EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter V — Managing ICT Third-Party Risk
Article 37. Request for information
1 obligation
Article 38. General investigations
10 obligations
EU-DORA-38-01
Requirement
Submit to investigations by Lead Overseer
Critical ICT third-party service providers must submit to investigations conducted by the Lead Overseer based on a decis
EU-DORA-38-02
Transparency
Provide records, data, procedures and materials for examination
Critical ICT third-party service providers must provide access to and allow examination of records, data, procedures and
EU-DORA-38-03
Transparency
Allow copying and extraction of materials
Critical ICT third-party service providers must allow the Lead Overseer to take or obtain certified copies of, or extrac
EU-DORA-38-04
Transparency
Respond to summons for explanations
Representatives of critical ICT third-party service providers must respond to summons for oral or written explanations o
EU-DORA-38-05
Transparency
Provide telephone and data traffic records upon request
Critical ICT third-party service providers must provide records of telephone and data traffic when requested by the Lead
EU-DORA-38-06
Transparency
Inform competent authorities before investigation start
The Lead Overseer must inform competent authorities of financial entities using the ICT services of the critical ICT thi
EU-DORA-38-07
Transparency
Communicate investigation information to JON
The Lead Overseer must communicate to the Joint Oversight Network (JON) all information transmitted to competent authori
EU-DORA-38-08
Documentation
Produce written authorization for investigation officials
Officials and persons authorized by the Lead Overseer must exercise their investigation powers upon production of writte
EU-DORA-38-09
Transparency
Include penalty information in investigation authorization
The written authorization for investigations must indicate the periodic penalty payments provided for in Article 35(6) f
EU-DORA-38-10
Transparency
Include legal remedies and review rights in investigation decision
The Lead Overseer's investigation decision must specify the subject matter, purpose, penalty payments under Article 35(6
Article 39. Inspections
8 obligations
EU-DORA-39-01
Monitoring
Conduct necessary inspections of ICT third-party service providers
The Lead Overseer must conduct all necessary onsite and off-site inspections of ICT third-party service providers' busin
EU-DORA-39-02
Requirement
Consult JON before exercising inspection powers
The Lead Overseer must consult the JON (Joint Oversight Network) before exercising inspection powers on ICT third-party
EU-DORA-39-03
Requirement
Exercise inspection powers with written authorization
Officials and persons authorized by the Lead Overseer must exercise their inspection powers only upon production of writ
EU-DORA-39-04
Transparency
Inform competent authorities before inspections
The Lead Overseer must inform the competent authorities of financial entities using the ICT third-party service provider
EU-DORA-39-05
Requirement
Provide reasonable notice for planned on-site inspections
The Lead Overseer must give reasonable notice to critical ICT third-party service providers before any planned on-site i
EU-DORA-39-06
Requirement
Submit to on-site inspections ordered by Lead Overseer
Critical ICT third-party service providers must submit to on-site inspections ordered by decision of the Lead Overseer.
EU-DORA-39-07
Documentation
Issue inspection decisions with required specifications
The Lead Overseer must issue inspection decisions that specify subject matter, purpose, start date, penalty provisions,
EU-DORA-39-08
Transparency
Inform providers of consequences when opposing inspections
When officials find that a critical ICT third-party service provider opposes an inspection, the Lead Overseer must infor
Article 40. Ongoing oversight
6 obligations
EU-DORA-40-01
Requirement
Lead Overseer must establish joint examination teams for critical ICT providers
When conducting oversight activities, particularly general investigations or inspections, the Lead Overseer shall be ass
EU-DORA-40-02
Requirement
Joint examination team composition requirements
The joint examination team must be composed of staff members from the ESAs, relevant competent authorities supervising f
EU-DORA-40-03
Requirement
Joint examination team member expertise requirements
Members of the joint examination team shall have expertise in ICT matters and in operational risk.
EU-DORA-40-04
Requirement
Joint examination team coordination under Lead Overseer coordinator
The joint examination team shall work under the coordination of a designated Lead Overseer staff member (the 'Lead Overs
EU-DORA-40-05
Requirement
Lead Overseer must adopt recommendations within 3 months after investigation completion
Within 3 months of the completion of an investigation or inspection, the Lead Overseer, after consulting the Oversight F
EU-DORA-40-06
Requirement
Lead Overseer must immediately communicate recommendations to critical ICT provider
The recommendations shall be immediately communicated to the critical ICT third-party service provider.