EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter V — Managing ICT Third-Party Risk
Article 32. Structure of the Oversight Framework
5 obligations

| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-32-07 | Requirement | Designate high-level representative for Oversight Forum | Each Member State must designate the relevant competent authority whose staff member shall be the high-level representat |
| EU-DORA-32-08 | Transparency | Publish list of high-level representatives | The ESAs must publish on their website the list of high-level representatives from the current staff of the relevant com |
| EU-DORA-32-09 | Requirement | Appoint independent experts through transparent process | The Oversight Forum must appoint independent experts from a pool of experts selected following a public and transparent |
| EU-DORA-32-10 | Requirement | Issue guidelines on cooperation by 17 July 2024 | The ESAs must issue guidelines by 17 July 2024 on the cooperation between the ESAs and the competent authorities coverin |
| EU-DORA-32-11 | Reporting | Submit yearly report on application of oversight framework | The ESAs, through the Joint Committee and based on preparatory work conducted by the Oversight Forum, must submit a repo |
Article 33. Tasks of the Lead Overseer
18 obligations

| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-33-01 | Monitoring | Conduct oversight of assigned critical ICT third-party service providers | The Lead Overseer must conduct oversight activities for all critical ICT third-party service providers assigned to them |
| EU-DORA-33-02 | Human Oversight | Serve as primary point of contact for critical ICT third-party service providers | The Lead Overseer must act as the primary point of contact for critical ICT third-party service providers for all matter |
| EU-DORA-33-03 | Risk Management | Assess risk management rules and procedures of critical ICT third-party providers | The Lead Overseer must assess whether each critical ICT third-party service provider has comprehensive, sound and effect |
| EU-DORA-33-04 | Risk Management | Focus assessment on ICT services supporting critical or important functions | The assessment must primarily focus on ICT services provided by the critical ICT third-party service provider that suppo |
| EU-DORA-33-05 | Risk Management | Extend assessment to non-critical functions when necessary | When necessary to address all relevant risks, the assessment must be extended to ICT services supporting functions other |
| EU-DORA-33-06 | Risk Management | Assess ICT requirements for service security and quality | The assessment must cover ICT requirements to ensure security, availability, continuity, scalability and quality of serv |
| EU-DORA-33-07 | Risk Management | Assess physical security measures | The assessment must cover physical security contributing to ICT security, including security of premises, facilities, an |
| EU-DORA-33-08 | Risk Management | Assess risk management processes | The assessment must cover risk management processes, including ICT risk management policies, ICT business continuity pol |
| EU-DORA-33-09 | Risk Management | Assess governance arrangements | The assessment must cover governance arrangements, including organizational structure with clear, transparent and consis |
| EU-DORA-33-10 | Monitoring | Assess incident identification, monitoring and reporting mechanisms | The assessment must cover the identification, monitoring and prompt reporting of material ICT-related incidents to finan |
| EU-DORA-33-11 | Data Governance | Assess data and application portability mechanisms | The assessment must cover mechanisms for data portability, application portability and interoperability that ensure effe |
| EU-DORA-33-12 | Risk Management | Assess ICT systems testing | The assessment must cover the testing of ICT systems, infrastructure and controls. |
| EU-DORA-33-13 | Monitoring | Assess ICT audits | The assessment must cover ICT audits conducted by the critical ICT third-party service provider. |
| EU-DORA-33-14 | Conformity | Assess use of relevant standards | The assessment must cover the use of relevant national and international standards applicable to the provision of ICT se |
| EU-DORA-33-15 | Documentation | Adopt individual oversight plan in coordination with JON | Based on the assessment and in coordination with the Joint Oversight Network (JON) referred to in Article 34(1), the Lea |
| EU-DORA-33-16 | Transparency | Communicate oversight plan yearly to critical ICT third-party service providers | The oversight plan must be communicated yearly to the critical ICT third-party service provider. |
| EU-DORA-33-17 | Transparency | Communicate draft oversight plan prior to adoption | Prior to adoption of the oversight plan, the Lead Overseer must communicate the draft oversight plan to the critical ICT |
| EU-DORA-33-18 | Human Oversight | Coordinate with competent authorities on measures concerning critical providers | Once annual oversight plans have been adopted and notified, competent authorities may only take measures concerning crit |
Article 34. Operational coordination between Lead Overseers
2 obligations

| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-34-01 | Requirement | Establish Joint Oversight Network (JON) | The three Lead Overseers must set up a Joint Oversight Network (JON) to coordinate among themselves in preparatory stage |
| EU-DORA-34-02 | Requirement | Ensure consistent oversight approach | Lead Overseers must ensure a consistent approach to oversight activities to enable coordinated general oversight strateg |