EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Article 36. Exercise of the powers of the Lead Overseer outside the Union
11 obligations
- EU-DORA-36-05 (Requirement) Provide consent for third-country inspections: Critical ICT third-party service providers must provide consent when requested by the Lead Overseer for the conduct of i
- EU-DORA-36-06 (Requirement) Officially notify third-country authority before inspection: Lead Overseer must officially notify the relevant authority of the third-country concerned and ensure they have raised n
- EU-DORA-36-07 (Requirement) Conclude administrative cooperation arrangements with third countries: EBA, ESMA or EIOPA shall conclude administrative cooperation arrangements with relevant third-country authorities to ena
- EU-DORA-36-08 (Requirement) Include coordination procedures in cooperation arrangements: Cooperation arrangements must specify procedures for coordinating oversight activities under this Regulation and analogo
- EU-DORA-36-09 (Requirement) Establish information transmission mechanisms in cooperation arrangements: Cooperation arrangements must specify mechanisms for transmission of relevant information between ESAs and third-country
- EU-DORA-36-10 (Requirement) Include infringement notification mechanisms in cooperation arrangements: Cooperation arrangements must specify mechanisms for prompt notification by third-country authorities to ESAs when criti
- EU-DORA-36-11 (Requirement) Establish regular regulatory update transmission in cooperation arrangements: Cooperation arrangements must provide for regular transmission of updates on regulatory or supervisory developments conc
- EU-DORA-36-12 (Requirement) Include third-country authority participation details in cooperation arrangements: Cooperation arrangements must specify details for allowing participation of one representative of the relevant third-cou
- EU-DORA-36-13 (Requirement) Exercise powers based on available facts when unable to conduct third-country oversight: When the Lead Overseer cannot conduct oversight activities outside the Union, it must exercise its powers under Article
- EU-DORA-36-14 (Documentation) Document consequences of inability to conduct third-country oversight: Lead Overseer must document and explain any consequence of its inability to conduct the envisaged oversight activities i
- EU-DORA-36-15 (Requirement) Consider third-country oversight limitations in recommendations: Lead Overseer must take into consideration the potential consequences of its inability to conduct third-country oversigh
Article 37. Request for information
14 obligations
- EU-DORA-37-01 (Transparency) Provide information upon Lead Overseer request: Critical ICT third-party service providers must provide all information necessary for the Lead Overseer to carry out its
- EU-DORA-37-02 (Requirement) Lead Overseer must refer to legal basis in simple requests: When sending a simple request for information, the Lead Overseer shall refer to this Article as the legal basis of the r
- EU-DORA-37-03 (Requirement) Lead Overseer must state purpose in simple requests: When sending a simple request for information, the Lead Overseer shall state the purpose of the request.
- EU-DORA-37-04 (Requirement) Lead Overseer must specify required information in simple requests: When sending a simple request for information, the Lead Overseer shall specify what information is required.
- EU-DORA-37-05 (Requirement) Lead Overseer must set time limit in simple requests: When sending a simple request for information, the Lead Overseer shall set a time limit within which the information is
- EU-DORA-37-06 (Requirement) Lead Overseer must inform about voluntary nature in simple requests: When sending a simple request for information, the Lead Overseer shall inform the representative that they are not oblig
- EU-DORA-37-07 (Requirement) Lead Overseer must refer to legal basis in decisions: When requiring by decision to supply information, the Lead Overseer shall refer to this Article as the legal basis of th
- EU-DORA-37-08 (Requirement) Lead Overseer must state purpose in decisions: When requiring by decision to supply information, the Lead Overseer shall state the purpose of the request.
- EU-DORA-37-09 (Requirement) Lead Overseer must specify required information in decisions: When requiring by decision to supply information, the Lead Overseer shall specify what information is required.
- EU-DORA-37-10 (Requirement) Lead Overseer must set time limit in decisions: When requiring by decision to supply information, the Lead Overseer shall set a time limit within which the information
- EU-DORA-37-11 (Requirement) Lead Overseer must indicate periodic penalties in decisions: When requiring by decision to supply information, the Lead Overseer shall indicate the periodic penalty payments provide
- EU-DORA-37-12 (Requirement) Lead Overseer must indicate appeal rights in decisions: When requiring by decision to supply information, the Lead Overseer shall indicate the right to appeal the decision to E
- EU-DORA-37-13 (Requirement) Representatives must supply requested information: Representatives of critical ICT third-party service providers shall supply the information requested by the Lead Oversee
- EU-DORA-37-14 (Requirement) Provider remains responsible for lawyer-supplied information: When lawyers supply information on behalf of their clients, the critical ICT third-party service provider shall remain f