EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter V — Managing ICT Third-Party Risk
Article 30. Key contractual provisions
3 obligations
EU-DORA-30-22
Requirement
Consider use of standard contractual clauses
When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the u
EU-DORA-30-23
Requirement
ESAs develop regulatory technical standards for subcontracting
The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the element
EU-DORA-30-24
Requirement
ESAs submit RTS to Commission by deadline
The ESAs shall submit the draft regulatory technical standards to the Commission by 17 July 2024.
Article 31. Designation of critical ICT third-party service providers
16 obligations
EU-DORA-31-01
Registration
Designate critical ICT third-party service providers
ESAs must, through the Joint Committee and upon recommendation from the Oversight Forum, designate ICT third-party servi
EU-DORA-31-02
Registration
Appoint Lead Overseer for critical ICT third-party service providers
ESAs must appoint as Lead Overseer for each critical ICT third-party service provider the ESA responsible for the financ
EU-DORA-31-03
Requirement
Designate coordination point for group critical ICT service providers
Critical ICT third-party service providers which are part of a group must designate one legal person as a coordination p
EU-DORA-31-04
Transparency
Notify ICT third-party service provider of assessment outcome
The Lead Overseer must notify the ICT third-party service provider of the outcome of the assessment leading to the desig
EU-DORA-31-05
Transparency
Submit reasoned statement within 6 weeks
ICT third-party service providers may submit to the Lead Overseer a reasoned statement with any relevant information for
EU-DORA-31-06
Requirement
Consider reasoned statement and may request additional information
The Lead Overseer must consider the reasoned statement submitted by ICT third-party service provider and may request add
EU-DORA-31-07
Transparency
Notify ICT third-party service provider of critical designation
After designating an ICT third-party service provider as critical, the ESAs through the Joint Committee must notify the
EU-DORA-31-08
Transparency
Notify financial entities of critical designation
The ICT third-party service provider must notify the financial entities to which they provide services of their designat
EU-DORA-31-09
Requirement
Adopt delegated act specifying criteria by 17 July 2024
The Commission must adopt a delegated act in accordance with Article 57 to supplement this Regulation by specifying furt
EU-DORA-31-10
Transparency
Establish, publish and update yearly list of critical ICT third-party service providers
The ESAs, through the Joint Committee, must establish, publish and update yearly the list of critical ICT third-party se
EU-DORA-31-11
Reporting
Transmit reports to Oversight Forum yearly
Competent authorities must, on a yearly and aggregated basis, transmit the reports referred to in Article 28(3), third s
EU-DORA-31-12
Monitoring
Assess ICT third-party dependencies
The Oversight Forum must assess the ICT third-party dependencies of financial entities based on the information received
EU-DORA-31-13
Registration
Submit reasoned application for critical designation
ICT third-party service providers not included in the critical list may submit a reasoned application to EBA, ESMA or EI
EU-DORA-31-14
Requirement
Decide on voluntary critical designation application within 6 months
EBA, ESMA or EIOPA, through the Joint Committee, must decide whether to designate an ICT third-party service provider as
EU-DORA-31-15
Requirement
Establish subsidiary in Union within 12 months for third country providers
Critical ICT third-party service providers established in a third country must establish a subsidiary in the Union withi
EU-DORA-31-16
Transparency
Notify Lead Overseer of subsidiary management structure changes
Critical ICT third-party service providers from third countries must notify the Lead Overseer of any changes to the stru
Article 32. Structure of the Oversight Framework
6 obligations
EU-DORA-32-01
Requirement
Establish Oversight Forum as sub-committee
The Joint Committee must establish the Oversight Forum as a sub-committee to support the work of the Joint Committee and
EU-DORA-32-02
Requirement
Prepare draft joint positions and common acts
The Oversight Forum must prepare the draft joint positions and the draft common acts of the Joint Committee in the area
EU-DORA-32-03
Monitoring
Regularly discuss ICT risk developments
The Oversight Forum must regularly discuss relevant developments on ICT risk and vulnerabilities and promote a consisten
EU-DORA-32-04
Reporting
Conduct yearly collective assessment of oversight activities
The Oversight Forum must undertake a collective assessment on a yearly basis of the results and findings of the oversigh
EU-DORA-32-05
Requirement
Promote coordination measures for digital operational resilience
The Oversight Forum must promote coordination measures to increase the digital operational resilience of financial entit
EU-DORA-32-06
Reporting
Submit comprehensive benchmarks for critical ICT third-party service providers
The Oversight Forum must submit comprehensive benchmarks for critical ICT third-party service providers to be adopted by