bmad-plus 0.4.4 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md

@@ -0,0 +1,297 @@
+# DORA — Incident Management, Classification and Reporting Reference
+
+Chapter III, Articles 17–23, Regulation (EU) 2022/2554.
+Key implementing measures: CDR (EU) 2024/1772, CDR (EU) 2025/301, CIR (EU) 2025/302.
+
+---
+
+## Art. 17 — ICT-Related Incident Management Process
+
+Financial entities must establish and implement a **documented ICT-related incident
+management process** as part of their overall ICT risk management framework.
+
+### Minimum elements (Art. 17(1)):
+- **(a)** Procedures for detecting, managing, and notifying ICT-related incidents
+- **(b)** Criteria and thresholds for classifying incidents as major (aligned
+  with CDR (EU) 2024/1772)
+- **(c)** Escalation procedures — who is notified when, including senior management
+  and the board
+- **(d)** Roles and responsibilities of ICT incident response staff
+- **(e)** Communication procedures for internal escalation and external reporting
+
+### Senior management involvement (Art. 17(3)):
+- Major ICT-related incidents must be reported to **senior management**
+- The management body (board) must be **informed** of major incidents
+- The board must have oversight of the entity's exposure to ICT risks
+
+### Customer communication (Art. 17(4)):
+- Financial entities must promptly communicate to clients about major ICT incidents
+  that may affect their financial interests
+- Must include details of measures taken and, where known, estimated recovery time
+
+---
+
+## Art. 18 — Classification of ICT-Related Incidents
+
+### Step 1: Is the incident ICT-related?
+
+An **ICT-related incident** is any unplanned event that compromises the security
+of network and information systems, and has an adverse impact on the availability,
+authenticity, integrity or confidentiality of data, or on the services provided
+by the financial entity.
+
+A **cyber threat** is any potential circumstance, event or action that could harm
+systems, data, or services (even without having materialized yet).
+
+### Step 2: Apply the classification criteria (Art. 18(1))
+
+| Criterion | Description | Materiality threshold (CDR 2024/1772) |
+|-----------|-------------|--------------------------------------|
+| (a) Clients and transactions | Number of clients affected; value of impacted transactions | ≥ 10% of clients OR > 5,000 clients; value thresholds by entity type |
+| (b) Reputational impact | Public media coverage; regulatory attention; reputational damage | Significant negative press coverage likely; regulatory inquiry expected |
+| (c) Duration and geographic spread | Hours/days of disruption; number of Member States affected | ≥ 2 hours for critical services; multi-Member State impact |
+| (d) Data losses | Loss of availability, authenticity, integrity or confidentiality | Any loss of client data integrity or confidentiality; availability loss ≥ 2h |
+| (e) Criticality of services | Impact on critical or important functions | Critical function impacted |
+| (f) Economic impact | Direct and indirect financial losses | To be set by ESAs per entity type and size |
+
+**Classification logic:** An incident is **major** if it meets or exceeds
+**any single threshold** from CDR (EU) 2024/1772 (OR logic, not AND logic).
+
+### Step 3: Major or non-major?
+
+| Classification | Consequence |
+|----------------|-------------|
+| **Major ICT-related incident** | Three-stage regulatory reporting to competent authority (Art. 19) + internal escalation to board |
+| **Non-major ICT-related incident** | Internal incident management process only; no regulatory reporting obligation |
+| **Significant cyber threat** | Voluntary notification to competent authority under Art. 19(2) encouraged |
+
+---
+
+## Art. 19 — Reporting of Major ICT-Related Incidents
+
+### Three-Stage Reporting Timeline
+
+| Stage | Deadline | Trigger | Key Content |
+|-------|----------|---------|-------------|
+| **Initial notification** | Within **4 hours** of classification as major | From the moment the entity classifies the incident as major | Incident type; initial impact; functions affected; preliminary recovery estimate |
+| **Intermediate report** | Within **72 hours** of classification | From the same moment as the 4h clock | Updated impact; root cause indications; measures taken; updated recovery estimate |
+| **Final report** | Within **1 month** of the initial notification | One month after the initial report | Root cause analysis; full impact; lessons learned; measures implemented or planned |
+
+**Time counting:** The clocks start when the incident is **classified as major**,
+not when it is first detected. Entities must establish clear classification criteria
+to avoid uncertainty about when the clock starts.
