EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Chapter IV — Digital Operational Resilience Testing
Article 26. Advanced testing of ICT tools, systems and processes based on TLPT
12 obligations
EU-DORA-26-03 (Requirement): Identify underlying ICT systems for TLPT
Financial entities must identify all relevant underlying ICT systems, processes and technologies supporting critical or

EU-DORA-26-04 (Requirement): Assess TLPT scope and obtain validation
Financial entities must assess which critical or important functions need to be covered by TLPT, determine the precise s

EU-DORA-26-05 (Requirement): Ensure ICT third-party participation in TLPT
When ICT third-party service providers are included in TLPT scope, financial entities must take necessary measures to en

EU-DORA-26-06 (Risk Management): Apply risk management controls during TLPT
Financial entities must apply effective risk management controls with cooperation of ICT third-parties and testers to mi

EU-DORA-26-07 (Reporting): Provide TLPT summary and remediation plans
After TLPT completion, financial entities and external testers must provide designated authority with summary of finding

EU-DORA-26-08 (Reporting): Notify competent authority of TLPT attestation
Financial entities must notify their relevant competent authority of the attestation received, the summary of findings,

EU-DORA-26-09 (Requirement): Contract appropriate testers for TLPT
Financial entities must contract testers in accordance with Article 27. When using internal testers, they must contract

EU-DORA-26-10 (Requirement): Use only external testers (significant credit institutions)
Credit institutions classified as significant under Article 6(4) of Regulation (EU) No 1024/2013 must only use external

EU-DORA-26-11 (Requirement): Identify financial entities for TLPT requirement
Competent authorities must identify financial entities required to perform TLPT based on Article 4(2) criteria and asses

EU-DORA-26-12 (Requirement): Provide TLPT attestation to financial entities
Designated authorities must provide financial entities with attestation confirming TLPT was performed according to requi

EU-DORA-26-13 (Requirement): Develop joint regulatory technical standards
ESAs must develop joint draft regulatory technical standards with ECB agreement according to TIBER-EU framework, specify

EU-DORA-26-14 (Requirement): Submit regulatory technical standards by deadline
ESAs must submit the draft regulatory technical standards to the Commission by 17 July 2024.
Article 27. Requirements for testers for the carrying out of TLPT
9 obligations
EU-DORA-27-01 (Requirement): Use only qualified testers for TLPT of the highest suitability and reputability
Financial entities must ensure that testers used for carrying out TLPT are of the highest suitability and reputability.

EU-DORA-27-02 (Requirement): Use only testers with technical and organisational capabilities
Financial entities must ensure that testers possess technical and organisational capabilities and demonstrate specific e

EU-DORA-27-03 (Requirement): Use only certified or code-compliant testers
Financial entities must ensure that testers are certified by an accreditation body in a Member State or adhere to formal

EU-DORA-27-04 (Requirement): Require independent assurance from testers
Financial entities must ensure that testers provide an independent assurance, or an audit report, in relation to the sou

EU-DORA-27-05 (Requirement): Use only testers with professional indemnity insurance
Financial entities must ensure that testers are duly and fully covered by relevant professional indemnity insurances, in

EU-DORA-27-06 (Requirement): Obtain authority approval for internal testers
When using internal testers, financial entities must ensure that such use has been approved by the relevant competent au

EU-DORA-27-07 (Requirement): Ensure authority verification of resources and conflict avoidance for internal testers
When using internal testers, financial entities must ensure that the relevant competent authority has verified that the

EU-DORA-27-08 (Requirement): Use external threat intelligence provider when using internal testers
When using internal testers, financial entities must ensure that the threat intelligence provider is external to the fin

EU-DORA-27-09 (Data Governance): Ensure sound management of TLPT results through contracts
Financial entities must ensure that contracts concluded with external testers require a sound management of the TLPT res
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
4 obligations
EU-DORA-28-01 (Risk Management): Manage ICT third-party risk as integral component of ICT risk management
Financial entities must manage ICT third-party risk as an integral component of ICT risk within their ICT risk managemen

EU-DORA-28-02 (Requirement): Remain fully responsible for compliance despite third-party arrangements
Financial entities that have contractual arrangements for the use of ICT services must remain fully responsible for comp

EU-DORA-28-03 (Risk Management): Implement ICT third-party risk management proportionally
Financial entities must implement ICT third-party risk management in accordance with the principle of proportionality, c

EU-DORA-28-04 (Requirement): Adopt and regularly review ICT third-party risk strategy
Financial entities (excluding Article 16(1) first subparagraph entities and microenterprises) must adopt and regularly r