EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions (ref)
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter V — Managing ICT Third-Party Risk
Article 34. Operational coordination between Lead Overseers
2 obligations
EU-DORA-34-03
Documentation
Draw up common oversight protocol
Lead Overseers must draw up a common oversight protocol specifying detailed procedures for carrying out day-to-day coord
EU-DORA-34-04
Requirement
Periodically revise oversight protocol
Lead Overseers must periodically revise the common oversight protocol to reflect operational needs, particularly the evo
Article 35. Powers of the Lead Overseer
19 obligations
EU-DORA-35-01
Transparency
Provide all relevant information and documentation to Lead Overseer
Critical ICT third-party service providers must provide all relevant information and documentation when requested by the
EU-DORA-35-02
Monitoring
Submit to general investigations and inspections by Lead Overseer
Critical ICT third-party service providers must cooperate with and submit to general investigations and inspections cond
EU-DORA-35-03
Reporting
Provide reports on remedial actions and implementations
Critical ICT third-party service providers must provide reports specifying the actions taken or remedies implemented in
EU-DORA-35-04
Reporting
Transmit subcontracting information using specified template
ICT third-party service providers must transmit information regarding subcontracting to the Lead Overseer using the temp
EU-DORA-35-05
Requirement
Cooperate in good faith with Lead Overseer
Critical ICT third-party service providers must cooperate in good faith with the Lead Overseer and assist it in the fulf
EU-DORA-35-06
Transparency
Provide impact information before recommendation issuance
ICT third-party service providers must provide, within 30 calendar days when given opportunity by the Lead Overseer, rel
EU-DORA-35-07
Requirement
Lead Overseer must ensure regular coordination within JON
The Lead Overseer must ensure regular coordination within the Joint Oversight Network (JON) and seek consistent approach
EU-DORA-35-08
Requirement
Lead Overseer must account for NIS2 Directive framework
The Lead Overseer must take due account of the framework established by Directive (EU) 2022/2555 and consult relevant co
EU-DORA-35-09
Requirement
Lead Overseer must minimize disruption to out-of-scope customers
The Lead Overseer must seek to minimize, to the extent possible, the risk of disruption to services provided by critical
EU-DORA-35-10
Requirement
Lead Overseer must consult Oversight Forum before exercising powers
The Lead Overseer must consult the Oversight Forum before exercising the powers referred to in paragraph 1 of Article 35
EU-DORA-35-11
Reporting
Lead Overseer must inform JON of power exercise outcomes
The Lead Overseer must inform the Joint Oversight Network (JON) of the outcome of exercising powers related to informati
EU-DORA-35-12
Reporting
Lead Overseer must transmit remedial action reports
The Lead Overseer must, without undue delay, transmit reports on remedial actions to the JON and to competent authoritie
EU-DORA-35-13
Requirement
Lead Overseer must impose periodic penalty payments for non-compliance
The Lead Overseer must adopt a decision imposing periodic penalty payments to compel compliance when critical ICT third-
EU-DORA-35-14
Requirement
Lead Overseer must limit penalty payment duration
The Lead Overseer must impose periodic penalty payments on a daily basis until compliance is achieved and for no more th
EU-DORA-35-15
Requirement
Lead Overseer must calculate penalty payments within prescribed limits
The Lead Overseer must calculate penalty payments up to 1% of average daily worldwide turnover of the critical ICT third
EU-DORA-35-16
Requirement
Lead Overseer must consult JON for penalty consistency
The Lead Overseer must engage in consultation within the Joint Oversight Network (JON) to ensure a consistent approach w
EU-DORA-35-17
Transparency
Lead Overseer must publicly disclose penalty payments
The Lead Overseer must disclose to the public every periodic penalty payment that has been imposed, unless such disclosu
EU-DORA-35-18
Requirement
Lead Overseer must provide opportunity to be heard before penalties
The Lead Overseer must give representatives of critical ICT third-party service providers the opportunity to be heard on
EU-DORA-35-19
Requirement
Lead Overseer must respect defence rights and provide file access
The Lead Overseer must fully respect the rights of defence of persons subject to proceedings and provide access to the f
Article 36. Exercise of the powers of the Lead Overseer outside the Union
4 obligations
EU-DORA-36-01
Monitoring
Exercise oversight powers in third countries when Union-based oversight insufficient
The Lead Overseer may exercise the powers specified in Article 35(1)(a) and (b) on premises located in third countries owned or
EU-DORA-36-02
Requirement
Ensure inspection necessity for third-country oversight
The Lead Overseer must deem the conduct of an inspection in a third country necessary to allow it to fully and effectively p
EU-DORA-36-03
Requirement
Verify direct relation to Union ICT services provision
The Lead Overseer must ensure that the inspection in a third country is directly related to the provision of ICT services to
EU-DORA-36-04
Requirement
Obtain critical ICT provider consent for third-country inspection
The Lead Overseer must obtain consent from the critical ICT third-party service provider concerned before conducting an insp