+
+> **Critical interpretive point:** The 4-hour deadline runs from the moment of
+> **classification as major** (CDR (EU) 2025/301, Art. 3), NOT from the moment of
+> detection. However, entities must not use this to game the timeline — extended
+> triage that delays classification is itself a supervisory risk. The obligation
+> is to classify promptly and report within 4 hours of that classification.
+> Competent authorities may scrutinise delayed classification as evidence of an
+> inadequate incident management process (Art. 17(1)).
+
+### How to Count the 4-Hour Deadline
+
+1. **Detection:** ICT monitoring tools detect anomalous activity
+2. **Triage:** Incident response team investigates — is this an ICT-related incident?
+3. **Classification:** Against CDR 2024/1772 thresholds — major or non-major?
+   — Classification must be made **promptly**; triage should not extend beyond
+   what is operationally necessary to apply the thresholds
+4. **Clock starts:** From the moment of classification as major
+5. **Initial notification:** Must reach competent authority within 4 hours
+
+**Practical implication:** If classification occurs at 22:00 on a Friday, the
+initial notification must still be submitted by 02:00 Saturday. DORA does not
+provide for weekend/business hours exceptions in the 4-hour initial notification.
+
+### Reporting Channel
+
+Reports are submitted to the **home Member State competent authority** using the
+standard templates from **CIR (EU) 2025/302**. The competent authority is:
+
+| Entity type | Competent authority |
+|-------------|-------------------|
+| Credit institutions | National banking supervisory authority (e.g., ECB/SSM for significant institutions; national NCA for less significant) |
+| Investment firms | National securities market authority |
+| Insurance undertakings | National insurance supervisor |
+| Payment institutions / E-money institutions | National payment supervisor |
+| Crypto-asset service providers | National authority per MiCA |
+
+### Cross-Border Incidents
+
+For entities operating in multiple Member States:
+- Report to the **home state** competent authority (Art. 19(1))
+- The home state authority is responsible for forwarding to host state authorities
+  where relevant (Art. 19(5))
+- No obligation to report directly to host state authorities
+
+### Voluntary Notification of Significant Cyber Threats (Art. 19(2))
+
+Financial entities **may voluntarily notify** competent authorities of:
+- Significant cyber threats that have not (yet) materialized into an incident
+- Threats that the entity believes could be of relevance to the financial system
+
+This is encouraged but not mandatory. CDR (EU) 2025/301 and CIR (EU) 2025/302
+provide templates for voluntary notifications.
+
+---
+
+## Art. 20 — Harmonisation of Reporting Content, Timelines and Templates
+
+ESAs adopted two measures:
+
+- **CDR (EU) 2025/301:** Specifies the mandatory content of each report stage
+  and the exact time limits
+- **CIR (EU) 2025/302:** Provides the standard forms and electronic templates
+
+### Content Requirements per Stage (CDR (EU) 2025/301)
+
+**Initial notification (4h report):**
+- Unique incident reference number
+- Reporting entity details (LEI, entity name, entity type)
+- Date and time of incident detection
+- Date and time of classification as major
+- Nature of the incident (cyber attack, system failure, third-party failure, etc.)
