EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Chapter II — ICT Risk Management
Article 14. Communication
2 obligations
EU-DORA-14-03
Documentation
External Stakeholder Communication Policies
Financial entities must implement communication policies for external stakeholders as part of their ICT risk management
EU-DORA-14-04
Human Oversight
Designated ICT Communication Strategy Implementer
Financial entities must designate at least one person to be responsible for implementing the communication strategy for
Article 15. Further harmonisation of ICT risk management tools, methods, processes and policies
10 obligations
EU-DORA-15-01
Requirement
Develop draft RTS for ICT security policies harmonisation
The ESAs must, through the Joint Committee and in consultation with ENISA, develop common draft regulatory technical sta
EU-DORA-15-02
Requirement
Develop draft RTS for access management rights controls
The ESAs must develop common draft regulatory technical standards for further components of access management rights con
EU-DORA-15-03
Requirement
Develop draft RTS for anomalous activity detection mechanisms
The ESAs must develop common draft regulatory technical standards to further develop the mechanisms specified in Article
EU-DORA-15-04
Requirement
Develop draft RTS for ICT business continuity policy components
The ESAs must develop common draft regulatory technical standards to specify further the components of the ICT business
EU-DORA-15-05
Requirement
Develop draft RTS for ICT business continuity plan testing
The ESAs must develop common draft regulatory technical standards to specify further the testing of ICT business continu
EU-DORA-15-06
Requirement
Develop draft RTS for ICT response and recovery plan components
The ESAs must develop common draft regulatory technical standards to specify further the components of the ICT response
EU-DORA-15-07
Requirement
Develop draft RTS for ICT risk management framework review report format
The ESAs must develop common draft regulatory technical standards to specify further the content and format of the repor
EU-DORA-15-08
Requirement
Consider proportionality factors when developing draft RTS
When developing draft regulatory technical standards, the ESAs must take into account the size and overall risk profile
EU-DORA-15-09
Requirement
Submit draft RTS to Commission by deadline
The ESAs must submit the draft regulatory technical standards to the Commission by 17 January 2024.
EU-DORA-15-10
Requirement
Commission power to adopt regulatory technical standards
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referr
Article 16. Simplified ICT risk management framework
13 obligations
EU-DORA-16-01
Risk Management
Implement documented ICT risk management framework
Put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures
EU-DORA-16-02
Monitoring
Continuously monitor ICT systems security and functioning
Continuously monitor the security and functioning of all ICT systems to ensure operational resilience.
EU-DORA-16-03
Risk Management
Minimize ICT risk through sound, resilient systems
Minimize the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which a
EU-DORA-16-04
Risk Management
Enable prompt identification and handling of ICT risks and incidents
Allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected an
EU-DORA-16-05
Risk Management
Identify key ICT third-party service provider dependencies
Identify key dependencies on ICT third-party service providers to understand and manage external risks.
EU-DORA-16-06
Risk Management
Ensure business continuity for critical or important functions
Ensure the continuity of critical or important functions, through business continuity plans and response and recovery me
EU-DORA-16-07
Requirement
Regularly test business continuity plans and control effectiveness
Test, on a regular basis, the plans and measures referred to in business continuity, as well as the effectiveness of the
EU-DORA-16-08
Requirement
Implement operational conclusions from testing and incidents
Implement, as appropriate, relevant operational conclusions resulting from the tests and from post-incident analysis int
EU-DORA-16-09
Documentation
Document and periodically review ICT risk management framework
The ICT risk management framework shall be documented and reviewed periodically and upon the occurrence of major ICT-rel
EU-DORA-16-10
Requirement
Continuously improve ICT risk management framework
The ICT risk management framework shall be continuously improved on the basis of lessons derived from implementation and
EU-DORA-16-11
Reporting
Submit framework review report to competent authority upon request
Submit a report on the review of the ICT risk management framework to the competent authority upon its request.
EU-DORA-16-12
Requirement
ESAs develop regulatory technical standards for simplified framework
The ESAs shall, through the Joint Committee, in consultation with the ENISA, develop common draft regulatory technical s
EU-DORA-16-13
Requirement
ESAs submit draft standards to Commission by deadline
The ESAs shall submit the draft regulatory technical standards to the Commission by 17 January 2024.