EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter I — General Provisions
Chapter II — ICT Risk Management
Article 5. Governance and organisation
1 obligation
Chapter III — ICT-Related Incident Management, Classification and Reporting
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Article 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555
5 obligations
EU-DORA-47-03
Transparency
Consult and share information with single points of contact and CSIRTs
Competent authorities may consult and share information with the single points of contact and the CSIRTs designated or e
EU-DORA-47-04
Requirement
Request technical advice and assistance from NIS2 competent authorities
Competent authorities may request relevant technical advice and assistance from the competent authorities designated or
EU-DORA-47-05
Requirement
Establish cooperation arrangements with NIS2 authorities
Competent authorities may establish cooperation arrangements to allow effective and fast-response coordination mechanism
EU-DORA-47-06
Documentation
Specify procedures for coordination of supervisory activities
Cooperation arrangements may specify procedures for the coordination of supervisory and oversight activities in relation
EU-DORA-47-07
Transparency
Establish information exchange mechanisms between authorities
Cooperation arrangements may establish mechanisms for the exchange of information between competent authorities under th
Article 48. Cooperation between authorities
2 obligations
EU-DORA-48-01
Requirement
Close cooperation between competent authorities and Lead Overseer
Competent authorities must cooperate closely among themselves and, where applicable, with the Lead Overseer in carrying
EU-DORA-48-02
Transparency
Timely mutual information exchange on critical ICT third-party providers
Competent authorities and the Lead Overseer must mutually exchange all relevant information concerning critical ICT thir
Article 49. Financial cross-sector exercises, communication and cooperation
5 obligations
EU-DORA-49-01
Requirement
Establish cross-sector practice-sharing mechanisms
ESAs, through the Joint Committee and in collaboration with specified authorities, may establish mechanisms to enable th
EU-DORA-49-02
Requirement
Develop crisis management and contingency exercises
ESAs and collaborating authorities may develop crisis management and contingency exercises involving cyber-attack scenar
EU-DORA-49-03
Requirement
Cross-sector dependency testing in exercises
Crisis management and contingency exercises may, as appropriate, also test the financial sector's dependencies on other
EU-DORA-49-04
Requirement
Cooperate closely and exchange information between authorities
Competent authorities, ESAs and the ECB shall cooperate closely with each other and exchange information to carry out th
EU-DORA-49-05
Requirement
Coordinate supervision closely to identify and remedy breaches
Competent authorities, ESAs and the ECB shall closely coordinate their supervision in order to identify and remedy breac
Article 50. Administrative penalties and remedial measures
12 obligations
EU-DORA-50-01
Requirement
Grant necessary supervisory, investigatory and sanctioning powers
Competent authorities must be granted all supervisory, investigatory and sanctioning powers necessary to fulfil their du
EU-DORA-50-02
Requirement
Grant document and data access powers
Competent authorities must be granted the power to have access to any document or data held in any form that they consid
EU-DORA-50-03
Requirement
Grant on-site inspection powers including summoning representatives
Competent authorities must be granted the power to carry out on-site inspections or investigations, including summoning
EU-DORA-50-04
Requirement
Grant interview powers for information collection
Competent authorities must be granted the power to interview any other natural or legal person who consents to be interv
EU-DORA-50-05
Requirement
Grant corrective and remedial measures powers
Competent authorities must be granted the power to require corrective and remedial measures for breaches of the requirem
EU-DORA-50-06
Requirement
Establish administrative penalties and remedial measures rules
Member States must lay down rules establishing appropriate administrative penalties and remedial measures for breaches o
EU-DORA-50-07
Requirement
Ensure penalties are effective, proportionate and dissuasive
Administrative penalties and measures must be effective, proportionate and dissuasive.
EU-DORA-50-08
Requirement
Grant power to issue cease and desist orders
Member States must confer on competent authorities the power to issue an order requiring the natural or legal person to
EU-DORA-50-09
Requirement
Grant power to require cessation of contrary practices
Member States must confer on competent authorities the power to require the temporary or permanent cessation of any prac
EU-DORA-50-10
Requirement
Grant power to adopt compliance measures, including pecuniary ones
Member States must confer on competent authorities the power to adopt any type of measure, including of pecuniary nature
EU-DORA-50-11
Requirement
Grant power to require telecommunication traffic records
Member States must confer on competent authorities the power to require, insofar as permitted by national law, existing
EU-DORA-50-12
Requirement
Grant power to issue public notices and statements
Member States must confer on competent authorities the power to issue public notices, including public statements indica