+- Affected ICT systems and functions
+- Initial client impact estimate
+- Initial financial impact estimate
+- Measures immediately taken
+
+**Intermediate report (72h report):**
+- Updated version of all initial notification fields
+- Updated root cause assessment (hypothesis or confirmed)
+- Updated client and financial impact
+- Response and recovery measures taken since initial notification
+- Revised recovery time estimate
+- Whether the incident is contained or ongoing
+
+**Final report (1-month report):**
+- Confirmed root cause analysis
+- Final client and financial impact assessment
+- Total duration of the incident (from detection to resolution)
+- Complete timeline of events
+- Description of all response and recovery measures implemented
+- Preventive measures adopted or planned
+- Lessons learned
+- Whether the incident was caused by an ICT third-party service provider
+  (and if so, identification of the TPSP where permitted)
+
+---
+
+## Art. 21 — Centralisation of Reporting
+
+- ESAs are tasked with assessing the feasibility of a **single EU reporting hub**
+  for major ICT incident reports
+- Pending a centralised hub, financial entities report to their national competent
+  authority which coordinates with other authorities
+- Supervisors share incident report information with other relevant authorities
+  (e.g., ECB, ENISA, CERT-EU) where appropriate under Art. 21(3)
+
+---
+
+## Art. 22 — Supervisory Feedback
+
+After receiving a major incident report (any stage), competent authorities:
+- May provide **feedback** to the financial entity, including:
+  - Indicative impact assessment of the incident for the financial system
+  - Relevant anonymised cyber threat intelligence from other entities
+  - Suggested preventive measures or recommendations
+- This is at the supervisor's discretion; financial entities cannot compel
+  supervisory feedback
+
+---
+
+## Art. 23 — Payment-Related Major Incidents
+
+**Applies to:**
+- Credit institutions (for payment services)
+- Payment institutions
+- E-money institutions
+- Account information service providers
+
+**Integration with PSD2:** Art. 23 DORA replaces the pre-DORA payment incident
+reporting obligation under PSD2 Art. 96 for incidents that qualify as **major**
+under DORA. For non-major payment incidents that would previously have triggered
+PSD2 Art. 96 reporting: PSD2 obligations may still apply for those incidents below
+the DORA major threshold — consult your national competent authority on whether
+PSD2 reporting continues for sub-threshold payment incidents.
+
+**Dual-licensed entities:** Credit institutions that also hold payment institution
+authorisation must clarify with their competent authority whether payment-related
+major incidents require reporting to both the banking supervisor (as competent
+authority under DORA) and the payment supervisor. In most Member States, the
+banking supervisor is the single point of receipt and distributes to other
+authorities as needed — but this should be confirmed before an incident occurs.
+
+**Reporting to payment authorities:** For payment-related major incidents, the
+entity reports to its **home payment supervisor** using the DORA templates, which
+include payment-specific fields per CIR (EU) 2025/302 — the ITS provides a
+dedicated payment-incident reporting template aligned with legacy PSD2 Art. 96
+reporting formats.
+
+---
+
+## Incident Management Policy — Minimum Required Elements
+
+A DORA-compliant incident management policy (Art. 17(1)) must include:
+
+1. **Scope:** What constitutes an ICT-related incident for this entity
+2. **Detection procedures:** How incidents are identified (monitoring tools, alerts,
+   staff reports, third-party notifications)
+3. **Triage and classification:** Step-by-step process to assess against CDR
+   2024/1772 criteria; who makes the major/non-major determination
+4. **Escalation matrix:**
+   - Level 1 (non-major): ICT operations team
+   - Level 2 (potential major): CISO and incident commander
+   - Level 3 (confirmed major): Senior management (CEO/CRO) and board notification
+5. **Reporting obligations:** Who is responsible for filing the 4h/72h/1-month
+   reports; templates to use; competent authority contact details
+6. **Client communication:** Timing, channel, and content of client notifications
+7. **Post-incident review:** Trigger criteria; who conducts the review; output
+   requirements (lessons learned, preventive measures)
+8. **Testing:** How and when the incident management process is tested (tabletop
+   exercises, simulations)
+9. **Record retention:** How long incident records are retained (minimum
+   recommended: 5 years)
+
+---
+
+## Incident Classification Decision Tree
+
+```
+Is the event an ICT-related incident?
+(Unplanned event compromising NIS with adverse impact on operations/data)
+│
+├─ NO → Standard IT issue; handle via normal IT operations; no DORA reporting
+│
+└─ YES → Apply CDR 2024/1772 classification criteria
+         │
+         ├─ Does it meet or exceed ANY threshold in CDR 2024/1772?
