i.17] ESMA: Consultation Paper, Technical Standards specifying certain requirements of Markets in
Crypto Assets Regulation (MiCA), 5 October 2023.
[i.18] Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 supplementing
Regulation (EU) 2022/2554 of the European Parliament and of the Council by determining the
amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service
providers and the way in which those fees are to be paid.
[i.19] European Central Bank: "TIBER-EU Framework: How to implement the European framework for
Threat Intelligence-based Ethical Red Teaming".
[i.20] ESMA: "ESMA to put cyber risk as a new Union Strategic Supervisory Priority".
[i.21] ESMA: ESAs joint consultation on second batch of policy mandates under the Digital Operational
Resilience Act From 08 December 2023 to 04 March 2024.
[i.22] ETSI TR 103 305-1: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 1: The Critical Security Controls".
[i.23] ETSI TR 103 305-4: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 4: Facilitation Mechanisms".
[i.24] ETSI TR 103 305-5: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 5: Privacy and personal data protection enhancement".
[i.25] ETSI TR 103 866: "Cyber Security (CYBER); Implementation of the Revised Network and
Information Security (NIS2) Directive applying Critical Security Controls".
[i.26] ETSI TS 103 523-3: "CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport
Security".
[i.27] ETSI EG 203 310: "CYBER; Quantum Computing Impact on security of ICT Systems;
Recommendations on Business Continuity and Algorithm Selection".
[i.28] ETSI TR 103 619: "CYBER; Migration strategies and recommendations to Quantum Safe
schemes".
[i.29] ETSI GR ETI 001: "Encrypted Traffic Integration (ETI); Problem Statement".
ETSI
9 ETSI TR 103 960 V1.1.1 (2025-05)
[i.30] ETSI GR ETI 006: "Encrypted Traffic Integration (ETI); Implementation of the EU Council
Resolution on Encryption".
[i.31] FDIC Banker Resource Center Information Technology (IT) and Cybersecurity.
[i.32] FINA, Cybersecurity.
[i.33] FS-ISAC, Financial Services Information Sharing Analysis Center.
[i.34] EBA, EIOPA, ESMA Final Report JC 2023 83 describes the Draft Regulatory Technical
Standards specifying the criteria for the classification of ICT related incidents, materiality
thresholds for major incidents and significant cyber threats under Regulation (EU) 2022/2554.
[i.35] EBA, EIOPA, ESMA Final Report JC 2023 84 describes the Draft Regulatory Technical
Standards to specify the detailed content of the policy in relation to the contractual arrangements
on the use of ICT services supporting critical or important functions provided by ICT third-party
service providers as mandated by Regulation (EU) 2022/2554.
[i.36] EBA, EIOPA, ESMA Final Report JC 2023 85 describes the Draft Regulatory Technical
Standards on the standard templates for the purposes of the register of information in relation to all
contractual arrangements on the use of ICT services provided by ICT third-party service providers
under Article 28(9) of Regulation (EU) 2022/25544.
[i.37] EBA, EIOPA, ESMA Final Report JC 2023 86 describes the Draft Regulatory Technical
Standards to further harmonise ICT risk management tools, methods, processes and policies as
mandated under Articles 15 and 16(3) of Regulation (EU) 2022/2554.
[i.38] ETSI TR 103 959: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber

Defence; Cloud sector".
[i.39] ETSI TR 103 331: "Cyber Security (CYBER); Structured threat information sharing".
[i.40] ETSI TR 104 034: "Cyber Security (CYBER); Software Bill of Materials (SBOM) Compendium".
[i.41] ESMA: ESAs joint consultation on second batch of policy mandates under the Digital Operational
Resilience Act.
[i.42] EBA: Consultation on Joint draft RTS specifying elements related to threat led penetration tests.
[i.43] FS-ISAC: Preparing for a Post-Quantum World by Managing Cryptographic Risk, March 2023.
[i.44] Cloud Security Alliance: "The State of Cyber Resiliency in Financial Services".
[i.45] EBA: "ESAs published second batch of policy products under DORA".
