DORA Compliance

DORA RTS and ITS Requirements: A Practical Guide to Operationalizing Compliance Across Your Organization

Updated 2026-05-18
Key Takeaways: Priverion is a Swiss-hosted GRC platform that maps, tracks, and recertifies every DORA RTS/ITS requirement alongside your existing privacy program.

You've mapped DORA at the regulation level. Now the ESAs have published 20+ RTS and ITS documents with hundreds of granular requirements — and your team is drowning in spreadsheets trying to track them across entities. There's a better way.

DORA's Regulatory Technical Standards and Implementing Technical Standards translate high-level obligations into precise, auditable controls covering ICT risk management, incident reporting, third-party oversight, threat-led penetration testing, and information sharing. For organizations managing compliance across multiple subsidiaries and jurisdictions, the operational complexity multiplies with every entity and jurisdiction added. Priverion gives you one platform to map, assign, track, and recertify every DORA RTS/ITS requirement alongside your existing privacy program — no new tool, no migration, no learning curve.


Trusted by compliance teams across regulated industries

Swiss-hosted · GDPR-compliant · Enterprise-grade encryption · No customer data used for AI training

Trusted by 50+ privacy teams across 14 countries
Industries: Healthcare, Aviation, Energy, Legal, Technology
Customer logos: Zurzach, AXA, Open Medical, Glencore, Pilatus, Liferay, CareerFairy, Voicepoint, Kellerhals Carrard, Aclaris, Avantec, Diakonie Bethanien
Why Teams Are Struggling

The Regulation Was Just the Beginning. The RTS and ITS Are Where Compliance Gets Real.

DORA established the framework, but the real operational burden lives in the delegated and implementing acts. The ESAs have finalized two batches of technical standards specifying exact requirements for ICT risk management frameworks, incident classification and reporting timelines, registers of third-party ICT providers, contractual provisions, and more. For a group entity operating across multiple subsidiaries, each standard must be interpreted, mapped to controls, assigned to owners, and recertified continuously.

Over 20 RTS and ITS documents published

RTS/ITS documents published by the ESAs (EBA, ESMA, EIOPA) as of January 2025. Source: ESA Final Reports on DORA technical standards, Batch 1 (Jan 2024) and Batch 2 (Jul 2024).

Volume and Granularity

Twenty-plus RTS and ITS documents contain hundreds of individual requirements, each with different compliance timelines and reporting formats. No single document gives you a consolidated checklist. Your team is synthesizing regulatory PDFs into operational tasks — manually — across every entity in your group.

How Priverion helps:

Pre-mapped RTS/ITS requirements organized by DORA pillar, assigned to owners across entities, with automated recertification tracking — eliminating the need to build your own consolidated checklist.

47 spreadsheets replaced

Spreadsheets used by one 12-subsidiary enterprise before switching to Priverion. Source: Priverion founding origin story, a Swiss enterprise managing GDPR across 12 subsidiaries.

Multi-Entity Complexity

Each subsidiary may have different ICT infrastructure, different third-party providers, and different risk profiles — but the parent entity needs a consolidated view for supervisory reporting. When the ITS on the register of third-party ICT providers requires a group-wide view, fragmented tools and spreadsheets become a liability, not a workaround.

How Priverion helps:

Cross-entity data mapping and group-wide dashboards give parent companies consolidated supervisory reporting while preserving subsidiary-level granularity. One platform, complete visibility.

60 percent reduction in compliance admin time

Reduction in compliance admin time achieved by an aircraft manufacturer in its first 6 months. Source: aircraft manufacturer customer result, first 6 months on the Priverion platform.

Overlap with Existing Obligations

Many DORA RTS/ITS requirements intersect directly with GDPR — data processing records, DPIAs for ICT systems, third-party processor oversight. Managing them in separate tools creates duplication, inconsistency, and audit risk. Your vendor assessments for GDPR Article 28 and your DORA Chapter V third-party register are assessing the same providers through different lenses.

How Priverion helps:

Your existing ROPA, DPIA/TIA, and vendor risk assessments feed directly into DORA compliance workflows. One assessment, multiple regulatory obligations satisfied — no duplication.

100 percent ROPA recertification rate

ROPA recertification rate achieved by AXA through automated workflows. Source: AXA customer result, fully automated recertification on Priverion.