+         │   (clients affected / transaction value / service duration /
+         │    data loss / critical function impact / economic impact)
+         │
+         ├─ NO → Non-major incident
+         │        → Internal incident management process only
+         │        → No Art. 19 regulatory reporting
+         │        → Document in incident log
+         │
+         └─ YES → Major ICT-related incident
+                  → Escalate to senior management immediately
+                  → Notify board (Art. 17(3))
+                  → Initial report to competent authority within 4 HOURS
+                  → Intermediate report within 72 HOURS
+                  → Final report within 1 MONTH
+                  → Notify affected clients (Art. 17(4))
+```
+
+---
+
+## Common Classification Mistakes
+
+| Mistake | Correct Approach |
+|---------|-----------------|
+| Waiting for root cause before classifying | Classify as major the moment any threshold is met; root cause analysis follows |
+| Treating the 4h clock as a business hours deadline | The 4h deadline runs 24/7/365 |
+| Not classifying a third-party outage as a DORA incident | If a TPSP outage causes an ICT-related incident for the financial entity, the entity must classify and report — it is not the TPSP's obligation to report on the entity's behalf |
+| Only reporting when the incident is resolved | DORA requires reporting while the incident is ongoing; the intermediate and final reports update as information becomes available |
+| Treating a significant cyber threat as non-reportable | Voluntary notification under Art. 19(2) is encouraged |
+| Confusing Art. 17 (process) with Art. 18 (classification) | Art. 17 = the ongoing process; Art. 18 = how to classify a specific event |

package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md

@@ -0,0 +1,306 @@
+# DORA — Adopted RTS and ITS Reference Guide
+
+All Level 2 measures adopted under Regulation (EU) 2022/2554 (DORA).
+Last updated: April 2026.
+
+---
+
+## Overview
+
+DORA empowers the European Supervisory Authorities (EBA, ESMA, EIOPA — collectively
+the ESAs) to develop binding Regulatory Technical Standards (RTS) and Implementing
+Technical Standards (ITS) under Articles 15, 16, 18, 20, 26, 28, 29, 30, 31, 32,
+41, and 43. All key standards were adopted before the DORA application date of
+17 January 2025.
+
+---
+
+## Complete List of Adopted RTS and ITS
+
+### 1. CDR (EU) 2024/1772 — RTS on ICT Incident Classification
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 |
+| DORA basis | Art. 18(3) — classification criteria and materiality thresholds |
+| Published | OJ L, 25 June 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- Defines materiality thresholds for each Art. 18(1) criterion (clients affected,
+  transaction value, data loss, service unavailability, geographic spread)
+- An incident is classified as **major** if any single threshold is met (OR logic)
+- Sets minimum thresholds for "significant cyber threats" that may trigger voluntary
+  reporting under Art. 19(2)
+- Includes specific rules for payment-related incidents (Art. 23)
+
+**Thresholds (indicative — consult the CDR for exact values):**
+- Client impact: ≥ 10% of clients (or >5,000 clients for large entities)
+- Transaction value: depending on institution type and size
+- Service unavailability: ≥ 2 hours for critical services
+- Data integrity/confidentiality: any breach affecting core banking data
+
+---
+
+### 2. CDR (EU) 2024/1773 — RTS on ICT Third-Party Risk Policy
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 |
+| DORA basis | Art. 28(10) — content of the ICT third-party risk policy; Art. 30(5) — contractual provisions |
+| Published | OJ L, 25 June 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- Minimum elements of the ICT third-party risk policy (Art. 28(1) policy)
+- Criteria for distinguishing critical/important functions from non-critical
+- Due diligence requirements before entering ICT service arrangements
+- Detailed requirements for contractual provisions under Art. 30(2):
+  - Service level descriptions and measurable KPIs
+  - Provisions on data location, portability, and return on exit
+  - Audit and access rights (the auditor clause must be specific and exercisable)
+  - Exit strategy and minimum notice period requirements
+  - Sub-contracting provisions and prior consent requirements
+
+---
+
+### 3. CDR (EU) 2024/1774 — RTS on ICT Risk Management Framework
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 |
+| DORA basis | Art. 15 — elements of ICT RMF; Art. 16(3) — simplified framework |
+| Published | OJ L, 25 June 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- Chapter I: Detailed elements of the ICT risk management framework (Art. 6–14):
+  - ICT risk strategy requirements
+  - Minimum content of ICT security policies
+  - ICT asset identification and classification requirements
+  - Protection and prevention controls (logical and physical)
+  - Detection, response, recovery, and backup policy requirements
+  - Learning and communication requirements
+- Chapter II: Simplified ICT risk management framework (Art. 16):
+  - Entity types eligible for the simplified framework
+  - Minimum requirements for simplified framework entities
+  - How to document the simplified framework
+
+---
+
+### 4. CDR (EU) 2025/301 — RTS on Major Incident Reporting
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2025/301 of 18 October 2024 |
+| DORA basis | Art. 20(3) — content, timelines, and format of incident reports |
+| Published | OJ L, 14 February 2025 |
