EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 17. ICT-related incident management process
9 obligations
EU-DORA-17-01
Requirement
Define, establish and implement ICT-related incident management process
Financial entities must define, establish and implement an ICT-related incident management process to detect, manage and
EU-DORA-17-02
Documentation
Record all ICT-related incidents and significant cyber threats
Financial entities must record all ICT-related incidents and significant cyber threats.
EU-DORA-17-03
Requirement
Establish procedures for consistent monitoring, handling and follow-up
Financial entities must establish appropriate procedures and processes to ensure consistent and integrated monitoring, h
EU-DORA-17-04
Requirement
Put in place early warning indicators
The ICT-related incident management process must include early warning indicators.
EU-DORA-17-05
Requirement
Establish incident identification and classification procedures
The incident management process must establish procedures to identify, track, log, categorise and classify ICT-related i
EU-DORA-17-06
Requirement
Assign roles and responsibilities for different incident types
The incident management process must assign roles and responsibilities that need to be activated for different ICT-relat
EU-DORA-17-07
Requirement
Set out communication plans for incidents
The incident management process must set out plans for communication to staff, external stakeholders and media in accord
EU-DORA-17-08
Reporting
Report major incidents to senior management
The incident management process must ensure that at least major ICT-related incidents are reported to relevant senior ma
EU-DORA-17-09
Requirement
Establish incident response procedures
The incident management process must establish ICT-related incident response procedures to mitigate impacts and ensure t
Article 18. Classification of ICT-related incidents and cyber threats
7 obligations
EU-DORA-18-01
Requirement
Classify ICT-related incidents based on specified criteria
Financial entities must classify ICT-related incidents and determine their impact using the six specified criteria: numb
EU-DORA-18-02
Requirement
Classify cyber threats as significant based on specified criteria
Financial entities must classify cyber threats as significant based on the criticality of services at risk (including tr
EU-DORA-18-03
Requirement
Develop draft regulatory technical standards for incident classification criteria
The ESAs must, through the Joint Committee and in consultation with the ECB and ENISA, develop common draft regulatory t
EU-DORA-18-04
Requirement
Develop draft regulatory technical standards for competent authority assessment criteria
The ESAs must develop common draft regulatory technical standards specifying criteria for competent authorities to asses
EU-DORA-18-05
Requirement
Develop draft regulatory technical standards for cyber threat classification criteria
The ESAs must develop common draft regulatory technical standards specifying criteria for classifying cyber threats, inc
EU-DORA-18-06
Requirement
Consider specific criteria when developing regulatory technical standards
When developing the regulatory technical standards, the ESAs must take into account Article 4(2) criteria, international
EU-DORA-18-07
Requirement
Submit draft regulatory technical standards by specified deadline
The ESAs must submit the common draft regulatory technical standards to the Commission by 17 January 2024.
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
9 obligations
EU-DORA-19-01
Reporting
Report major ICT-related incidents to competent authority
Financial entities must report major ICT-related incidents to the relevant competent authority as specified in Article 4
EU-DORA-19-02
Reporting
Report major ICT incidents to ECB (significant credit institutions)
Credit institutions classified as significant must report major ICT-related incidents to the relevant national competent
EU-DORA-19-03
Documentation
Produce initial notification and reports using templates
Financial entities must collect and analyse relevant information to produce initial notifications and reports using temp
EU-DORA-19-04
Requirement
Use alternative notification means when template submission impossible
When technical impossibility prevents submission of initial notification using the template, financial entities must not
EU-DORA-19-05
Transparency
Include significance and cross-border impact information in reports
Initial notifications and reports must include all information necessary for the competent authority to determine the si
EU-DORA-19-06
Transparency
Inform clients about major ICT incidents without undue delay
When a major ICT-related incident impacts the financial interests of clients, financial entities must inform clients abo
EU-DORA-19-07
Transparency
Inform clients about protection measures for cyber threats
In case of significant cyber threats, financial entities must inform potentially affected clients about appropriate prot
EU-DORA-19-08
Reporting
Submit initial notification within prescribed time limits
Financial entities must submit an initial notification to the relevant competent authority within the time limits specif
EU-DORA-19-09
Reporting
Submit intermediate reports upon status changes
Financial entities must submit intermediate reports after the initial notification when the incident status changes sign