EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 21. Centralisation of reporting of major ICT-related incidents
4 obligations
EU-DORA-21-06
Documentation
Include membership conditions in joint report
The joint report must comprise conditions of membership for the single EU Hub.
EU-DORA-21-07
Documentation
Include technical access arrangements in joint report
The joint report must comprise technical arrangements for financial entities and national competent authorities to acces
EU-DORA-21-08
Documentation
Include preliminary financial cost assessment in joint report
The joint report must comprise a preliminary assessment of financial costs incurred by setting up the operational platfo
EU-DORA-21-09
Reporting
Submit joint report by deadline
The ESAs must submit the joint report on centralised ICT incident reporting to the European Parliament, to the Council a
Article 22. Supervisory feedback
6 obligations
EU-DORA-22-01
Reporting
Acknowledge receipt of incident notifications and reports
Competent authorities must acknowledge receipt of initial notifications and reports submitted under Article 19(4) regard
EU-DORA-22-02
Monitoring
Provide supervisory feedback on incident reports
Competent authorities may provide timely, relevant and proportionate feedback or high-level guidance to financial entiti
EU-DORA-22-03
Risk Management
Maintain responsibility for ICT incident handling despite supervisory feedback
Financial entities must remain fully responsible for handling ICT-related incidents and their consequences, regardless o
EU-DORA-22-04
Reporting
Provide incident details to ESAs for annual reporting
Competent authorities must provide details of major ICT-related incidents to the ESAs in accordance with Article 19(6) t
EU-DORA-22-05
Reporting
Produce annual aggregated report on major ICT incidents
The ESAs must, through the Joint Committee, produce yearly reports on major ICT-related incidents on an anonymised and a
EU-DORA-22-06
Transparency
Issue ICT threat warnings and produce statistics
The ESAs must issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.
Article 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
2 obligations
EU-DORA-23-01
Requirement
Apply Chapter requirements to operational payment-related incidents
Credit institutions, payment institutions, account information service providers, and electronic money institutions must
EU-DORA-23-02
Requirement
Apply Chapter requirements to major operational payment-related incidents
Credit institutions, payment institutions, account information service providers, and electronic money institutions must
Chapter IV — Digital Operational Resilience Testing
Article 24. General requirements for the performance of digital operational resilience testing
8 obligations
EU-DORA-24-01
Requirement
Establish comprehensive digital operational resilience testing programme
Financial entities (other than microenterprises) must establish, maintain and review a sound and comprehensive digital o
EU-DORA-24-02
Requirement
Include range of assessments and tools in testing programme
The digital operational resilience testing programme must include a range of assessments, tests, methodologies, practice
EU-DORA-24-03
Risk Management
Follow risk-based approach in testing programme conduct
When conducting the digital operational resilience testing programme, financial entities (other than microenterprises) m
EU-DORA-24-04
Requirement
Ensure tests are undertaken by independent parties
Financial entities (other than microenterprises) must ensure that tests are undertaken by independent parties, whether i
EU-DORA-24-05
Requirement
Dedicate sufficient resources and avoid conflicts of interest for internal testing
Where tests are undertaken by an internal tester, financial entities must dedicate sufficient resources and ensure that
EU-DORA-24-06
Requirement
Establish procedures to prioritise, classify and remedy test issues
Financial entities (other than microenterprises) must establish procedures and policies to prioritise, classify and reme
EU-DORA-24-07
Requirement
Establish internal validation methodologies for identified weaknesses
Financial entities (other than microenterprises) must establish internal validation methodologies to ascertain that all
EU-DORA-24-08
Requirement
Conduct yearly tests on critical and important function systems
Financial entities (other than microenterprises) must ensure, at least yearly, that appropriate tests are conducted on a
Article 25. Testing of ICT tools and systems
3 obligations
EU-DORA-25-01
Requirement
Execute appropriate ICT testing programme tests
Execute appropriate tests as part of the digital operational resilience testing programme, including vulnerability asses
EU-DORA-25-02
Requirement
Perform vulnerability assessments before deployment - CSDs and CCPs
Perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructu
EU-DORA-25-03
Requirement
Apply risk-based approach to ICT testing - microenterprises
Perform the tests specified in paragraph 1 by combining a risk-based approach with strategic planning of ICT testing, co
Article 26. Advanced testing of ICT tools, systems and processes based on TLPT
2 obligations
EU-DORA-26-01
Requirement
Conduct TLPT every 3 years
Financial entities (excluding Article 16(1) entities and microenterprises) identified by competent authorities must carr
EU-DORA-26-02
Requirement
Cover critical/important functions in TLPT
Each threat-led penetration test must cover several or all critical or important functions of the financial entity and b