EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 7. ICT systems, protocols and tools
4 obligations

| ID | Type | Title | Obligation |
|---|---|---|---|
| EU-DORA-7-01 | Requirement | Use and maintain updated ICT systems with appropriate magnitude | Financial entities must use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude |
| EU-DORA-7-02 | Requirement | Use and maintain reliable ICT systems | Financial entities must use and maintain updated ICT systems, protocols and tools that are reliable. |
| EU-DORA-7-03 | Requirement | Use ICT systems with sufficient data processing capacity | Financial entities must use and maintain updated ICT systems, protocols and tools equipped with sufficient capacity to a |
| EU-DORA-7-04 | Requirement | Use technologically resilient ICT systems for stressed conditions | Financial entities must use and maintain updated ICT systems, protocols and tools that are technologically resilient in |
Article 8. Identification
10 obligations

| ID | Type | Title | Obligation |
|---|---|---|---|
| EU-DORA-8-01 | Documentation | Identify and classify ICT supported business functions, roles and responsibilities | Financial entities must identify, classify and adequately document all ICT supported business functions, roles and respo |
| EU-DORA-8-02 | Monitoring | Review adequacy of classification and documentation yearly | Financial entities must review as needed, and at least yearly, the adequacy of the classification of ICT supported busin |
| EU-DORA-8-03 | Risk Management | Continuously identify all sources of ICT risk | Financial entities must continuously identify all sources of ICT risk, particularly the risk exposure to and from other |
| EU-DORA-8-04 | Risk Management | Review risk scenarios annually | Financial entities must review on a regular basis, and at least yearly, the risk scenarios impacting them. |
| EU-DORA-8-05 | Risk Management | Perform risk assessment upon major changes (non-microenterprises) | Financial entities other than microenterprises must perform a risk assessment upon each major change in the network and |
| EU-DORA-8-06 | Documentation | Identify and map all information and ICT assets | Financial entities must identify all information assets and ICT assets, including those on remote sites, network resourc |
| EU-DORA-8-07 | Documentation | Map asset configuration and interdependencies | Financial entities must map the configuration of the information assets and ICT assets and the links and interdependenci |
| EU-DORA-8-08 | Documentation | Identify ICT third-party dependent processes | Financial entities must identify and document all processes that are dependent on ICT third-party service providers, and |
| EU-DORA-8-09 | Documentation | Maintain and update asset inventories | Financial entities must maintain relevant inventories for business functions, assets, and third-party dependencies, and |
| EU-DORA-8-10 | Risk Management | Conduct annual ICT risk assessment on legacy systems (non-microenterprises) | Financial entities other than microenterprises must conduct on a regular basis, and at least yearly, a specific ICT risk |
Article 9. Protection and prevention
11 obligations

| ID | Type | Title | Obligation |
|---|---|---|---|
| EU-DORA-9-01 | Monitoring | Continuous monitoring and control of ICT systems security and functioning | Financial entities must continuously monitor and control the security and functioning of ICT systems and tools to adequa |
| EU-DORA-9-02 | Risk Management | Minimize ICT risk impact through deployment of security measures | Financial entities must minimize the impact of ICT risk on ICT systems through the deployment of appropriate ICT securit |
| EU-DORA-9-03 | Requirement | Design, procure and implement ICT security policies for resilience | Financial entities must design, procure and implement ICT security policies, procedures, protocols and tools that ensure |
| EU-DORA-9-04 | Data Governance | Maintain high standards of data availability, authenticity, integrity and confidentiality | Financial entities must maintain high standards of availability, authenticity, integrity and confidentiality of data whe |
| EU-DORA-9-05 | Requirement | Use appropriate ICT solutions and processes per Article 4 | Financial entities must use ICT solutions and processes that are appropriate in accordance with Article 4 to achieve sec |
| EU-DORA-9-06 | Requirement | Ensure security of data transfer means | Financial entities must ensure the security of the means of transfer of data through their ICT solutions and processes. |
| EU-DORA-9-07 | Risk Management | Minimize risk of data corruption, loss, unauthorized access and technical flaws | Financial entities must minimize the risk of corruption or loss of data, unauthorized access and technical flaws that ma |
| EU-DORA-9-08 | Requirement | Prevent availability loss, authenticity/integrity impairment and confidentiality breaches | Financial entities must prevent the lack of availability, the impairment of the authenticity and integrity, the breaches |
| EU-DORA-9-09 | Data Governance | Protect data from data management risks | Financial entities must ensure that data is protected from risks arising from data management, including poor administra |
| EU-DORA-9-10 | Documentation | Develop and document information security policy | Financial entities must develop and document an information security policy defining rules to protect the availability, |
| EU-DORA-9-11 | Requirement | Establish sound network and infrastructure management structure | Financial entities must establish a sound network and infrastructure management structure using appropriate techniques, |