EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 11. Response and recovery
13 obligations
- EU-DORA-11-11 (Requirement): Conduct business impact analysis (BIA)
  Financial entities must conduct a business impact analysis (BIA) of their exposures to severe business disruptions as pa
- EU-DORA-11-12 (Requirement): Assess potential impact using quantitative and qualitative criteria
  Financial entities must assess the potential impact of severe business disruptions by means of quantitative and qualitat
- EU-DORA-11-13 (Requirement): Consider criticality and interdependencies in BIA
  The BIA must consider the criticality of identified and mapped business functions, support processes, third-party depend
- EU-DORA-11-14 (Requirement): Ensure ICT assets alignment with BIA requirements
  Financial entities must ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in
- EU-DORA-11-15 (Requirement): Test ICT business continuity and response plans annually
  Financial entities must test the ICT business continuity plans and the ICT response and recovery plans in relation to IC
- EU-DORA-11-16 (Requirement): Test crisis communication plans
  Financial entities must test the crisis communication plans established in accordance with Article 14.
- EU-DORA-11-17 (Requirement): Include cyber-attack scenarios and switchover testing
  Financial entities other than microenterprises must include in the testing plans scenarios of cyber-attacks and switchov
- EU-DORA-11-18 (Requirement): Regularly review ICT business continuity policy and plans
  Financial entities must regularly review their ICT business continuity policy and ICT response and recovery plans, takin
- EU-DORA-11-19 (Requirement): Establish crisis management function
  Financial entities other than microenterprises must have a crisis management function, which, in the event of activation
- EU-DORA-11-20 (Documentation): Keep readily accessible records of disruption activities
  Financial entities must keep readily accessible records of activities before and during disruption events when their ICT
- EU-DORA-11-21 (Reporting): Provide ICT business continuity test results to authorities (CSDs)
  Central securities depositories must provide the competent authorities with copies of the results of the ICT business co
- EU-DORA-11-22 (Reporting): Report aggregated annual costs and losses upon request
  Financial entities other than microenterprises must report to the competent authorities, upon their request, an estimati
- EU-DORA-11-23 (Requirement): ESAs to develop guidelines on cost and loss estimation
  The ESAs, through the Joint Committee, must by 17 July 2024 develop common guidelines on the estimation of aggregated an
Article 12. Backup policies and procedures, restoration and recovery procedures and methods
12 obligations
- EU-DORA-12-01 (Documentation): Develop and document backup policies specifying scope and frequency
  Financial entities must develop and document backup policies and procedures that specify the scope of data subject to ba
- EU-DORA-12-02 (Documentation): Develop and document restoration and recovery procedures and methods
  Financial entities must develop and document restoration and recovery procedures and methods as part of their ICT risk m
- EU-DORA-12-03 (Requirement): Set up backup systems that can be activated according to documented procedures
  Financial entities must set up backup systems that can be activated in accordance with their backup policies and procedu
- EU-DORA-12-04 (Requirement): Ensure backup system activation does not jeopardise security or data integrity
  The activation of backup systems must not jeopardise the security of network and information systems or the availability
- EU-DORA-12-05 (Requirement): Periodically test backup, restoration and recovery procedures
  Financial entities must undertake periodic testing of backup procedures and restoration and recovery procedures and meth
- EU-DORA-12-06 (Requirement): Use physically and logically segregated ICT systems for backup restoration
  When restoring backup data using own systems, financial entities must use ICT systems that are physically and logically
- EU-DORA-12-07 (Requirement): Securely protect backup ICT systems from unauthorised access and corruption
  Backup ICT systems must be securely protected from any unauthorised access or ICT corruption and allow for timely restor
- EU-DORA-12-08 (Requirement): Enable recovery of all transactions for central counterparties
  For central counterparties, recovery plans must enable the recovery of all transactions at the time of disruption to all
- EU-DORA-12-09 (Requirement): Maintain adequate resources and backup facilities for data reporting services
  Data reporting service providers must maintain adequate resources and have back-up and restoration facilities in place i
- EU-DORA-12-10 (Requirement): Maintain redundant ICT capacities (non-microenterprises)
  Financial entities, other than microenterprises, must maintain redundant ICT capacities equipped with resources, capabil
- EU-DORA-12-11 (Requirement): Assess need for redundant ICT capacities (microenterprises)
  Microenterprises must assess the need to maintain redundant ICT capacities based on their risk profile.
- EU-DORA-12-12 (Requirement): Maintain at least one secondary processing site (CSDs)
  Central securities depositories must maintain at least one secondary processing site endowed with adequate resources, ca