+| Applies from | 17 January 2025 (retroactively applicable) |
+
+**Key content:**
+- Mandatory content of each reporting stage:
+  - **Initial notification (within 4 hours):** Incident reference, entity details,
+    initial classification rationale, estimated client impact, nature of incident
+  - **Intermediate report (within 72 hours):** Updated impact assessment, root cause
+    indicators, response actions taken, recovery time estimate
+  - **Final report (within 1 month):** Root cause analysis, full impact assessment,
+    lessons learned, preventive measures implemented or planned
+- Rules on how to count the 4-hour and 72-hour timelines from classification
+- Provisions for voluntary reporting of significant cyber threats (Art. 19(2))
+
+---
+
+### 5. CIR (EU) 2025/302 — ITS on Incident Reporting Templates
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Implementing Regulation (EU) 2025/302 of 18 October 2024 |
+| DORA basis | Art. 20(4) — standard forms and templates for incident reports |
+| Published | OJ L, 14 February 2025 |
+| Applies from | 17 January 2025 (retroactively applicable) |
+
+**Key content:**
+- Standard templates for all three reporting stages (initial, intermediate, final)
+- **Dedicated payment-incident template** per Art. 23 for credit institutions,
+  payment institutions, and e-money institutions — aligned with legacy PSD2 Art. 96
+  reporting fields
+- Separate template for voluntary cyber threat notifications (Art. 19(2))
+- Electronic submission format requirements
+- Competent authority designation — which authority receives reports for each
+  entity type (home state supervisor as a general rule)
+
+---
+
+### 6. CIR (EU) 2024/2956 — ITS on Register of Information
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Implementing Regulation (EU) 2024/2956 of 20 September 2024 |
+| DORA basis | Art. 28(9) — templates for the Register of Information |
+| Published | OJ L, 11 December 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content — mandatory Register fields:**
+
+The Register of Information (RoI) must capture, for each ICT service arrangement:
+
+| Field Group | Key Fields |
+|-------------|-----------|
+| Entity information | LEI of reporting entity, entity name, entity type |
+| TPSP identification | TPSP LEI, TPSP name, country of establishment |
+| Arrangement details | Unique arrangement reference, arrangement type |
+| Function classification | Critical or important function (Y/N), function description |
+| ICT service description | Type of service (IaaS/PaaS/SaaS/other), specific service description |
+| Data | Types of data processed, storage location (country/region) |
+| Sub-processors | Chain of sub-processors (name, LEI, country) |
+| Contractual terms | Contract start date, contract end date, notice period |
+| Substitutability | Assessment of ease of substitution (high/medium/low) |
+| Exit strategy | Reference to exit strategy document |
+
+**Annual submission:** The RoI is submitted to the competent authority at least
+annually (or upon request). The ESAs aggregate submissions for the oversight framework.
+
+---
+
+### 7. CDR (EU) 2025/1190 — RTS on TLPT
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2025/1190 of 28 February 2025 |
+| DORA basis | Art. 26(11) and Art. 27(9) — TLPT requirements, tester qualifications |
+| Published | OJ L, 18 June 2025 |
+| Applies from | 8 July 2025 |
+
+**Key content:**
+- Criteria for identifying financial entities required to conduct TLPT (Art. 26(8))
+- Scope determination: which functions and ICT systems must be included
+- Role of competent authority in approving TLPT scope and methodology
+- Requirements for the **threat intelligence phase**: accreditation of threat
+  intelligence providers
+- Requirements for **red team testing**: methodology, documentation, attestation
+- **Mutual recognition:** TLPT results recognized across EU jurisdictions for
+  entities operating cross-border — only one test needed (Art. 26(5))
+- Tester qualification requirements per Art. 27:
+  - Independence from the tested entity
+  - Relevant professional certification
+  - Risk methodology capability
+- **TIBER-EU alignment:** The CDR aligns TLPT with the TIBER-EU framework;
+  TIBER-EU tests conducted under the TIBER-EU framework may satisfy DORA
+  TLPT requirements where conditions are met
+
+---
+
+### 8. CDR (EU) 2025/532 — RTS on Subcontracting of ICT Services
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2025/532 |
+| DORA basis | Art. 30(5) — subcontracting provisions |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- When a TPSP subcontracts ICT services supporting critical/important functions,
+  the financial entity must ensure the contract includes:
+  - Prior written consent of the financial entity for sub-contracting chains
+  - Equivalent contractual provisions at sub-processor level
+  - Right to audit the sub-processor (directly or via the TPSP)
+- Conditions under which financial entities may apply pre-approved sub-contracting
+  arrangements (framework sub-contracting clauses)
+- Notification requirements for changes in sub-processors
+
+---
+
+### 9. CDR (EU) 2024/1502 — Designation Criteria for Critical ICT TPSPs
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 |
+| DORA basis | Art. 31(6) — criteria for designation of critical ICT TPSPs |
+| Published | OJ L, 5 June 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content — designation criteria:**
+- **Systemic impact:** Would failure or discontinuation of the TPSP's services
+  cause systemic disruption to the financial system?
