EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 6. ICT risk management framework
10 obligations
- EU-DORA-6-01 (Risk Management): Establish comprehensive ICT risk management framework. Financial entities must have a sound, comprehensive and well-documented ICT risk management framework as part of their o
- EU-DORA-6-02 (Requirement): Include minimum components in ICT risk management framework. The ICT risk management framework must include at least strategies, policies, procedures, ICT protocols and tools necess
- EU-DORA-6-03 (Risk Management): Deploy appropriate ICT risk mitigation measures. Financial entities must minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT p
- EU-DORA-6-04 (Transparency): Provide ICT risk information to competent authorities upon request. Financial entities must provide complete and updated information on ICT risk and on their ICT risk management framework
- EU-DORA-6-05 (Human Oversight): Assign ICT risk management responsibility to control function. Financial entities other than microenterprises must assign responsibility for managing and overseeing ICT risk to a cont
- EU-DORA-6-06 (Requirement): Ensure segregation of ICT functions according to three lines of defence. Financial entities must ensure appropriate segregation and independence of ICT risk management functions, control functi
- EU-DORA-6-07 (Documentation): Document and regularly review ICT risk management framework. The ICT risk management framework must be documented and reviewed at least once a year (or periodically for microenterpr
- EU-DORA-6-08 (Requirement): Continuously improve ICT risk management framework. The ICT risk management framework must be continuously improved based on lessons derived from implementation and monitor
- EU-DORA-6-09 (Reporting): Submit framework review report to competent authority upon request. Financial entities must submit a report on the review of the ICT risk management framework to the competent authority wh
- EU-DORA-6-10 (Monitoring): Subject ICT risk management framework to regular internal audit. Financial entities other than microenterprises must subject their ICT risk management framework to internal audit by aud
Chapter IX — Transitional and Final Provisions
Article 58. Review clause
1 obligation
Article 59. Amendments to Regulation (EC) No 1060/2009
5 obligations
- EU-DORA-59-01 (Requirement): Credit rating agencies must have effective ICT control and safeguard arrangements. Credit rating agencies shall have effective control and safeguard arrangements for managing ICT systems in accordance wi
- EU-DORA-59-02 (Requirement): Credit rating agencies must maintain sound administrative and accounting procedures. Credit rating agencies shall have sound administrative and accounting procedures as part of their operational requiremen
- EU-DORA-59-03 (Requirement): Credit rating agencies must establish internal control mechanisms. Credit rating agencies shall establish and maintain internal control mechanisms as required by the amended regulation.
- EU-DORA-59-04 (Risk Management): Credit rating agencies must implement effective risk assessment procedures. Credit rating agencies shall have effective procedures for risk assessment as part of their operational framework under
- EU-DORA-59-05 (Requirement): Credit rating agencies must implement decision-making procedures and organisational structures. Credit rating agencies must implement and maintain decision-making procedures and organisational structures as required
Article 60. Amendments to Regulation (EU) No 648/2012
7 obligations
- EU-DORA-60-01 (Requirement): CCP ICT systems management compliance. Central Counterparties (CCPs) must manage their ICT systems in accordance with Regulation (EU) 2022/2554 as part of main
- EU-DORA-60-02 (Requirement): CCP organisational structure maintenance. Central Counterparties must maintain and operate an organisational structure that ensures continuity and orderly functio
- EU-DORA-60-03 (Requirement): CCP ICT business continuity policy implementation. Central Counterparties must establish, implement and maintain ICT business continuity policy and ICT response and recove
- EU-DORA-60-04 (Requirement): CCP business continuity objective achievement. Central Counterparties must ensure their business continuity policy and disaster recovery plan aims to preserve function
- EU-DORA-60-05 (Risk Management): Trade repository operational risk management. Trade repositories must identify sources of operational risk and minimise them through development of appropriate system
- EU-DORA-60-06 (Requirement): Trade repository ICT business continuity implementation. Trade repositories must establish, implement and maintain ICT business continuity policy and ICT response and recovery p
- EU-DORA-60-07 (Requirement): Trade repository business continuity objective achievement. Trade repositories must ensure their business continuity policy and disaster recovery plan aims to maintain functions, e
Article 61. Amendments to Regulation (EU) No 909/2014
2 obligations
- EU-DORA-61-01 (Risk Management): ICT operational risk identification and minimisation. A CSD shall identify sources of operational risk, both internal and external, and minimise their impact through deployme
- EU-DORA-61-02 (Requirement): Business continuity and disaster recovery plan establishment. For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish,