EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 5. Governance and organisation
21 obligations
EU-DORA-5-16
Human Oversight
Oversee ICT business continuity policy implementation
The management body must oversee the implementation of the financial entity's ICT business continuity policy referred to
EU-DORA-5-17
Requirement
Periodically review ICT business continuity policy implementation
The management body must periodically review the implementation of the financial entity's ICT business continuity policy
EU-DORA-5-18
Requirement
Approve ICT response and recovery plans
The management body must approve the financial entity's ICT response and recovery plans referred to in Article 11(3).
EU-DORA-5-19
Human Oversight
Oversee ICT response and recovery plans implementation
The management body must oversee the implementation of the financial entity's ICT response and recovery plans referred t
EU-DORA-5-20
Requirement
Periodically review ICT response and recovery plans implementation
The management body must periodically review the implementation of the financial entity's ICT response and recovery plan
EU-DORA-5-21
Requirement
Approve ICT internal audit plans
The management body must approve the financial entity's ICT internal audit plans.
EU-DORA-5-22
Requirement
Approve ICT audits
The management body must approve the financial entity's ICT audits.
EU-DORA-5-23
Requirement
Approve material modifications to ICT audit plans and audits
The management body must approve material modifications to the financial entity's ICT internal audit plans and ICT audit
EU-DORA-5-24
Requirement
Periodically review ICT internal audit plans
The management body must periodically review the financial entity's ICT internal audit plans.
EU-DORA-5-25
Requirement
Periodically review ICT audits
The management body must periodically review the financial entity's ICT audits.
EU-DORA-5-26
Requirement
Allocate appropriate budget for digital operational resilience
The management body must allocate appropriate budget to fulfill the financial entity's digital operational resilience ne
EU-DORA-5-27
Requirement
Periodically review budget for digital operational resilience
The management body must periodically review the appropriate budget to fulfill the financial entity's digital operationa
EU-DORA-5-28
Requirement
Approve policy on ICT third-party service provider arrangements
The management body must approve the financial entity's policy on arrangements regarding the use of ICT services provide
EU-DORA-5-29
Requirement
Periodically review policy on ICT third-party service provider arrangements
The management body must periodically review the financial entity's policy on arrangements regarding the use of ICT serv
EU-DORA-5-30
Reporting
Establish reporting channels for ICT third-party arrangements
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of arrange
EU-DORA-5-31
Reporting
Establish reporting channels for planned ICT third-party changes
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of any rel
EU-DORA-5-32
Reporting
Establish reporting channels for impact assessment of ICT third-party changes
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of the pot
EU-DORA-5-33
Reporting
Establish reporting channels for major ICT-related incidents
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of at leas
EU-DORA-5-34
Requirement
Establish role to monitor ICT third-party service arrangements (non-microenterprises)
Financial entities, other than microenterprises, must establish a role in order to monitor the arrangements concluded wi
EU-DORA-5-35
Requirement
Designate senior management for ICT third-party risk oversight (non-microenterprises)
Financial entities, other than microenterprises, must (as the alternative to the monitoring role in EU-DORA-5-34) designate a member of senior management as responsible for overseei
EU-DORA-5-36
Requirement
Management body members must maintain ICT risk knowledge and skills
Members of the management body of the financial entity must actively keep up to date with sufficient knowledge and skill
Chapter VII — Competent Authorities
Article 52. Criminal penalties
2 obligations
EU-DORA-52-01
Requirement
Establish liaison powers for competent authorities in criminal penalty regimes
Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they must ensure that ap
EU-DORA-52-02
Requirement
Establish powers to provide criminal investigation information to other authorities
Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they must ensure that co
Article 53. Notification duties
2 obligations
EU-DORA-53-01
Reporting
Initial notification of implementing laws by 17 January 2025
Member States must notify the Commission, ESMA, EBA and EIOPA of all laws, regulations and administrative provisions imp
EU-DORA-53-02
Reporting
Ongoing notification of amendments to implementing laws
Member States must notify the Commission, ESMA, EBA and EIOPA without undue delay of any subsequent amendments to their