+- **Scale:** Number and types of financial entities served; proportion of their
+  ICT needs
+- **Substitutability:** How easily could another TPSP replace the service?
+  (Low substitutability → higher probability of designation)
+- **Interconnectedness:** Does the TPSP's failure trigger cascading effects?
+- **Concentration risk:** Does a large portion of EU financial entities rely
+  on this single TPSP for critical functions?
+
+**Designation process:** ESAs assess all ICT TPSPs that provide services to
+EU financial entities and publish a list of designated CTPPs. TPSPs not
+established in the EU that provide services to EU financial entities must
+designate an EU legal representative (Art. 31(11)).
+
+---
+
+### 10. CDR (EU) 2024/1505 — Oversight Fees for Critical ICT TPSPs
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 |
+| DORA basis | Art. 43(2) — methodology for calculating oversight fees |
+| Published | OJ L, 5 June 2024 |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- Fee methodology: annual oversight fee for designated CTPPs
+- Based on: total worldwide annual net turnover of the CTPSP
+- Fee caps and floors to ensure proportionality
+- Fee collection process via Lead Overseer
+
+---
+
+### 11. CDR (EU) 2025/295 — RTS on Oversight Activities Harmonisation
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2025/295 |
+| DORA basis | Art. 41(7) — harmonisation of oversight activities |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- How Lead Overseers coordinate with Joint Oversight Network (JON)
+- Information sharing between ESAs and national competent authorities
+- Procedures for issuing oversight recommendations
+- Follow-up process for non-compliance with recommendations
+
+---
+
+### 12. CDR (EU) 2025/420 — RTS on Joint Examination Teams (JETs)
+
+| Field | Detail |
+|-------|--------|
+| Full title | Commission Delegated Regulation (EU) 2025/420 |
+| DORA basis | Art. 32 — structure and operation of Joint Examination Teams |
+| Applies from | 17 January 2025 |
+
+**Key content:**
+- Composition of JETs: lead overseer staff + national competent authority experts
+- JET mandate: on-site and off-site examination of designated CTPPs
+- Coordination between JET lead and national experts
+- Reporting of JET findings to Lead Overseer
+
+---
+
+## Quick Reference: DORA Article → RTS/ITS
+
+| DORA Article | Obligation | Implementing Measure |
+|-------------|-----------|---------------------|
+| Art. 15 | ICT RMF detailed elements | CDR (EU) 2024/1774 |
+| Art. 16(3) | Simplified RMF | CDR (EU) 2024/1774 (Ch. II) |
+| Art. 18(3) | Incident classification thresholds | CDR (EU) 2024/1772 |
+| Art. 20(3) | Incident reporting content + timelines | CDR (EU) 2025/301 |
+| Art. 20(4) | Incident reporting templates | CIR (EU) 2025/302 |
+| Art. 26(11) | TLPT requirements | CDR (EU) 2025/1190 |
+| Art. 27(9) | Tester qualifications | CDR (EU) 2025/1190 |
+| Art. 28(9) | Register of Information templates | CIR (EU) 2024/2956 |
+| Art. 28(10) + 30(5) | ICT third-party risk policy + contracts | CDR (EU) 2024/1773 |
+| Art. 30(5) | Subcontracting provisions | CDR (EU) 2025/532 |
+| Art. 31(6) | Critical TPSP designation criteria | CDR (EU) 2024/1502 |
+| Art. 32 | Joint Examination Teams (JETs) | CDR (EU) 2025/420 |
+| Art. 41(7) | Oversight activities harmonisation | CDR (EU) 2025/295 |
+| Art. 43(2) | Oversight fees for CTPPs | CDR (EU) 2024/1505 |