EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
Chapter I — General Provisions
Chapter II — ICT Risk Management
Chapter III — ICT-Related Incident Management, Classification and Reporting
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Article 43. Oversight fees
1 obligation
Article 44. International cooperation
2 obligations
EU-DORA-44-01
Requirement
International cooperation arrangements for ICT third-party risk
European Supervisory Authorities (EBA, ESMA, EIOPA) may conclude administrative arrangements with third-country regulato
EU-DORA-44-02
Reporting
Five-year joint confidential reporting on international cooperation
The European Supervisory Authorities must submit every five years a joint confidential report to the European Parliament
Chapter VI — Information-Sharing Arrangements
Article 45. Information-sharing arrangements on cyber threat information and intelligence
3 obligations
EU-DORA-45-01
Requirement
Comply with information-sharing arrangement conditions for cyber threat intelligence
Financial entities must ensure that when they exchange cyber threat information and intelligence, such sharing: (a) aims
EU-DORA-45-02
Requirement
Define participation conditions in information-sharing arrangements
Information-sharing arrangements must define the conditions for participation and, where appropriate, set out details on
EU-DORA-45-03
Reporting
Notify competent authorities of information-sharing arrangement participation
Financial entities must notify their competent authorities when they begin participation in information-sharing arrangem
Chapter VII — Competent Authorities
Article 46. Competent authorities
17 obligations
EU-DORA-46-01
Conformity
Designation of competent authorities for credit institutions
Credit institutions and institutions exempted pursuant to Directive 2013/36/EU must be subject to supervision by the com
EU-DORA-46-02
Conformity
Designation of competent authorities for payment institutions
Payment institutions, electronic money institutions, and account information service providers must be subject to superv
EU-DORA-46-03
Conformity
Designation of competent authorities for investment firms
Investment firms must be subject to supervision by the competent authority designated in accordance with Article 4 of Di
EU-DORA-46-04
Conformity
Designation of competent authorities for crypto-asset service providers
Crypto-asset service providers authorised under the Regulation on markets in crypto-assets and issuers of asset-referenc
EU-DORA-46-05
Conformity
Designation of competent authorities for central securities depositories
Central securities depositories must be subject to supervision by the competent authority designated in accordance with
EU-DORA-46-06
Conformity
Designation of competent authorities for central counterparties
Central counterparties must be subject to supervision by the competent authority designated in accordance with Article 2
EU-DORA-46-07
Conformity
Designation of competent authorities for trading venues and data reporting
Trading venues and data reporting service providers must be subject to supervision by the competent authority designated
EU-DORA-46-08
Conformity
Designation of competent authorities for trade repositories
Trade repositories must be subject to supervision by the competent authority designated in accordance with Article 22 of
EU-DORA-46-09
Conformity
Designation of competent authorities for alternative investment fund managers
Managers of alternative investment funds must be subject to supervision by the competent authority designated in accorda
EU-DORA-46-10
Conformity
Designation of competent authorities for management companies
Management companies must be subject to supervision by the competent authority designated in accordance with Article 97
EU-DORA-46-11
Conformity
Designation of competent authorities for insurance undertakings
Insurance and reinsurance undertakings must be subject to supervision by the competent authority designated in accordanc
EU-DORA-46-12
Conformity
Designation of competent authorities for insurance intermediaries
Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries must be subject to supervisi
EU-DORA-46-13
Conformity
Designation of competent authorities for occupational retirement provision
Institutions for occupational retirement provision must be subject to supervision by the competent authority designated
EU-DORA-46-14
Conformity
Designation of competent authorities for credit rating agencies
Credit rating agencies must be subject to supervision by the competent authority designated in accordance with Article 2
EU-DORA-46-15
Conformity
Designation of competent authorities for benchmark administrators
Administrators of critical benchmarks must be subject to supervision by the competent authority designated in accordance
EU-DORA-46-16
Conformity
Designation of competent authorities for crowdfunding service providers
Crowdfunding service providers must be subject to supervision by the competent authority designated in accordance with A
EU-DORA-46-17
Conformity
Designation of competent authorities for securitisation repositories
Securitisation repositories must be subject to supervision by the competent authority designated in accordance with Arti
Article 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555
2 obligations
EU-DORA-47-01
Requirement
ESAs and competent authorities may participate in Cooperation Group activities
ESAs and competent authorities may participate in the activities of the Cooperation Group established by Article 14 of D
EU-DORA-47-02
Requirement
Request invitation to Cooperation Group for critical ICT third-party providers
ESAs and competent authorities may request to be invited to participate in Cooperation Group activities for matters rela