EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter V — Managing ICT Third-Party Risk
Article 29. Preliminary assessment of ICT concentration risk at entity level
4 obligations
- EU-DORA-29-04 (Risk Management): Assess subcontracting benefits and risks
  Where contractual arrangements for ICT services supporting critical or important functions include the possibility that
- EU-DORA-29-05 (Risk Management): Consider insolvency law provisions and data recovery constraints
  Where contractual arrangements concern ICT services supporting critical or important functions, financial entities must
- EU-DORA-29-06 (Risk Management): Consider data protection compliance and law enforcement for third country providers
  Where contractual arrangements for ICT services supporting critical or important functions are concluded with an ICT thi
- EU-DORA-29-07 (Risk Management): Assess impact of subcontracting chains on monitoring and supervision
  Where contractual arrangements for ICT services supporting critical or important functions provide for subcontracting, f
Article 30. Key contractual provisions
21 obligations
- EU-DORA-30-01 (Documentation): Written documentation of rights and obligations
  Rights and obligations of the financial entity and ICT third-party service provider must be clearly allocated and set ou
- EU-DORA-30-02 (Documentation): Include clear description of ICT services and functions
  Contractual arrangements must include a clear and complete description of all functions and ICT services to be provided
- EU-DORA-30-03 (Transparency): Specify service locations and data processing locations
  Contracts must specify the locations (regions or countries) where contracted or subcontracted functions and ICT services
- EU-DORA-30-04 (Data Governance): Include data protection provisions
  Contracts must include provisions on availability, authenticity, integrity and confidentiality in relation to the protec
- EU-DORA-30-05 (Data Governance): Include data access and recovery provisions
  Contracts must include provisions ensuring access, recovery and return in an easily accessible format of personal and no
- EU-DORA-30-06 (Documentation): Include service level descriptions
  Contracts must include service level descriptions, including updates and revisions thereof.
- EU-DORA-30-07 (Requirement): Include ICT incident assistance obligation
  Contracts must include the obligation of the ICT third-party service provider to provide assistance to the financial ent
- EU-DORA-30-08 (Requirement): Include cooperation obligation with authorities
  Contracts must include the obligation of the ICT third-party service provider to fully cooperate with the competent auth
- EU-DORA-30-09 (Requirement): Include termination rights and notice periods
  Contracts must include termination rights and related minimum notice periods for the termination of contractual arrangem
- EU-DORA-30-10 (Requirement): Include security training participation conditions
  Contracts must include conditions for the participation of ICT third-party service providers in the financial entities'
- EU-DORA-30-11 (Monitoring): Include full service level descriptions for critical functions
  For ICT services supporting critical or important functions, contracts must include full service level descriptions with
- EU-DORA-30-12 (Reporting): Include notice periods and reporting obligations for critical functions
  For critical or important functions, contracts must include notice periods and reporting obligations of the ICT third-pa
- EU-DORA-30-13 (Risk Management): Require business contingency plans and ICT security measures
  For critical or important functions, contracts must require the ICT third-party service provider to implement and test b
- EU-DORA-30-14 (Requirement): Obligate participation in TLPT
  For critical or important functions, contracts must include the obligation of the ICT third-party service provider to pa
- EU-DORA-30-15 (Monitoring): Grant unrestricted access and inspection rights
  For critical or important functions, contracts must grant unrestricted rights of access, inspection and audit by the fin
- EU-DORA-30-16 (Requirement): Allow alternative assurance levels agreement
  For critical or important functions, contracts must include the right to agree on alternative assurance levels if other
- EU-DORA-30-17 (Requirement): Obligate cooperation during inspections and audits
  For critical or important functions, contracts must include the obligation of the ICT third-party service provider to fu
- EU-DORA-30-18 (Transparency): Provide inspection and audit scope details
  For critical or important functions, contracts must include the obligation to provide details on the scope, procedures t
- EU-DORA-30-19 (Risk Management): Establish exit strategies with mandatory transition period
  For critical or important functions, contracts must include exit strategies with a mandatory adequate transition period
- EU-DORA-30-20 (Requirement): Allow migration to alternative solutions
  For critical or important functions, exit strategies must allow the financial entity to migrate to another ICT third-par
- EU-DORA-30-21 (Requirement): Allow delegation of audit rights for microenterprises
  For microenterprises, the ICT third-party service provider and financial entity may agree that the financial entity's ri