[i.46] C(2024) 6901 final: Commission Delegated Regulation (EU) …/. of 23.10.2024 supplementing
Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to
regulatory technical standards specifying the content and time limits for the initial notification of,
and intermediate and final report on, major ICT related incidents, and the content of the voluntary
notification for significant cyber threats (Text with EEA relevance).
[i.47] C(2024) 7277 final: Commission Implementing Regulation (EU) …/. of 23.10.2024 laying down
implementing technical standards for the application of Regulation (EU) 2022/2554 of the
European Parliament and of the Council with regard to the standard forms, templates, and
procedures for financial entities to report a major ICT-related incident and to notify a significant
cyber threat (Text with EEA relevance).
[i.48] C(2024) 6913 final: Commission Delegated Regulation (EU) …/. of 24.10.2024 supplementing
Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to
regulatory technical standards on harmonisation of conditions enabling the conduct of the
oversight activities (Text with EEA relevance).
[i.49] Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the
harmonisation of the laws of the Member States relating to the making available on the market of
radio equipment and repealing Directive 1999/5/EC Text with EEA relevance.
ETSI
10 ETSI TR 103 960 V1.1.1 (2025-05)
[i.50] EN 18031-3: "Common security requirements for radio equipment - Part 3: Internet connected
radio equipment processing virtual money or monetary value" (produced by CEN).
[i.51] Payment Card Industry: Data Security Standard, Requirements and Testing Procedures.
[i.52] EBA, EIOPA, ESMA: Report on the feasibility for further centralisation of reporting of major
ICT-related incidents.
[i.53] EBA: The EBA repeals the Guidelines on major incident reporting under the revised Payment
Services Directive.
[i.54] Federal Financial Supervisory Authority (BaFin): DORA - Digital Operational Resilience Act.
[i.55] European Commission: Payment services: revised rules to improve consumer protection and
competition in electronic payments.
[i.56] Cyber Risk GmbH: DORA | Updates, Compliance.
[i.57] ETSI EN 319 401: "Electronic Signatures and Trust Infrastructures (ESI); General Policy
Requirements for Trust Service Providers".
[i.58] ETSI TR 103 990: "Cyber Security (CYBER); Standards mapping and gap analysis against
regulatory expectations".
[i.59] ETSI TS 103 963: "CYBER; Optical Network and Device Security; Security provisions in
transport network devices".
3 Definition of terms, symbols and abbreviations
3.1 Terms
Void.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AI Artificial Intelligence
CER Critical Entities Resilience
DORA Digital Operational Resilience Act
EBA European Banking Authority
EC European Commission
ECB European Central Bank
EIOPA European Insurance and Occupational Pensions Authority
ENISA European Union Agency for Cybersecurity
ESA European Supervisory Agency
ESMA European Securities and Markets Authority
EU European Union
EuID European unique Identifier
FDIC Federal Deposit Insurance Corporation
ICT Information and Communication Technology
IT Information Technology
ITS Implementing Technical Standard
NIS2 Network and Information Security directive 2
PCI DSS Payment Card Industry Data Security Standard
ETSI
11 ETSI TR 103 960 V1.1.1 (2025-05)
RED Radio Equipment Directive
RTS Regulatory Technical Standard(s)
SBOM Software Bill Of Materials
TPP Third-Party Provider
VLOP Very Large Online Platform
4 DORA Implementation
4.0 Introduction
In June 2023, ESMA released a set of Consultation Papers establishing the requirements and related standards. The
consultation period ran to 11 September 2023 [i.16]. The consultation was finalized in 17 January 2024 with the release
of four standards-related reports discussed in clause 4.1 below, [i.34] to [i.37].
4.1 Standards Requirements
4.1.0 Organization and description of the requirements
The chapters are clustered into six groups described below that primarily describe the financial authority standards
developed pursuant to DORA. The considerable complexity of these requirements combined with variants for specific
financial sectors, other EU legislative instrument implementations and the transpositions into EU Member State
versions pose a significant continuing challenge to fully articulating the applicable standards.
In early 2025, the European Commission rejected a number of the Regulatory Technical Standards and suggested
amendments. The ESAs have undertaken a process of revising
...