EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter I — General Provisions
Article 2. Scope
4 obligations
EU-DORA-2-01 (Requirement): Comply with DORA requirements (financial entities)
Financial entities listed in Article 2(1)(a) to (t) must comply with all requirements imposed by this Regulation on digi

EU-DORA-2-02 (Requirement): Comply with DORA requirements (ICT third-party service providers)
ICT third-party service providers must comply with the specific requirements imposed by this Regulation applicable to th

EU-DORA-2-03 (Transparency): Inform Commission of exclusions under Article 2(5) Directive 2013/36/EU
Member States that exclude entities referred to in Article 2(5), points (4) to (23), of Directive 2013/36/EU from the sc

EU-DORA-2-04 (Transparency): Publish exclusion information publicly
The Commission must make information about Member State exclusions under Article 2(4) publicly available on its website
Chapter II — ICT Risk Management
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
9 obligations
EU-DORA-19-10 (Reporting): Submit final report after root cause analysis completion
Financial entities must submit a final report when root cause analysis is completed (regardless of mitigation implementa

EU-DORA-19-11 (Requirement): Remain responsible for reporting when outsourcing to third party
When financial entities outsource reporting obligations to a third-party service provider, they must remain fully respon

EU-DORA-19-12 (Reporting): Provide incident details to specified recipients in a timely manner
Competent authorities must timely provide details of major ICT-related incidents to EBA/ESMA/EIOPA, ECB, CSIRTs, resolut

EU-DORA-19-13 (Monitoring): Assess cross-border relevance and notify other Member States
EBA, ESMA, EIOPA and ECB must assess whether major ICT-related incidents are relevant for other Member States' competent

EU-DORA-19-14 (Reporting): Notify European System of Central Banks on payment system issues
The ECB must notify members of the European System of Central Banks on issues relevant to the payment system.

EU-DORA-19-15 (Risk Management): Take measures to protect financial system stability
Based on notifications about major ICT-related incidents, competent authorities must take all necessary measures to prot

EU-DORA-19-16 (Reporting): Urgently transmit CSD incident details to host Member State
Competent authorities must urgently transmit details of major ICT-related incidents to relevant authorities in host Memb

EU-DORA-19-17 (Requirement): Designate single competent authority for multi-supervised entities
Member States must designate a single competent authority responsible for incident reporting functions when a financial

EU-DORA-19-18 (Reporting): Immediately transmit reports to ECB (national authorities)
National competent authorities designated under Directive 2013/36/EU must immediately transmit major ICT-related inciden
Article 20. Harmonisation of reporting content and templates
7 obligations
EU-DORA-20-01 (Requirement): Develop regulatory technical standards for major ICT incident reporting content
The ESAs must develop common draft regulatory technical standards to establish the content of reports for major ICT-rela

EU-DORA-20-02 (Requirement): Determine time limits for ICT incident notifications and reports
The ESAs must develop common draft regulatory technical standards to determine the time limits for the initial notificat

EU-DORA-20-03 (Requirement): Establish content standards for significant cyber threat notifications
The ESAs must develop common draft regulatory technical standards to establish the content of notifications for signific

EU-DORA-20-04 (Requirement): Consider entity characteristics in developing technical standards
When developing regulatory technical standards, the ESAs must take into account the size and overall risk profile of fin

EU-DORA-20-05 (Transparency): Provide justification for deviations from NIS2 Directive approaches
The ESAs must provide justification when deviating from the approaches taken in the context of Directive (EU) 2022/2555

EU-DORA-20-06 (Requirement): Develop implementing technical standards for reporting forms and procedures
The ESAs must develop common draft implementing technical standards to establish the standard forms, templates and proce

EU-DORA-20-07 (Requirement): Submit technical standards to Commission by deadline
The ESAs must submit the common draft regulatory technical standards and common draft implementing technical standards t
Article 21. Centralisation of reporting of major ICT-related incidents
5 obligations
EU-DORA-21-01 (Reporting): Prepare joint report on centralised ICT incident reporting feasibility
The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, must prepare a joint report assessing

EU-DORA-21-02 (Documentation): Include prerequisites assessment in joint report
The joint report must comprise an assessment of prerequisites for the establishment of a single EU Hub for ICT incident

EU-DORA-21-03 (Risk Management): Include benefits, limitations and risks analysis in joint report
The joint report must comprise an analysis of benefits, limitations and risks, including risks associated with the high

EU-DORA-21-04 (Documentation): Include interoperability capability assessment in joint report
The joint report must comprise an assessment of the necessary capability to ensure interoperability with regard to other

EU-DORA-21-05 (Documentation): Include operational management elements in joint report
The joint report must comprise elements of operational management for the single EU Hub.