Recertification and Evidence

Regulators expect ongoing recertification and auditable evidence trails — not point-in-time snapshots. The RTS on ICT risk management frameworks requires documented policies, regular reviews, and evidence that controls are actively maintained. Spreadsheets cannot produce the audit-ready evidence packages supervisory authorities expect.

How Priverion helps:

Automated recertification workflows with complete audit trails. Generate evidence packages for supervisory authorities in minutes, not weeks — the same capability Medtec used to save 200+ hours in ISO 27001 preparation.

Over 200 hours saved

Hours saved by Medtec in ISO 27001 preparation using Priverion. Source: Medtec customer result, ISO 27001 preparation on the Priverion platform.

Resource Constraints

Mid-market financial entities and ICT third-party providers do not have 50-person GRC teams. Yet the RTS and ITS demand the same level of documentation, testing, and oversight as the largest banks. Your compliance team needs a platform that multiplies their capacity — not another tool that adds to their workload.

How Priverion helps:

AI-assisted drafting for DPIAs, risk scoring, and regulatory mapping means your lean team operates at the capacity of a department three times its size. AI assists human decision-making — it never replaces it, and no customer data is used for model training.

Over 200 hours saved on ROPA management

Medtec saved 200+ hours preparing for ISO 27001 — time previously spent manually compiling processing activities across departments.

60 percent reduction in compliance admin time

An aircraft manufacturer achieved a 60% reduction in compliance admin time in the first 6 months — without per-user or per-module pricing surprises.

3 months ahead of schedule on ISO 27001

Medtec accelerated its ISO 27001 certification timeline by 3 months using Priverion's audit-ready evidence packages and automated documentation.

Priverion vs. OneTrust

Enterprise-grade privacy management without the enterprise headache

Mid-market companies don't need a sprawling platform built for Fortune 100 procurement cycles. They need something that works across every subsidiary — on day one.

Priverion

Swiss data sovereignty — by default

Built and hosted in Switzerland. All data processing stays within Swiss infrastructure — no exceptions, no add-on pricing for European residency. In a post-Schrems II world, this isn't a feature. It's a legal foundation.

Operational in weeks, not quarters

A focused UX designed for DPOs and compliance leads who manage real privacy programs — not for consultants who configure platforms. Your team gets productive fast because the interface maps to how privacy work actually happens.

Predictable pricing that scales with you

Priced by number of entities and organizational size — not per user, not per module. Add team members without triggering a budget review. No expansion traps, no surprise invoices.

Everything in one platform

ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, data mapping, AI register — all included. No separate modules to purchase, no feature gating. One login, complete group-wide visibility.

AI that assists, never decides

AI-assisted DPIA drafting, risk scoring, and regulatory mapping — all processed within Swiss infrastructure. Every AI output requires human review before becoming a compliance record. No customer data is used for model training.

Typical enterprise GRC platform

Data residency as an upsell

Most enterprise platforms are US-headquartered with US-primary hosting. European data residency — when available — comes as a premium tier or regional add-on. Your legal team spends cycles validating transfer mechanisms instead of focusing on the actual privacy program.

6-month implementation cycles

Complex platforms require dedicated implementation consultants, multi-phase rollouts, and extensive configuration before your first ROPA is live. For mid-market teams without a 10-person privacy office, that's a timeline — and a budget — that doesn't fit.

Per-user, per-module pricing

Enterprise GRC platforms charge per seat, per module, per capability. Need to add a business unit coordinator? That's another license. Want incident management alongside your ROPA? That's another module. Costs grow unpredictably as your program matures.

Breadth over depth

Many enterprise platforms span ESG, ethics, third-party risk, and more — which sounds impressive until you realize the privacy module is one of fifteen, developed with divided attention. You're paying for a GRC suite when you need a privacy program that actually works across your group.

Black-box automation

AI-powered features with limited transparency about where data is processed, how models are trained, or what level of human oversight exists. When a supervisory authority asks how you arrived at a risk assessment, "the AI decided" isn't an acceptable answer.

How It Works

From Regulatory Text to Operational Control — in One Platform

Priverion doesn't just store your compliance documentation. It structures DORA RTS and ITS requirements into workflows your team can assign, track, recertify, and evidence — across every entity in your group.

