DORA RTS: What Financial Institutions Need to Know in 2025

General Counsel

Oct 17, 2025

Why do the RTS matter? In January 2025, the Digital Operational Resilience Act (DORA) officially took effect, changing how European financial institutions manage ICT risk, incidents, and third-party oversight.

While DORA sets the principles, the real work happens in the Regulatory Technical Standards (RTS). These RTS documents, created by the European Supervisory Authorities (ESAs), provide the detailed rules every financial firm must follow.

Think of it this way: DORA tells you what needs to be achieved. The RTS explains how to achieve it.

Understanding the timeline

The rollout of DORA RTS is happening in two waves, each introducing specific obligations.

Phase   | Focus areas                                                                          | Timeline
--------|--------------------------------------------------------------------------------------|-------------------
Batch 1 | Incident reporting, ICT risk management, subcontracting, and register of information | Adopted early 2025
Batch 2 | Resilience testing, information sharing, and additional technical details            | Expected late 2025

Batch 1 sets the foundation for compliance, while Batch 2 focuses on testing and maturity. The best approach is to treat RTS compliance as a continuous process rather than a one-time task.

RTS on subcontracting

Outsourcing ICT services no longer means outsourcing responsibility.

The DORA RTS on subcontracting requires institutions to define who does what, monitor key dependencies, and prepare for the unexpected.
In practice, you will need to:

  • Define clear contractual responsibilities with ICT providers
  • Identify which subcontractors are critical
  • Establish exit strategies for essential services

The final RTS text is more pragmatic than early drafts, but the core idea remains: every financial institution must maintain full visibility of its vendor chain.

At Copla, we built the DORA Register Handler precisely for this. It automates vendor registers, classifications, and regulator-ready XML or CSV exports, making it easier to meet these RTS obligations efficiently.

Incident reporting RTS

The RTS on incident reporting aims to unify how financial entities report ICT disruptions.

Here’s what this means for you:

  • Classify incidents by severity and impact
  • Report within strict deadlines, sometimes as fast as four hours
  • Use standardized templates across the EU

This standardization helps eliminate inconsistencies between member states and gives regulators a clear picture of regional cyber risks.

Copla’s automated workflows pre-fill these reports and align them with the official templates, reducing stress when incidents happen.

Risk management RTS

The RTS on ICT risk management makes one point crystal clear: ICT risk is not only a technical issue but a governance responsibility.

Boards and senior management must:

  • Identify and monitor ICT risks continuously
  • Test resilience regularly
  • Oversee ICT controls at the highest level

This shifts compliance away from annual audits toward continuous oversight. If you already use Copla, the AI CoPilot delivers small weekly tasks to help teams translate policy into consistent action, making resilience part of the company’s rhythm.

Register of information

The Register of Information is often underestimated, but it is central to RTS compliance.

Every financial institution must maintain a comprehensive, standardized record of ICT systems, providers, and subcontractors. The RTS specifies how this register must be formatted and maintained.

You will need to:

  • Use standard formats like XML or CSV
  • Include all ICT dependencies, including indirect ones
  • Keep the register updated and available to regulators on request

Doing this manually is almost impossible. Automation is key. Copla’s register module connects vendor data from multiple systems into a single, real-time view that remains compliant and always ready for inspection.

Accessing the RTS documents

Each RTS is published as a PDF on the websites of the European Commission and the ESAs. They are the reference point for all compliance work.

To stay aligned:

  1. Bookmark the official ESMA RTS page.
  2. Review new releases every month.
  3. Integrate RTS requirements into your governance and vendor playbooks.

Automation can help by syncing the latest obligations directly into your compliance workflows, so your teams don’t have to track changes manually.

Why compliance goes beyond documentation

RTS compliance isn’t just about ticking boxes. It’s about operational strength.

When properly implemented, these standards create real-world resilience by embedding structured routines into daily operations.
The results are tangible:

  • Less downtime during ICT incidents
  • Better vendor accountability
  • More trust from regulators, investors, and customers

In other words, RTS compliance is not bureaucracy. It’s business continuity.

Final thoughts: turning RTS into resilience

The DORA RTS bridge the gap between principle and practice. They define what resilience looks like in action, from subcontractor control to real-time reporting.

At Copla, we’ve built tools that make this translation simple. Our DORA Register Handler, automated reporting, and workflow modules are designed to make compliance an invisible part of your operations.

If you’re still figuring out how to start, remember this: you don’t need a legal degree to handle DORA. You just need the right system that does the heavy lifting while you focus on running your business.


General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.