EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter VII — Competent Authorities
Article 54. Publication of administrative penalties
8 obligations
EU-DORA-54-01
Transparency
Publish administrative penalties on official website
Competent authorities must publish on their official websites, without undue delay, any decision imposing an administrat
EU-DORA-54-02
Transparency
Include required information in penalty publication
When publishing administrative penalties, competent authorities must include information on the type and nature of the b
EU-DORA-54-03
Requirement
Conduct case-by-case assessment for publication decisions
Competent authorities must conduct a case-by-case assessment to determine if publication of identity would be disproport
EU-DORA-54-04
Requirement
Adopt alternative publication solutions when appropriate
When case-by-case assessment shows publication would be disproportionate, competent authorities must adopt one of three
EU-DORA-54-05
Requirement
May postpone publication of data where penalties are published anonymously
In cases where administrative penalties are published anonymously, competent authorities may postpone the publication of
EU-DORA-54-06
Transparency
Add appeal information to published penalties
When publishing penalties that are under appeal, competent authorities must immediately add this information to their of
EU-DORA-54-07
Transparency
Publish judicial decisions annulling penalties
Competent authorities must publish any judicial decision that annuls a decision imposing an administrative penalty.
EU-DORA-54-08
Requirement
Limit publication duration to maximum five years
Competent authorities must ensure that publications of administrative penalties remain on their official website only fo
Article 55. Professional secrecy
4 obligations
EU-DORA-55-01
Data Governance
Apply professional secrecy conditions to confidential information
All confidential information received, exchanged or transmitted pursuant to this Regulation must be subject to the condi
EU-DORA-55-02
Requirement
Maintain professional secrecy obligation for current and former personnel
The obligation of professional secrecy must be applied to all persons who work, or who have worked, for competent author
EU-DORA-55-03
Prohibition
Prohibit disclosure of information covered by professional secrecy
Information covered by professional secrecy shall not be disclosed to any other person or authority except by virtue of
EU-DORA-55-04
Data Governance
Treat business and operational information as confidential
All information exchanged between competent authorities concerning business or operational conditions and other economic
Article 56. Data protection
3 obligations
EU-DORA-56-01
Data Governance
Limit personal data processing by ESAs and competent authorities to what is necessary
ESAs and competent authorities must only process personal data when necessary for carrying out their specific obligation
EU-DORA-56-02
Data Governance
Process personal data in accordance with the GDPR/EUDPR
ESAs and competent authorities must process personal data in accordance with Regulation (EU) 2016/679 (GDPR) or Regulati
EU-DORA-56-03
Data Governance
Limit the personal data retention period
ESAs and competent authorities must retain personal data only until the discharge of applicable supervisory duties and f
Chapter VIII — Delegated Acts
Article 57. Exercise of the delegation
3 obligations
EU-DORA-57-01
Reporting
Commission delegation report requirement
The Commission must draw up a report regarding the delegation of power not later than nine months before the end of the
EU-DORA-57-02
Requirement
Expert consultation requirement for delegated acts
Before adopting a delegated act, the Commission must consult experts designated by each Member State in accordance with
EU-DORA-57-03
Reporting
Simultaneous notification requirement for delegated acts
As soon as it adopts a delegated act, the Commission must notify it simultaneously to the European Parliament and to the
Chapter IX — Transitional and Final Provisions
Article 58. Review clause
6 obligations
EU-DORA-58-01
Reporting
Commission review and report on DORA by January 2028
The Commission must carry out a comprehensive review of specific aspects of DORA and submit a report to the European Par
EU-DORA-58-02
Requirement
ESAs and ESRB consultation participation for 2028 review
ESAs and ESRB must participate in consultations with the Commission regarding the comprehensive review of DORA provision
EU-DORA-58-03
Reporting
Commission assessment of payment systems cyber resilience by July 2023
The Commission must assess the need for increased cyber resilience of payment systems and payment-processing activities
EU-DORA-58-04
Requirement
Commission consultation with ESAs, ECB and ESRB for payment systems proposal
If submitting a legislative proposal regarding payment systems and payment-processing activities oversight, the Commissi
EU-DORA-58-05
Requirement
ESAs, ECB and ESRB consultation participation for payment systems review
ESAs, ECB and ESRB must participate in consultations with the Commission regarding potential legislative proposals on pa
EU-DORA-58-06
Reporting
Commission review of auditor digital resilience requirements by January 2026
The Commission must carry out a review on the appropriateness of strengthened requirements for statutory auditors and au