bmad-plus 0.7.4 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -407
- package/LICENSE +21 -0
- package/README.md +555 -446
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -175
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,306 +1,306 @@
|
|
|
1
|
-
# DORA — Adopted RTS and ITS Reference Guide
|
|
2
|
-
|
|
3
|
-
All Level 2 measures adopted under Regulation (EU) 2022/2554 (DORA).
|
|
4
|
-
Last updated: April 2026.
|
|
5
|
-
|
|
6
|
-
---
|
|
7
|
-
|
|
8
|
-
## Overview
|
|
9
|
-
|
|
10
|
-
DORA empowers the European Supervisory Authorities (EBA, ESMA, EIOPA — collectively
|
|
11
|
-
the ESAs) to develop binding Regulatory Technical Standards (RTS) and Implementing
|
|
12
|
-
Technical Standards (ITS) under Articles 15, 16, 18, 20, 26, 28, 29, 30, 31, 32,
|
|
13
|
-
41, and 43. All key standards were adopted before the DORA application date of
|
|
14
|
-
17 January 2025.
|
|
15
|
-
|
|
16
|
-
---
|
|
17
|
-
|
|
18
|
-
## Complete List of Adopted RTS and ITS
|
|
19
|
-
|
|
20
|
-
### 1. CDR (EU) 2024/1772 — RTS on ICT Incident Classification
|
|
21
|
-
|
|
22
|
-
| Field | Detail |
|
|
23
|
-
|-------|--------|
|
|
24
|
-
| Full title | Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 |
|
|
25
|
-
| DORA basis | Art. 18(3) — classification criteria and materiality thresholds |
|
|
26
|
-
| Published | OJ L, 25 June 2024 |
|
|
27
|
-
| Applies from | 17 January 2025 |
|
|
28
|
-
|
|
29
|
-
**Key content:**
|
|
30
|
-
- Defines materiality thresholds for each Art. 18(1) criterion (clients affected,
|
|
31
|
-
transaction value, data loss, service unavailability, geographic spread)
|
|
32
|
-
- An incident is classified as **major** if any single threshold is met (OR logic)
|
|
33
|
-
- Sets minimum thresholds for "significant cyber threats" that may trigger voluntary
|
|
34
|
-
reporting under Art. 19(2)
|
|
35
|
-
- Includes specific rules for payment-related incidents (Art. 23)
|
|
36
|
-
|
|
37
|
-
**Thresholds (indicative — consult the CDR for exact values):**
|
|
38
|
-
- Client impact: ≥ 10% of clients (or >5,000 clients for large entities)
|
|
39
|
-
- Transaction value: depending on institution type and size
|
|
40
|
-
- Service unavailability: ≥ 2 hours for critical services
|
|
41
|
-
- Data integrity/confidentiality: any breach affecting core banking data
|
|
42
|
-
|
|
43
|
-
---
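Review bot: the header `@@ -1,306 +1,306 @@` replaces all 306 lines of this reference guide with 306 new ones, and most entries in the file list carry the same matched add/remove counts, so the diff gives no way to see which statements actually changed between 0.7.4 and 0.8.0. If the text is unchanged and only line endings or whitespace differ, normalize them before publishing so that real edits to the regulatory content stand out. Within section 1, the bullet "An incident is classified as **major** if any single threshold is met (OR logic)" is stated as fact, while the thresholds directly below it are marked "indicative" with a pointer to the CDR for exact values; give the classification rule the same caveat or cite the CDR article it is taken from.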
|
|
44
|
-
|
|
45
|
-
### 2. CDR (EU) 2024/1773 — RTS on ICT Third-Party Risk Policy
|
|
46
|
-
|
|
47
|
-
| Field | Detail |
|
|
48
|
-
|-------|--------|
|
|
49
|
-
| Full title | Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 |
|
|
50
|
-
| DORA basis | Art. 28(10) — content of the ICT third-party risk policy; Art. 30(5) — contractual provisions |
|
|
51
|
-
| Published | OJ L, 25 June 2024 |
|
|
52
|
-
| Applies from | 17 January 2025 |
|
|
53
|
-
|
|
54
|
-
**Key content:**
|
|
55
|
-
- Minimum elements of the ICT third-party risk policy (Art. 28(1) policy)
|
|
56
|
-
- Criteria for distinguishing critical/important functions from non-critical
|
|
57
|
-
- Due diligence requirements before entering ICT service arrangements
|
|
58
|
-
- Detailed requirements for contractual provisions under Art. 30(2):
|
|
59
|
-
- Service level descriptions and measurable KPIs
|
|
60
|
-
- Provisions on data location, portability, and return on exit
|
|
61
|
-
- Audit and access rights (the auditor clause must be specific and exercisable)
|
|
62
|
-
- Exit strategy and minimum notice period requirements
|
|
63
|
-
- Sub-contracting provisions and prior consent requirements
|
|
64
|
-
|
|
65
|
-
---
|
|
66
|
-
|
|
67
|
-
### 3. CDR (EU) 2024/1774 — RTS on ICT Risk Management Framework
|
|
68
|
-
|
|
69
|
-
| Field | Detail |
|
|
70
|
-
|-------|--------|
|
|
71
|
-
| Full title | Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 |
|
|
72
|
-
| DORA basis | Art. 15 — elements of ICT RMF; Art. 16(3) — simplified framework |
|
|
73
|
-
| Published | OJ L, 25 June 2024 |
|
|
74
|
-
| Applies from | 17 January 2025 |
|
|
75
|
-
|
|
76
|
-
**Key content:**
|
|
77
|
-
- Chapter I: Detailed elements of the ICT risk management framework (Art. 6–14):
|
|
78
|
-
- ICT risk strategy requirements
|
|
79
|
-
- Minimum content of ICT security policies
|
|
80
|
-
- ICT asset identification and classification requirements
|
|
81
|
-
- Protection and prevention controls (logical and physical)
|
|
82
|
-
- Detection, response, recovery, and backup policy requirements
|
|
83
|
-
- Learning and communication requirements
|
|
84
|
-
- Chapter II: Simplified ICT risk management framework (Art. 16):
|
|
85
|
-
- Entity types eligible for the simplified framework
|
|
86
|
-
- Minimum requirements for simplified framework entities
|
|
87
|
-
- How to document the simplified framework
|
|
88
|
-
|
|
89
|
-
---
|
|
90
|
-
|
|
91
|
-
### 4. CDR (EU) 2025/301 — RTS on Major Incident Reporting
|
|
92
|
-
|
|
93
|
-
| Field | Detail |
|
|
94
|
-
|-------|--------|
|
|
95
|
-
| Full title | Commission Delegated Regulation (EU) 2025/301 of 18 October 2024 |
|
|
96
|
-
| DORA basis | Art. 20(3) — content, timelines, and format of incident reports |
|
|
97
|
-
| Published | OJ L, 14 February 2025 |
|
|
98
|
-
| Applies from | 17 January 2025 (retroactively applicable) |
|
|
99
|
-
|
|
100
|
-
**Key content:**
|
|
101
|
-
- Mandatory content of each reporting stage:
|
|
102
|
-
- **Initial notification (within 4 hours):** Incident reference, entity details,
|
|
103
|
-
initial classification rationale, estimated client impact, nature of incident
|
|
104
|
-
- **Intermediate report (within 72 hours):** Updated impact assessment, root cause
|
|
105
|
-
indicators, response actions taken, recovery time estimate
|
|
106
|
-
- **Final report (within 1 month):** Root cause analysis, full impact assessment,
|
|
107
|
-
lessons learned, preventive measures implemented or planned
|
|
108
|
-
- Rules on how to count the 4-hour and 72-hour timelines from classification
|
|
109
|
-
- Provisions for voluntary reporting of significant cyber threats (Art. 19(2))
|
|
110
|
-
|
|
111
|
-
---
|
|
112
|
-
|
|
113
|
-
### 5. CIR (EU) 2025/302 — ITS on Incident Reporting Templates
|
|
114
|
-
|
|
115
|
-
| Field | Detail |
|
|
116
|
-
|-------|--------|
|
|
117
|
-
| Full title | Commission Implementing Regulation (EU) 2025/302 of 18 October 2024 |
|
|
118
|
-
| DORA basis | Art. 20(4) — standard forms and templates for incident reports |
|
|
119
|
-
| Published | OJ L, 14 February 2025 |
|
|
120
|
-
| Applies from | 17 January 2025 (retroactively applicable) |
|
|
121
|
-
|
|
122
|
-
**Key content:**
|
|
123
|
-
- Standard templates for all three reporting stages (initial, intermediate, final)
|
|
124
|
-
- **Dedicated payment-incident template** per Art. 23 for credit institutions,
|
|
125
|
-
payment institutions, and e-money institutions — aligned with legacy PSD2 Art. 96
|
|
126
|
-
reporting fields
|
|
127
|
-
- Separate template for voluntary cyber threat notifications (Art. 19(2))
|
|
128
|
-
- Electronic submission format requirements
|
|
129
|
-
- Competent authority designation — which authority receives reports for each
|
|
130
|
-
entity type (home state supervisor as a general rule)
|
|
131
|
-
|
|
132
|
-
---
|
|
133
|
-
|
|
134
|
-
### 6. CIR (EU) 2024/2956 — ITS on Register of Information
|
|
135
|
-
|
|
136
|
-
| Field | Detail |
|
|
137
|
-
|-------|--------|
|
|
138
|
-
| Full title | Commission Implementing Regulation (EU) 2024/2956 of 20 September 2024 |
|
|
139
|
-
| DORA basis | Art. 28(9) — templates for the Register of Information |
|
|
140
|
-
| Published | OJ L, 11 December 2024 |
|
|
141
|
-
| Applies from | 17 January 2025 |
|
|
142
|
-
|
|
143
|
-
**Key content — mandatory Register fields:**
|
|
144
|
-
|
|
145
|
-
The Register of Information (RoI) must capture, for each ICT service arrangement:
|
|
146
|
-
|
|
147
|
-
| Field Group | Key Fields |
|
|
148
|
-
|-------------|-----------|
|
|
149
|
-
| Entity information | LEI of reporting entity, entity name, entity type |
|
|
150
|
-
| TPSP identification | TPSP LEI, TPSP name, country of establishment |
|
|
151
|
-
| Arrangement details | Unique arrangement reference, arrangement type |
|
|
152
|
-
| Function classification | Critical or important function (Y/N), function description |
|
|
153
|
-
| ICT service description | Type of service (IaaS/PaaS/SaaS/other), specific service description |
|
|
154
|
-
| Data | Types of data processed, storage location (country/region) |
|
|
155
|
-
| Sub-processors | Chain of sub-processors (name, LEI, country) |
|
|
156
|
-
| Contractual terms | Contract start date, contract end date, notice period |
|
|
157
|
-
| Substitutability | Assessment of ease of substitution (high/medium/low) |
|
|
158
|
-
| Exit strategy | Reference to exit strategy document |
|
|
159
|
-
|
|
160
|
-
**Annual submission:** The RoI is submitted to the competent authority at least
|
|
161
|
-
annually (or upon request). The ESAs aggregate submissions for the oversight framework.
|
|
162
|
-
|
|
163
|
-
---
|
|
164
|
-
|
|
165
|
-
### 7. CDR (EU) 2025/1190 — RTS on TLPT
|
|
166
|
-
|
|
167
|
-
| Field | Detail |
|
|
168
|
-
|-------|--------|
|
|
169
|
-
| Full title | Commission Delegated Regulation (EU) 2025/1190 of 28 February 2025 |
|
|
170
|
-
| DORA basis | Art. 26(11) and Art. 27(9) — TLPT requirements, tester qualifications |
|
|
171
|
-
| Published | OJ L, 18 June 2025 |
|
|
172
|
-
| Applies from | 8 July 2025 |
|
|
173
|
-
|
|
174
|
-
**Key content:**
|
|
175
|
-
- Criteria for identifying financial entities required to conduct TLPT (Art. 26(8))
|
|
176
|
-
- Scope determination: which functions and ICT systems must be included
|
|
177
|
-
- Role of competent authority in approving TLPT scope and methodology
|
|
178
|
-
- Requirements for the **threat intelligence phase**: accreditation of threat
|
|
179
|
-
intelligence providers
|
|
180
|
-
- Requirements for **red team testing**: methodology, documentation, attestation
|
|
181
|
-
- **Mutual recognition:** TLPT results recognized across EU jurisdictions for
|
|
182
|
-
entities operating cross-border — only one test needed (Art. 26(5))
|
|
183
|
-
- Tester qualification requirements per Art. 27:
|
|
184
|
-
- Independence from the tested entity
|
|
185
|
-
- Relevant professional certification
|
|
186
|
-
- Risk methodology capability
|
|
187
|
-
- **TIBER-EU alignment:** The CDR aligns TLPT with the TIBER-EU framework;
|
|
188
|
-
TIBER-EU tests conducted under the TIBER-EU framework may satisfy DORA
|
|
189
|
-
TLPT requirements where conditions are met
|
|
190
|
-
|
|
191
|
-
---
|
|
192
|
-
|
|
193
|
-
### 8. CDR (EU) 2025/532 — RTS on Subcontracting of ICT Services
|
|
194
|
-
|
|
195
|
-
| Field | Detail |
|
|
196
|
-
|-------|--------|
|
|
197
|
-
| Full title | Commission Delegated Regulation (EU) 2025/532 |
|
|
198
|
-
| DORA basis | Art. 30(5) — subcontracting provisions |
|
|
199
|
-
| Applies from | 17 January 2025 |
|
|
200
|
-
|
|
201
|
-
**Key content:**
|
|
202
|
-
- When a TPSP subcontracts ICT services supporting critical/important functions,
|
|
203
|
-
the financial entity must ensure the contract includes:
|
|
204
|
-
- Prior written consent of the financial entity for sub-contracting chains
|
|
205
|
-
- Equivalent contractual provisions at sub-processor level
|
|
206
|
-
- Right to audit the sub-processor (directly or via the TPSP)
|
|
207
|
-
- Conditions under which financial entities may apply pre-approved sub-contracting
|
|
208
|
-
arrangements (framework sub-contracting clauses)
|
|
209
|
-
- Notification requirements for changes in sub-processors
|
|
210
|
-
|
|
211
|
-
---
|
|
212
|
-
|
|
213
|
-
### 9. CDR (EU) 2024/1502 — Designation Criteria for Critical ICT TPSPs
|
|
214
|
-
|
|
215
|
-
| Field | Detail |
|
|
216
|
-
|-------|--------|
|
|
217
|
-
| Full title | Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 |
|
|
218
|
-
| DORA basis | Art. 31(6) — criteria for designation of critical ICT TPSPs |
|
|
219
|
-
| Published | OJ L, 5 June 2024 |
|
|
220
|
-
| Applies from | 17 January 2025 |
|
|
221
|
-
|
|
222
|
-
**Key content — designation criteria:**
|
|
223
|
-
- **Systemic impact:** Would failure or discontinuation of the TPSP's services
|
|
224
|
-
cause systemic disruption to the financial system?
|
|
225
|
-
- **Scale:** Number and types of financial entities served; proportion of their
|
|
226
|
-
ICT needs
|
|
227
|
-
- **Substitutability:** How easily could another TPSP replace the service?
|
|
228
|
-
(Low substitutability → higher probability of designation)
|
|
229
|
-
- **Interconnectedness:** Does the TPSP's failure trigger cascading effects?
|
|
230
|
-
- **Concentration risk:** Does a large portion of EU financial entities rely
|
|
231
|
-
on this single TPSP for critical functions?
|
|
232
|
-
|
|
233
|
-
**Designation process:** ESAs assess all ICT TPSPs that provide services to
|
|
234
|
-
EU financial entities and publish a list of designated CTPPs. TPSPs not
|
|
235
|
-
established in the EU that provide services to EU financial entities must
|
|
236
|
-
designate an EU legal representative (Art. 31(11)).
|
|
237
|
-
|
|
238
|
-
---
|
|
239
|
-
|
|
240
|
-
### 10. CDR (EU) 2024/1505 — Oversight Fees for Critical ICT TPSPs
|
|
241
|
-
|
|
242
|
-
| Field | Detail |
|
|
243
|
-
|-------|--------|
|
|
244
|
-
| Full title | Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 |
|
|
245
|
-
| DORA basis | Art. 43(2) — methodology for calculating oversight fees |
|
|
246
|
-
| Published | OJ L, 5 June 2024 |
|
|
247
|
-
| Applies from | 17 January 2025 |
|
|
248
|
-
|
|
249
|
-
**Key content:**
|
|
250
|
-
- Fee methodology: annual oversight fee for designated CTPPs
|
|
251
|
-
- Based on: total worldwide annual net turnover of the CTPSP
|
|
252
|
-
- Fee caps and floors to ensure proportionality
|
|
253
|
-
- Fee collection process via Lead Overseer
|
|
254
|
-
|
|
255
|
-
---
|
|
256
|
-
|
|
257
|
-
### 11. CDR (EU) 2025/295 — RTS on Oversight Activities Harmonisation
|
|
258
|
-
|
|
259
|
-
| Field | Detail |
|
|
260
|
-
|-------|--------|
|
|
261
|
-
| Full title | Commission Delegated Regulation (EU) 2025/295 |
|
|
262
|
-
| DORA basis | Art. 41(7) — harmonisation of oversight activities |
|
|
263
|
-
| Applies from | 17 January 2025 |
|
|
264
|
-
|
|
265
|
-
**Key content:**
|
|
266
|
-
- How Lead Overseers coordinate with Joint Oversight Network (JON)
|
|
267
|
-
- Information sharing between ESAs and national competent authorities
|
|
268
|
-
- Procedures for issuing oversight recommendations
|
|
269
|
-
- Follow-up process for non-compliance with recommendations
|
|
270
|
-
|
|
271
|
-
---
|
|
272
|
-
|
|
273
|
-
### 12. CDR (EU) 2025/420 — RTS on Joint Examination Teams (JETs)
|
|
274
|
-
|
|
275
|
-
| Field | Detail |
|
|
276
|
-
|-------|--------|
|
|
277
|
-
| Full title | Commission Delegated Regulation (EU) 2025/420 |
|
|
278
|
-
| DORA basis | Art. 32 — structure and operation of Joint Examination Teams |
|
|
279
|
-
| Applies from | 17 January 2025 |
|
|
280
|
-
|
|
281
|
-
**Key content:**
|
|
282
|
-
- Composition of JETs: lead overseer staff + national competent authority experts
|
|
283
|
-
- JET mandate: on-site and off-site examination of designated CTPPs
|
|
284
|
-
- Coordination between JET lead and national experts
|
|
285
|
-
- Reporting of JET findings to Lead Overseer
|
|
286
|
-
|
|
287
|
-
---
|
|
288
|
-
|
|
289
|
-
## Quick Reference: DORA Article → RTS/ITS
|
|
290
|
-
|
|
291
|
-
| DORA Article | Obligation | Implementing Measure |
|
|
292
|
-
|-------------|-----------|---------------------|
|
|
293
|
-
| Art. 15 | ICT RMF detailed elements | CDR (EU) 2024/1774 |
|
|
294
|
-
| Art. 16(3) | Simplified RMF | CDR (EU) 2024/1774 (Ch. II) |
|
|
295
|
-
| Art. 18(3) | Incident classification thresholds | CDR (EU) 2024/1772 |
|
|
296
|
-
| Art. 20(3) | Incident reporting content + timelines | CDR (EU) 2025/301 |
|
|
297
|
-
| Art. 20(4) | Incident reporting templates | CIR (EU) 2025/302 |
|
|
298
|
-
| Art. 26(11) | TLPT requirements | CDR (EU) 2025/1190 |
|
|
299
|
-
| Art. 27(9) | Tester qualifications | CDR (EU) 2025/1190 |
|
|
300
|
-
| Art. 28(9) | Register of Information templates | CIR (EU) 2024/2956 |
|
|
301
|
-
| Art. 28(10) + 30(5) | ICT third-party risk policy + contracts | CDR (EU) 2024/1773 |
|
|
302
|
-
| Art. 30(5) | Subcontracting provisions | CDR (EU) 2025/532 |
|
|
303
|
-
| Art. 31(6) | Critical TPSP designation criteria | CDR (EU) 2024/1502 |
|
|
304
|
-
| Art. 32 | Joint Examination Teams (JETs) | CDR (EU) 2025/420 |
|
|
305
|
-
| Art. 41(7) | Oversight activities harmonisation | CDR (EU) 2025/295 |
|
|
306
|
-
| Art. 43(2) | Oversight fees for CTPPs | CDR (EU) 2024/1505 |
|
|
1
|
+
# DORA — Adopted RTS and ITS Reference Guide
|
|
2
|
+
|
|
3
|
+
All Level 2 measures adopted under Regulation (EU) 2022/2554 (DORA).
|
|
4
|
+
Last updated: April 2026.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
DORA empowers the European Supervisory Authorities (EBA, ESMA, EIOPA — collectively
|
|
11
|
+
the ESAs) to develop binding Regulatory Technical Standards (RTS) and Implementing
|
|
12
|
+
Technical Standards (ITS) under Articles 15, 16, 18, 20, 26, 28, 29, 30, 31, 32,
|
|
13
|
+
41, and 43. All key standards were adopted before the DORA application date of
|
|
14
|
+
17 January 2025.
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Complete List of Adopted RTS and ITS
|
|
19
|
+
|
|
20
|
+
### 1. CDR (EU) 2024/1772 — RTS on ICT Incident Classification
|
|
21
|
+
|
|
22
|
+
| Field | Detail |
|
|
23
|
+
|-------|--------|
|
|
24
|
+
| Full title | Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 |
|
|
25
|
+
| DORA basis | Art. 18(3) — classification criteria and materiality thresholds |
|
|
26
|
+
| Published | OJ L, 25 June 2024 |
|
|
27
|
+
| Applies from | 17 January 2025 |
|
|
28
|
+
|
|
29
|
+
**Key content:**
|
|
30
|
+
- Defines materiality thresholds for each Art. 18(1) criterion (clients affected,
|
|
31
|
+
transaction value, data loss, service unavailability, geographic spread)
|
|
32
|
+
- An incident is classified as **major** if any single threshold is met (OR logic)
|
|
33
|
+
- Sets minimum thresholds for "significant cyber threats" that may trigger voluntary
|
|
34
|
+
reporting under Art. 19(2)
|
|
35
|
+
- Includes specific rules for payment-related incidents (Art. 23)
|
|
36
|
+
|
|
37
|
+
**Thresholds (indicative — consult the CDR for exact values):**
|
|
38
|
+
- Client impact: ≥ 10% of clients (or >5,000 clients for large entities)
|
|
39
|
+
- Transaction value: depending on institution type and size
|
|
40
|
+
- Service unavailability: ≥ 2 hours for critical services
|
|
41
|
+
- Data integrity/confidentiality: any breach affecting core banking data
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
### 2. CDR (EU) 2024/1773 — RTS on ICT Third-Party Risk Policy
|
|
46
|
+
|
|
47
|
+
| Field | Detail |
|
|
48
|
+
|-------|--------|
|
|
49
|
+
| Full title | Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 |
|
|
50
|
+
| DORA basis | Art. 28(10) — content of the ICT third-party risk policy; Art. 30(5) — contractual provisions |
|
|
51
|
+
| Published | OJ L, 25 June 2024 |
|
|
52
|
+
| Applies from | 17 January 2025 |
|
|
53
|
+
|
|
54
|
+
**Key content:**
|
|
55
|
+
- Minimum elements of the ICT third-party risk policy (Art. 28(1) policy)
|
|
56
|
+
- Criteria for distinguishing critical/important functions from non-critical
|
|
57
|
+
- Due diligence requirements before entering ICT service arrangements
|
|
58
|
+
- Detailed requirements for contractual provisions under Art. 30(2):
|
|
59
|
+
- Service level descriptions and measurable KPIs
|
|
60
|
+
- Provisions on data location, portability, and return on exit
|
|
61
|
+
- Audit and access rights (the auditor clause must be specific and exercisable)
|
|
62
|
+
- Exit strategy and minimum notice period requirements
|
|
63
|
+
- Sub-contracting provisions and prior consent requirements
|
|
64
|
+
|
|
65
|
+
---
|
|
66
|
+
|
|
67
|
+
### 3. CDR (EU) 2024/1774 — RTS on ICT Risk Management Framework
|
|
68
|
+
|
|
69
|
+
| Field | Detail |
|
|
70
|
+
|-------|--------|
|
|
71
|
+
| Full title | Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 |
|
|
72
|
+
| DORA basis | Art. 15 — elements of ICT RMF; Art. 16(3) — simplified framework |
|
|
73
|
+
| Published | OJ L, 25 June 2024 |
|
|
74
|
+
| Applies from | 17 January 2025 |
|
|
75
|
+
|
|
76
|
+
**Key content:**
|
|
77
|
+
- Chapter I: Detailed elements of the ICT risk management framework (Art. 6–14):
|
|
78
|
+
- ICT risk strategy requirements
|
|
79
|
+
- Minimum content of ICT security policies
|
|
80
|
+
- ICT asset identification and classification requirements
|
|
81
|
+
- Protection and prevention controls (logical and physical)
|
|
82
|
+
- Detection, response, recovery, and backup policy requirements
|
|
83
|
+
- Learning and communication requirements
|
|
84
|
+
- Chapter II: Simplified ICT risk management framework (Art. 16):
|
|
85
|
+
- Entity types eligible for the simplified framework
|
|
86
|
+
- Minimum requirements for simplified framework entities
|
|
87
|
+
- How to document the simplified framework
|
|
88
|
+
|
|
89
|
+
---
|
|
90
|
+
|
|
91
|
+
### 4. CDR (EU) 2025/301 — RTS on Major Incident Reporting
|
|
92
|
+
|
|
93
|
+
| Field | Detail |
|
|
94
|
+
|-------|--------|
|
|
95
|
+
| Full title | Commission Delegated Regulation (EU) 2025/301 of 18 October 2024 |
|
|
96
|
+
| DORA basis | Art. 20(3) — content, timelines, and format of incident reports |
|
|
97
|
+
| Published | OJ L, 14 February 2025 |
|
|
98
|
+
| Applies from | 17 January 2025 (retroactively applicable) |
|
|
99
|
+
|
|
100
|
+
**Key content:**
|
|
101
|
+
- Mandatory content of each reporting stage:
|
|
102
|
+
- **Initial notification (within 4 hours):** Incident reference, entity details,
|
|
103
|
+
initial classification rationale, estimated client impact, nature of incident
|
|
104
|
+
- **Intermediate report (within 72 hours):** Updated impact assessment, root cause
|
|
105
|
+
indicators, response actions taken, recovery time estimate
|
|
106
|
+
- **Final report (within 1 month):** Root cause analysis, full impact assessment,
|
|
107
|
+
lessons learned, preventive measures implemented or planned
|
|
108
|
+
- Rules on how to count the 4-hour and 72-hour timelines from classification
|
|
109
|
+
- Provisions for voluntary reporting of significant cyber threats (Art. 19(2))
|
|
110
|
+
|
|
111
|
+
---
|
|
112
|
+
|
|
113
|
+
### 5. CIR (EU) 2025/302 — ITS on Incident Reporting Templates
|
|
114
|
+
|
|
115
|
+
| Field | Detail |
|
|
116
|
+
|-------|--------|
|
|
117
|
+
| Full title | Commission Implementing Regulation (EU) 2025/302 of 18 October 2024 |
|
|
118
|
+
| DORA basis | Art. 20(4) — standard forms and templates for incident reports |
|
|
119
|
+
| Published | OJ L, 14 February 2025 |
|
|
120
|
+
| Applies from | 17 January 2025 (retroactively applicable) |
|
|
121
|
+
|
|
122
|
+
**Key content:**
|
|
123
|
+
- Standard templates for all three reporting stages (initial, intermediate, final)
|
|
124
|
+
- **Dedicated payment-incident template** per Art. 23 for credit institutions,
|
|
125
|
+
payment institutions, and e-money institutions — aligned with legacy PSD2 Art. 96
|
|
126
|
+
reporting fields
|
|
127
|
+
- Separate template for voluntary cyber threat notifications (Art. 19(2))
|
|
128
|
+
- Electronic submission format requirements
|
|
129
|
+
- Competent authority designation — which authority receives reports for each
|
|
130
|
+
entity type (home state supervisor as a general rule)
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
### 6. CIR (EU) 2024/2956 — ITS on Register of Information
|
|
135
|
+
|
|
136
|
+
| Field | Detail |
|
|
137
|
+
|-------|--------|
|
|
138
|
+
| Full title | Commission Implementing Regulation (EU) 2024/2956 of 20 September 2024 |
|
|
139
|
+
| DORA basis | Art. 28(9) — templates for the Register of Information |
|
|
140
|
+
| Published | OJ L, 11 December 2024 |
|
|
141
|
+
| Applies from | 17 January 2025 |
|
|
142
|
+
|
|
143
|
+
**Key content — mandatory Register fields:**
|
|
144
|
+
|
|
145
|
+
The Register of Information (RoI) must capture, for each ICT service arrangement:
|
|
146
|
+
|
|
147
|
+
| Field Group | Key Fields |
|
|
148
|
+
|-------------|-----------|
|
|
149
|
+
| Entity information | LEI of reporting entity, entity name, entity type |
|
|
150
|
+
| TPSP identification | TPSP LEI, TPSP name, country of establishment |
|
|
151
|
+
| Arrangement details | Unique arrangement reference, arrangement type |
|
|
152
|
+
| Function classification | Critical or important function (Y/N), function description |
|
|
153
|
+
| ICT service description | Type of service (IaaS/PaaS/SaaS/other), specific service description |
|
|
154
|
+
| Data | Types of data processed, storage location (country/region) |
|
|
155
|
+
| Sub-processors | Chain of sub-processors (name, LEI, country) |
|
|
156
|
+
| Contractual terms | Contract start date, contract end date, notice period |
|
|
157
|
+
| Substitutability | Assessment of ease of substitution (high/medium/low) |
|
|
158
|
+
| Exit strategy | Reference to exit strategy document |
|
|
159
|
+
|
|
160
|
+
**Annual submission:** The RoI is submitted to the competent authority at least
|
|
161
|
+
annually (or upon request). The ESAs aggregate submissions for the oversight framework.
|
|
162
|
+
|
|
163
|
+
---
|
|
164
|
+
|
|
165
|
+
### 7. CDR (EU) 2025/1190 — RTS on TLPT
|
|
166
|
+
|
|
167
|
+
| Field | Detail |
|
|
168
|
+
|-------|--------|
|
|
169
|
+
| Full title | Commission Delegated Regulation (EU) 2025/1190 of 28 February 2025 |
|
|
170
|
+
| DORA basis | Art. 26(11) and Art. 27(9) — TLPT requirements, tester qualifications |
|
|
171
|
+
| Published | OJ L, 18 June 2025 |
|
|
172
|
+
| Applies from | 8 July 2025 |
|
|
173
|
+
|
|
174
|
+
**Key content:**
|
|
175
|
+
- Criteria for identifying financial entities required to conduct TLPT (Art. 26(8))
|
|
176
|
+
- Scope determination: which functions and ICT systems must be included
|
|
177
|
+
- Role of competent authority in approving TLPT scope and methodology
|
|
178
|
+
- Requirements for the **threat intelligence phase**: accreditation of threat
|
|
179
|
+
intelligence providers
|
|
180
|
+
- Requirements for **red team testing**: methodology, documentation, attestation
|
|
181
|
+
- **Mutual recognition:** TLPT results recognized across EU jurisdictions for
|
|
182
|
+
entities operating cross-border — only one test needed (Art. 26(5))
|
|
183
|
+
- Tester qualification requirements per Art. 27:
|
|
184
|
+
- Independence from the tested entity
|
|
185
|
+
- Relevant professional certification
|
|
186
|
+
- Risk methodology capability
|
|
187
|
+
- **TIBER-EU alignment:** The CDR aligns TLPT with the TIBER-EU framework;
|
|
188
|
+
TIBER-EU tests conducted under the TIBER-EU framework may satisfy DORA
|
|
189
|
+
TLPT requirements where conditions are met
|
|
190
|
+
|
|
191
|
+
---
|
|
192
|
+
|
|
193
|
+
### 8. CDR (EU) 2025/532 — RTS on Subcontracting of ICT Services
|
|
194
|
+
|
|
195
|
+
| Field | Detail |
|
|
196
|
+
|-------|--------|
|
|
197
|
+
| Full title | Commission Delegated Regulation (EU) 2025/532 |
|
|
198
|
+
| DORA basis | Art. 30(5) — subcontracting provisions |
|
|
199
|
+
| Applies from | 17 January 2025 |
|
|
200
|
+
|
|
201
|
+
**Key content:**
|
|
202
|
+
- When a TPSP subcontracts ICT services supporting critical/important functions,
|
|
203
|
+
the financial entity must ensure the contract includes:
|
|
204
|
+
- Prior written consent of the financial entity for sub-contracting chains
|
|
205
|
+
- Equivalent contractual provisions at sub-processor level
|
|
206
|
+
- Right to audit the sub-processor (directly or via the TPSP)
|
|
207
|
+
- Conditions under which financial entities may apply pre-approved sub-contracting
|
|
208
|
+
arrangements (framework sub-contracting clauses)
|
|
209
|
+
- Notification requirements for changes in sub-processors
|
|
210
|
+
|
|
211
|
+
---
|
|
212
|
+
|
|
213
|
+
### 9. CDR (EU) 2024/1502 — Designation Criteria for Critical ICT TPSPs
|
|
214
|
+
|
|
215
|
+
| Field | Detail |
|
|
216
|
+
|-------|--------|
|
|
217
|
+
| Full title | Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 |
|
|
218
|
+
| DORA basis | Art. 31(6) — criteria for designation of critical ICT TPSPs |
|
|
219
|
+
| Published | OJ L, 5 June 2024 |
|
|
220
|
+
| Applies from | 17 January 2025 |
|
|
221
|
+
|
|
222
|
+
**Key content — designation criteria:**
|
|
223
|
+
- **Systemic impact:** Would failure or discontinuation of the TPSP's services
|
|
224
|
+
cause systemic disruption to the financial system?
|
|
225
|
+
- **Scale:** Number and types of financial entities served; proportion of their
|
|
226
|
+
ICT needs
|
|
227
|
+
- **Substitutability:** How easily could another TPSP replace the service?
|
|
228
|
+
(Low substitutability → higher probability of designation)
|
|
229
|
+
- **Interconnectedness:** Does the TPSP's failure trigger cascading effects?
|
|
230
|
+
- **Concentration risk:** Does a large portion of EU financial entities rely
|
|
231
|
+
on this single TPSP for critical functions?
|
|
232
|
+
|
|
233
|
+
**Designation process:** ESAs assess all ICT TPSPs that provide services to
|
|
234
|
+
EU financial entities and publish a list of designated CTPPs. TPSPs not
|
|
235
|
+
established in the EU that provide services to EU financial entities must
|
|
236
|
+
designate an EU legal representative (Art. 31(11)).
|
|
237
|
+
|
|
238
|
+
---
|
|
239
|
+
|
|
240
|
+
### 10. CDR (EU) 2024/1505 — Oversight Fees for Critical ICT TPSPs
|
|
241
|
+
|
|
242
|
+
| Field | Detail |
|
|
243
|
+
|-------|--------|
|
|
244
|
+
| Full title | Commission Delegated Regulation (EU) 2024/1505 of 22 February 2024 |
|
|
245
|
+
| DORA basis | Art. 43(2) — methodology for calculating oversight fees |
|
|
246
|
+
| Published | OJ L, 5 June 2024 |
|
|
247
|
+
| Applies from | 17 January 2025 |
|
|
248
|
+
|
|
249
|
+
**Key content:**
|
|
250
|
+
- Fee methodology: annual oversight fee for designated CTPPs
|
|
251
|
+
- Based on: total worldwide annual net turnover of the CTPSP
|
|
252
|
+
- Fee caps and floors to ensure proportionality
|
|
253
|
+
- Fee collection process via Lead Overseer
|
|
254
|
+
|
|
255
|
+
---
|
|
256
|
+
|
|
257
|
+
### 11. CDR (EU) 2025/295 — RTS on Oversight Activities Harmonisation
|
|
258
|
+
|
|
259
|
+
| Field | Detail |
|
|
260
|
+
|-------|--------|
|
|
261
|
+
| Full title | Commission Delegated Regulation (EU) 2025/295 |
|
|
262
|
+
| DORA basis | Art. 41(7) — harmonisation of oversight activities |
|
|
263
|
+
| Applies from | 17 January 2025 |
|
|
264
|
+
|
|
265
|
+
**Key content:**
|
|
266
|
+
- How Lead Overseers coordinate with Joint Oversight Network (JON)
|
|
267
|
+
- Information sharing between ESAs and national competent authorities
|
|
268
|
+
- Procedures for issuing oversight recommendations
|
|
269
|
+
- Follow-up process for non-compliance with recommendations
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
### 12. CDR (EU) 2025/420 — RTS on Joint Examination Teams (JETs)
|
|
274
|
+
|
|
275
|
+
| Field | Detail |
|
|
276
|
+
|-------|--------|
|
|
277
|
+
| Full title | Commission Delegated Regulation (EU) 2025/420 |
|
|
278
|
+
| DORA basis | Art. 32 — structure and operation of Joint Examination Teams |
|
|
279
|
+
| Applies from | 17 January 2025 |
|
|
280
|
+
|
|
281
|
+
**Key content:**
|
|
282
|
+
- Composition of JETs: lead overseer staff + national competent authority experts
|
|
283
|
+
- JET mandate: on-site and off-site examination of designated CTPPs
|
|
284
|
+
- Coordination between JET lead and national experts
|
|
285
|
+
- Reporting of JET findings to Lead Overseer
|
|
286
|
+
|
|
287
|
+
---
|
|
288
|
+
|
|
289
|
+
## Quick Reference: DORA Article → RTS/ITS
|
|
290
|
+
|
|
291
|
+
| DORA Article | Obligation | Implementing Measure |
|
|
292
|
+
|-------------|-----------|---------------------|
|
|
293
|
+
| Art. 15 | ICT RMF detailed elements | CDR (EU) 2024/1774 |
|
|
294
|
+
| Art. 16(3) | Simplified RMF | CDR (EU) 2024/1774 (Ch. II) |
|
|
295
|
+
| Art. 18(3) | Incident classification thresholds | CDR (EU) 2024/1772 |
|
|
296
|
+
| Art. 20(3) | Incident reporting content + timelines | CDR (EU) 2025/301 |
|
|
297
|
+
| Art. 20(4) | Incident reporting templates | CIR (EU) 2025/302 |
|
|
298
|
+
| Art. 26(11) | TLPT requirements | CDR (EU) 2025/1190 |
|
|
299
|
+
| Art. 27(9) | Tester qualifications | CDR (EU) 2025/1190 |
|
|
300
|
+
| Art. 28(9) | Register of Information templates | CIR (EU) 2024/2956 |
|
|
301
|
+
| Art. 28(10) + 30(5) | ICT third-party risk policy + contracts | CDR (EU) 2024/1773 |
|
|
302
|
+
| Art. 30(5) | Subcontracting provisions | CDR (EU) 2025/532 |
|
|
303
|
+
| Art. 31(6) | Critical TPSP designation criteria | CDR (EU) 2024/1502 |
|
|
304
|
+
| Art. 32 | Joint Examination Teams (JETs) | CDR (EU) 2025/420 |
|
|
305
|
+
| Art. 41(7) | Oversight activities harmonisation | CDR (EU) 2025/295 |
|
|
306
|
+
| Art. 43(2) | Oversight fees for CTPPs | CDR (EU) 2024/1505 |
|
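Review bot: The Overview at added lines 13-14 states "All key standards were adopted before the DORA application date of 17 January 2025", but entry 7 in the same file dates CDR (EU) 2025/1190 to 28 February 2025 with "Applies from | 8 July 2025", so the two statements cannot both hold. Reword the Overview (for example "most standards") or name the TLPT RTS as the exception. Added line 251 writes "CTPSP" where every other line uses "CTPP" or "TPSP"; pick one spelling. Entries 8, 11 and 12 carry no "Published" row and no adoption date in "Full title", unlike the other nine entries; add the values or mark them as not yet recorded. The Overview also lists Art. 29 among the empowering articles, yet the Quick Reference table has no Art. 29 row. Finally, removed lines 94-306 and added lines 94-306 read identically as rendered here, which suggests a whitespace or line-ending rewrite of the whole file; if that is the case, note it in the changelog so that a reader of the diff does not have to re-check 306 lines for content changes.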