EU-DORA

Regulation (EU) 2022/2554 — Digital Operational Resilience Act

EU Version 1.0 606 obligations

Chapter I — General Provisions

Chapter II — ICT Risk Management

Article 12. Backup policies and procedures, restoration and recovery procedures and methods

7 obligations

Article 13. Learning and evolving

16 obligations

EU-DORA-13-01 Requirement

Establish Threat Intelligence Capabilities

Financial entities must establish and maintain capabilities and staff to gather information on vulnerabilities and cyber

EU-DORA-13-02 Requirement

Conduct Post-Incident Reviews After Major ICT Incidents

Financial entities must implement post ICT-related incident reviews after any major ICT-related incident that disrupts t

EU-DORA-13-03 Reporting

Report Post-Incident Review Changes to Authorities

Financial entities (except microenterprises) must communicate to competent authorities, upon request, the changes implem

EU-DORA-13-04 Requirement

Evaluate Response Promptness in Post-Incident Reviews

Post ICT-related incident reviews must determine whether established procedures were followed and actions were effective

EU-DORA-13-05 Requirement

Evaluate Forensic Analysis Quality in Post-Incident Reviews

Post ICT-related incident reviews must assess the quality and speed of performing forensic analysis, where deemed approp

EU-DORA-13-06 Requirement

Evaluate Internal Incident Escalation Effectiveness

Post ICT-related incident reviews must assess the effectiveness of incident escalation within the financial entity.

EU-DORA-13-07 Requirement

Evaluate Communication Effectiveness in Post-Incident Reviews

Post ICT-related incident reviews must assess the effectiveness of both internal and external communication during incid

EU-DORA-13-08 Risk Management

Incorporate Lessons into ICT Risk Assessment Process

Financial entities must continuously incorporate lessons derived from digital operational resilience testing (Articles 2

EU-DORA-13-09 Risk Management

Review ICT Risk Management Framework Components

Financial entities must use findings from lessons learned to form the basis for appropriate reviews of relevant componen

EU-DORA-13-10 Monitoring

Monitor Digital Operational Resilience Strategy Implementation

Financial entities must monitor the effectiveness of the implementation of their digital operational resilience strategy

EU-DORA-13-11 Monitoring

Map ICT Risk Evolution Over Time

Financial entities must map the evolution of ICT risk over time and analyze the frequency, types, magnitude and evolutio

EU-DORA-13-12 Reporting

Senior ICT Staff Annual Reporting to Management Body

Senior ICT staff must report at least yearly to the management body on the findings from lessons learned incorporation (

EU-DORA-13-13 Requirement

Develop ICT Security Awareness Programmes

Financial entities must develop ICT security awareness programmes and digital operational resilience training as compuls

EU-DORA-13-14 Requirement

Include Third-Party Service Providers in Training Schemes

Financial entities must, where appropriate, include ICT third-party service providers in their relevant training schemes

EU-DORA-13-15 Monitoring

Monitor Technological Developments Continuously

Financial entities (except microenterprises) must continuously monitor relevant technological developments to understand

EU-DORA-13-16 Requirement

Keep Updated with Latest ICT Risk Management Processes

Financial entities (except microenterprises) must keep up-to-date with the latest ICT risk management processes to effec

Article 14. Communication

2 obligations
