EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter I — General Provisions
Chapter II — ICT Risk Management
Article 6. ICT risk management framework
13 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-6-11 | Requirement | Ensure auditors have sufficient ICT risk expertise and independence | Auditors conducting ICT risk management framework audits must possess sufficient knowledge, skills and expertise in ICT |
| EU-DORA-6-12 | Requirement | Ensure ICT audit frequency is commensurate to ICT risk | The frequency and focus of ICT audits must be commensurate to the ICT risk of the financial entity. |
| EU-DORA-6-13 | Requirement | Establish formal follow-up process for audit findings | Financial entities must establish a formal follow-up process based on internal audit review conclusions, including rules |
| EU-DORA-6-14 | Requirement | Include digital operational resilience strategy in framework | The ICT risk management framework must include a digital operational resilience strategy setting out how the framework s |
| EU-DORA-6-15 | Requirement | Explain framework support for business strategy and objectives | The digital operational resilience strategy must explain how the ICT risk management framework supports the financial en |
| EU-DORA-6-16 | Risk Management | Establish ICT risk tolerance level and analyze impact tolerance | The digital operational resilience strategy must establish the risk tolerance level for ICT risk in accordance with the |
| EU-DORA-6-17 | Requirement | Set clear information security objectives with KPIs and metrics | The digital operational resilience strategy must set out clear information security objectives, including key performanc |
| EU-DORA-6-18 | Requirement | Explain ICT reference architecture and needed changes | The digital operational resilience strategy must explain the ICT reference architecture and any changes needed to reach |
| EU-DORA-6-19 | Requirement | Outline ICT incident detection and protection mechanisms | The digital operational resilience strategy must outline the different mechanisms put in place to detect ICT-related inc |
| EU-DORA-6-20 | Requirement | Evidence current digital operational resilience situation | The digital operational resilience strategy must evidence the current digital operational resilience situation based on |
| EU-DORA-6-21 | Requirement | Implement digital operational resilience testing | The digital operational resilience strategy must implement digital operational resilience testing in accordance with Cha |
| EU-DORA-6-22 | Requirement | Outline communication strategy for ICT incidents | The digital operational resilience strategy must outline a communication strategy in the event of ICT-related incidents |
| EU-DORA-6-23 | Requirement | Maintain full responsibility when outsourcing ICT risk management verification | When financial entities outsource tasks of verifying compliance with ICT risk management requirements to intra-group or |
Chapter III — ICT-Related Incident Management, Classification and Reporting
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Chapter VIII — Delegated Acts
Chapter IX — Transitional and Final Provisions
Article 61. Amendments to Regulation (EU) No 909/2014
4 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-61-03 | Requirement | Transaction and position recovery capability | The disaster recovery plan shall provide for the recovery of all transactions and participants' positions at the time of |
| EU-DORA-61-04 | Risk Management | Third-party risk identification and management | A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operate |
| EU-DORA-61-05 | Transparency | Risk information provision to authorities | A CSD shall, upon request, provide competent and relevant authorities with information on any risk identified from key p |
| EU-DORA-61-06 | Reporting | Non-ICT operational incident reporting | A CSD shall inform the competent authority and relevant authorities without delay of any operational incidents, other th |
Article 62. Amendments to Regulation (EU) No 600/2014
3 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-62-01 | Requirement | APA compliance with DORA security requirements | Approved Publication Arrangements (APAs) must comply with all requirements concerning the security of network and inform |
| EU-DORA-62-02 | Requirement | CTP compliance with DORA security requirements | Consolidated Tape Providers (CTPs) must comply with all requirements concerning the security of network and information |
| EU-DORA-62-03 | Requirement | ARM compliance with DORA security requirements | Approved Reporting Mechanisms (ARMs) must comply with all requirements concerning the security of network and informatio |
Article 63. Amendment to Regulation (EU) 2016/1011
4 obligations
| ID | Category | Obligation | Description |
|---|---|---|---|
| EU-DORA-63-01 | Requirement | Sound Administrative and Accounting Procedures for Critical Benchmarks | Administrators of critical benchmarks must establish and maintain sound administrative and accounting procedures as part |
| EU-DORA-63-02 | Requirement | Internal Control Mechanisms for Critical Benchmarks | Administrators of critical benchmarks must implement internal control mechanisms to ensure proper governance and oversig |
| EU-DORA-63-03 | Risk Management | Effective Risk Assessment Procedures for Critical Benchmarks | Administrators of critical benchmarks must establish and maintain effective procedures for conducting risk assessments o |
| EU-DORA-63-04 | Requirement | ICT Systems Control and Safeguard Arrangements for Critical Benchmarks | Administrators of critical benchmarks must implement effective control and safeguard arrangements for managing ICT syste |
Article 64. Entry into force and application
1 obligation