EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter I — General Provisions
Article 1. Subject matter
8 obligations
EU-DORA-1-01
Risk Management
Implement ICT risk management requirements
Financial entities must implement and maintain information and communication technology (ICT) risk management systems an
EU-DORA-1-02
Reporting
Report major ICT-related incidents to competent authorities
Financial entities must report major ICT-related incidents to the competent authorities as specified in this Regulation.
EU-DORA-1-03
Reporting
Report major operational or security payment-related incidents
Financial entities referred to in Article 2(1), points (a) to (d) must report major operational or security payment-rela
EU-DORA-1-04
Requirement
Conduct digital operational resilience testing
Financial entities must conduct digital operational resilience testing in accordance with the requirements specified in
EU-DORA-1-05
Requirement
Participate in information and intelligence sharing on cyber threats
Financial entities must engage in information and intelligence sharing in relation to cyber threats and vulnerabilities
EU-DORA-1-06
Risk Management
Implement sound management of ICT third-party risk
Financial entities must implement measures for the sound management of ICT third-party risk in accordance with this Regu
EU-DORA-1-07
Requirement
Comply with contractual arrangement requirements for ICT services
Both ICT third-party service providers and financial entities must ensure their contractual arrangements comply with the
EU-DORA-1-08
Requirement
Comply with Oversight Framework for critical ICT third-party providers
Critical ICT third-party service providers must comply with the rules for the establishment and conduct of the Oversight
Chapter II — ICT Risk Management
Article 10. Detection
7 obligations
EU-DORA-10-01
Requirement
Implement anomaly detection mechanisms
Financial entities must establish and maintain mechanisms to promptly detect anomalous activities, ICT network performan
EU-DORA-10-02
Requirement
Regular testing of detection mechanisms
Financial entities must regularly test all detection mechanisms in accordance with Article 25.
EU-DORA-10-03
Requirement
Implement multiple layers of control in detection mechanisms
Detection mechanisms must enable multiple layers of control to provide comprehensive monitoring and detection capabiliti
EU-DORA-10-04
Requirement
Define alert thresholds and criteria
Financial entities must define alert thresholds and criteria to trigger and initiate ICT-related incident response proce
EU-DORA-10-05
Requirement
Implement automatic alert mechanisms
Detection mechanisms must include automatic alert mechanisms for relevant staff in charge of ICT-related incident respon
EU-DORA-10-06
Requirement
Devote sufficient resources for monitoring activities
Financial entities must allocate sufficient resources and capabilities to monitor user activity, ICT anomalies occurrenc
EU-DORA-10-07
Requirement
Implement trade report checking systems (data reporting service providers)
Data reporting service providers must have systems that can effectively check trade reports for completeness, identify o
Article 11. Response and recovery
10 obligations
EU-DORA-11-01
Requirement
Establish comprehensive ICT business continuity policy
Financial entities must put in place a comprehensive ICT business continuity policy as part of their ICT risk management
EU-DORA-11-02
Documentation
Implement ICT business continuity policy through documented arrangements
Financial entities must implement the ICT business continuity policy through dedicated, appropriate and documented arran
EU-DORA-11-03
Requirement
Ensure continuity of critical or important functions
Financial entities must implement arrangements that ensure the continuity of the financial entity's critical or importan
EU-DORA-11-04
Requirement
Establish ICT incident response and resolution procedures
Financial entities must implement arrangements to quickly, appropriately and effectively respond to, and resolve, all IC
EU-DORA-11-05
Requirement
Activate dedicated incident containment plans
Financial entities must implement arrangements to activate, without delay, dedicated plans that enable containment measu
EU-DORA-11-06
Requirement
Estimate preliminary impacts, damages and losses
Financial entities must implement arrangements to estimate preliminary impacts, damages and losses from ICT-related inci
EU-DORA-11-07
Requirement
Establish communication and crisis management actions
Financial entities must set out communication and crisis management actions that ensure updated information is transmitt
EU-DORA-11-08
Requirement
Implement ICT response and recovery plans
Financial entities must implement associated ICT response and recovery plans as part of the ICT risk management framewor
EU-DORA-11-09
Requirement
Subject ICT response and recovery plans to independent internal audit
Financial entities other than microenterprises must subject their ICT response and recovery plans to independent interna
EU-DORA-11-10
Requirement
Maintain and test ICT business continuity plans
Financial entities must put in place, maintain and periodically test appropriate ICT business continuity plans, notably