EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 5. Governance and organisation
14 obligations

- EU-DORA-5-02 (Requirement): Management body must define ICT risk management framework
  The management body of the financial entity must define all arrangements related to the ICT risk management framework re
- EU-DORA-5-03 (Requirement): Management body must approve ICT risk management framework
  The management body of the financial entity must approve all arrangements related to the ICT risk management framework r
- EU-DORA-5-04 (Human Oversight): Management body must oversee ICT risk management framework
  The management body of the financial entity must oversee all arrangements related to the ICT risk management framework r
- EU-DORA-5-05 (Requirement): Management body responsibility for ICT risk management implementation
  The management body of the financial entity must be responsible for the implementation of all arrangements related to th
- EU-DORA-5-06 (Requirement): Management body bears ultimate responsibility for managing ICT risk
  The management body must bear the ultimate responsibility for managing the financial entity's ICT risk.
- EU-DORA-5-07 (Data Governance): Establish data availability policies
  The management body must put in place policies that aim to ensure the maintenance of high standards of availability of d
- EU-DORA-5-08 (Data Governance): Establish data authenticity policies
  The management body must put in place policies that aim to ensure the maintenance of high standards of authenticity of d
- EU-DORA-5-09 (Data Governance): Establish data integrity policies
  The management body must put in place policies that aim to ensure the maintenance of high standards of integrity of data
- EU-DORA-5-10 (Data Governance): Establish data confidentiality policies
  The management body must put in place policies that aim to ensure the maintenance of high standards of confidentiality o
- EU-DORA-5-11 (Requirement): Set clear roles and responsibilities for ICT functions
  The management body must set clear roles and responsibilities for all ICT-related functions.
- EU-DORA-5-12 (Requirement): Establish governance arrangements for ICT function coordination
  The management body must establish appropriate governance arrangements to ensure effective and timely communication, coo
- EU-DORA-5-13 (Requirement): Set and approve digital operational resilience strategy
  The management body must bear the overall responsibility for setting and approving the digital operational resilience st
- EU-DORA-5-14 (Risk Management): Determine appropriate ICT risk tolerance level
  The management body must determine the appropriate risk tolerance level of ICT risk of the financial entity, as referred
- EU-DORA-5-15 (Requirement): Approve ICT business continuity policy
  The management body must approve the financial entity's ICT business continuity policy referred to in Article 11(1).
Chapter VII — Competent Authorities
Article 50. Administrative penalties and remedial measures
2 obligations

- EU-DORA-50-13 (Requirement): Grant power to apply penalties to management and responsible individuals
  Where administrative penalties and remedial measures apply to legal persons, Member States must confer on competent auth
- EU-DORA-50-14 (Requirement): Ensure reasoned decisions and appeal rights for penalties
  Member States must ensure that any decision imposing administrative penalties or remedial measures is properly reasoned
Article 51. Exercise of the power to impose administrative penalties and remedial measures
9 obligations

- EU-DORA-51-01 (Requirement): Exercise administrative penalty powers in accordance with national frameworks
  Competent authorities must exercise their powers to impose administrative penalties and remedial measures (as specified
- EU-DORA-51-02 (Requirement): Consider intentionality and negligence in penalty determination
  Competent authorities must take into account the extent to which a breach is intentional or results from negligence when
- EU-DORA-51-03 (Requirement): Consider materiality, gravity and duration of breach
  Competent authorities must consider the materiality, gravity and duration of the breach when determining administrative
- EU-DORA-51-04 (Requirement): Consider degree of responsibility in penalty determination
  Competent authorities must consider the degree of responsibility of the natural or legal person responsible for the brea
- EU-DORA-51-05 (Requirement): Consider financial strength in penalty determination
  Competent authorities must consider the financial strength of the responsible natural or legal person when determining a
- EU-DORA-51-06 (Requirement): Consider profits gained or losses avoided in penalty determination
  Competent authorities must consider the importance of profits gained or losses avoided by the responsible natural or leg
- EU-DORA-51-07 (Requirement): Consider losses to third parties in penalty determination
  Competent authorities must consider the losses for third parties caused by the breach, insofar as they can be determined
- EU-DORA-51-08 (Requirement): Consider level of cooperation in penalty determination
  Competent authorities must consider the level of cooperation of the responsible natural or legal person with the compete
- EU-DORA-51-09 (Requirement): Consider previous breaches in penalty determination
  Competent authorities must consider previous breaches by the responsible natural or legal person when determining the ty