Pre-Mapped RTS/ITS Requirements

Every DORA technical standard is broken down into individual requirements, organized by pillar (ICT risk management, incident reporting, third-party oversight, TLPT, information sharing). No more synthesizing regulatory PDFs into spreadsheets. Requirements arrive structured, with plain-language guidance your business units can act on.

Cross-Entity Assignment and Tracking

Assign requirements to specific owners across subsidiaries. Each entity tracks its own compliance status while the parent company maintains a consolidated group-wide view. When a supervisory authority requests your third-party ICT provider register, you generate it from live data — not by chasing twelve business units.

Automated Recertification Cycles

DORA demands ongoing compliance, not one-time assessments. Priverion triggers recertification workflows automatically based on the timelines each RTS specifies. Control owners receive reminders, complete reviews, and the platform logs everything — creating the continuous audit trail regulators expect.

Audit-Ready Evidence Packages

Generate comprehensive evidence packages for supervisory authorities in minutes. Every control assessment, recertification, vendor review, and policy change is timestamped and version-controlled. The same capability that helped Medtec save 200+ hours in ISO 27001 preparation applies directly to DORA readiness.

GDPR and DORA in a Single Workflow

Your GDPR ROPA, DPIAs, and vendor risk assessments already cover significant ground that DORA requires. Priverion maps the overlap so one vendor assessment satisfies both GDPR Article 28 and DORA Chapter V obligations. No duplication, no conflicting records, no compliance silos.

AI-Assisted Regulatory Mapping

AI helps identify which RTS/ITS requirements apply to each entity based on its risk profile, ICT infrastructure, and third-party relationships. Every AI-generated suggestion requires human review before becoming a compliance record. No customer data is used for model training. All processing stays within Swiss infrastructure.

Customer Results

What Happens When Compliance Teams Stop Fighting Their Tools

These organizations replaced fragmented spreadsheets and overpriced platforms with a single privacy program management system. Here's what changed.

"We went from spending the majority of our compliance admin time chasing business units for ROPA updates across multiple subsidiaries to having fully automated recertification. Our DPO now focuses on strategic privacy work instead of spreadsheet maintenance."

60% reduction in compliance admin time — first 6 months

Aircraft manufacturer

Multi-subsidiary aviation manufacturer, Switzerland

"Achieving 100% ROPA recertification seemed impossible when we were managing it manually. With automated workflows, every processing activity is reviewed on schedule — and we have the audit trail to prove it."

100% ROPA recertification rate, fully automated

AXA

Automated recertification across all group entities

"We saved over 200 hours preparing for ISO 27001 — time that would have been spent manually compiling processing activities and generating evidence packages across departments. Priverion accelerated our certification by three months."

200+ hours saved, ISO 27001 certification 3 months ahead of schedule

Medtec

Healthcare technology, Switzerland

Free Download

DORA RTS/ITS Compliance Checklist for Multi-Entity Organizations

Stop cross-referencing regulatory texts across subsidiaries. This checklist maps every DORA RTS and ITS requirement to the privacy and risk workflows you're already managing — so your team knows exactly where the gaps are.

What's inside the checklist:

  • Complete mapping of all 13 RTS and 2 ITS requirements under DORA — plain-language summaries your business units will actually understand
  • Entity-by-entity gap assessment template designed for groups managing compliance across multiple subsidiaries and jurisdictions
  • Cross-reference guide showing where DORA requirements overlap with GDPR, ISO 27001, and NIST — so you're not duplicating work you've already done
  • ICT third-party risk assessment framework aligned with DORA's vendor oversight requirements — ready to plug into your existing vendor management workflow

Free PDF. No demo required. We'll send it to your inbox.

FAQ

Common Questions About DORA RTS/ITS Compliance

Answers for compliance leads evaluating how to operationalize DORA's technical standards across their organization.

What are DORA RTS and ITS requirements?

DORA's Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) are delegated acts published by the European Supervisory Authorities (EBA, ESMA, EIOPA) that translate DORA's high-level obligations into precise, auditable requirements. They cover ICT risk management frameworks, incident classification and reporting, third-party ICT provider registers, contractual provisions, threat-led penetration testing, and information sharing arrangements. As of January 2025, the ESAs have published 20+ RTS and ITS documents across two batches.

Who needs to comply with DORA RTS and ITS?

DORA applies to financial entities including credit institutions, investment firms, insurance undertakings,