EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter I — General Provisions
Article 4. Proportionality principle
3 obligations
EU-DORA-4-01
Requirement
Implement Chapter II rules with proportionality
Financial entities must implement the rules laid down in Chapter II in accordance with the principle of proportionality,
EU-DORA-4-02
Requirement
Apply Chapters III, IV and V Section I proportionately
Financial entities must apply the provisions of Chapters III, IV and V, Section I in a manner proportionate to their siz
EU-DORA-4-03
Requirement
Consider proportionality principle in ICT risk management framework reviews
Competent authorities must consider the application of the proportionality principle by financial entities when reviewin
Chapter V — Managing ICT Third-Party Risk
Article 40. Ongoing oversight
1 obligation
Article 41. Harmonisation of conditions enabling the conduct of the oversight activities
5 obligations
EU-DORA-41-01
Requirement
Develop draft RTS for voluntary critical ICT third-party service provider designation
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the information to b
EU-DORA-41-02
Requirement
Develop draft RTS for ICT third-party service provider information submission
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the content, structu
EU-DORA-41-03
Requirement
Develop draft RTS for joint examination team criteria and arrangements
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the criteria for det
EU-DORA-41-04
Requirement
Develop draft RTS for competent authorities' assessment details
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the details of the c
EU-DORA-41-05
Requirement
Submit draft regulatory technical standards by deadline
The ESAs must submit the draft regulatory technical standards specified in paragraph 1 to the Commission by 17 July 2024
Article 42. Follow-up by competent authorities
14 obligations
EU-DORA-42-01
Transparency
Notify Lead Overseer of recommendation compliance intention within 60 days
Critical ICT third-party service providers must notify the Lead Overseer of their intention to follow recommendations or
EU-DORA-42-02
Transparency
Transmit critical ICT provider responses to competent authorities
The Lead Overseer shall immediately transmit information received from critical ICT third-party service providers regard
EU-DORA-42-03
Transparency
Publicly disclose non-compliance by critical ICT providers
The Lead Overseer shall publicly disclose cases where a critical ICT third-party service provider fails to notify compli
EU-DORA-42-04
Transparency
Notify ICT provider of public disclosure
The Lead Overseer shall notify the ICT third-party service provider when making a public disclosure about their non-comp
EU-DORA-42-05
Transparency
Inform financial entities of identified risks in recommendations
Competent authorities shall inform the relevant financial entities of the risks identified in the recommendations addres
EU-DORA-42-06
Risk Management
Take risks into account when managing ICT third-party risk
Financial entities shall take into account the risks identified in recommendations when managing ICT third-party risk.
EU-DORA-42-07
Transparency
Notify financial entity of potential suspension decision
Where a competent authority deems that a financial entity fails to adequately address risks identified in recommendation
EU-DORA-42-08
Requirement
Consider suspension or termination of ICT provider arrangements
Competent authorities may, as a measure of last resort, require financial entities to temporarily suspend or completely
EU-DORA-42-09
Monitoring
Issue non-binding opinions to promote supervisory consistency
The Lead Overseer may issue non-binding and non-public opinions to competent authorities to promote consistent superviso
EU-DORA-42-10
Requirement
Apply specified criteria when making suspension decisions
Competent authorities shall take into account specific criteria including gravity and duration of non-compliance, proced
EU-DORA-42-11
Requirement
Grant financial entities adjustment period for contractual arrangements
Competent authorities shall grant financial entities the necessary period of time to enable them to adjust contractual a
EU-DORA-42-12
Transparency
Notify Oversight Forum and JON of suspension decisions
Suspension decisions under paragraph 6 shall be notified to the members of the Oversight Forum referred to in Article 32
EU-DORA-42-13
Requirement
Cooperate with impacted financial entities during suspension/termination
Critical ICT third-party service providers affected by suspension decisions shall fully cooperate with the financial ent
EU-DORA-42-14
Reporting
Regularly inform Lead Overseer on supervisory approaches and measures
Competent authorities shall regularly inform the Lead Overseer on the approaches and measures taken in their supervisory
Article 43. Oversight fees
2 obligations
EU-DORA-43-01
Requirement
Pay oversight fees to Lead Overseer
Critical ICT third-party service providers must pay fees charged by the Lead Overseer that fully cover the Lead Overseer
EU-DORA-43-02
Requirement
Charge oversight fees to critical ICT third-party service providers
The Lead Overseer shall charge critical ICT third-party service providers fees in accordance with the delegated act that