
EU-DORA

Regulation (EU) 2022/2554 — Digital Operational Resilience Act

EU · Version 1.0 · 606 obligations
Showing 201–225 of 606 obligations

Chapter I — General Provisions

Chapter II — ICT Risk Management

Chapter III — ICT-Related Incident Management, Classification and Reporting

Chapter IV — Digital Operational Resilience Testing

Chapter V — Managing ICT Third-Party Risk

Article 28. General principles

22 obligations

EU-DORA-28-05 Documentation

Include policy on critical/important ICT services in third-party risk strategy

The ICT third-party risk strategy must include a policy on the use of ICT services supporting critical or important func

EU-DORA-28-06 Monitoring

Management body regular risk review for critical/important functions

The management body must regularly review risks identified in respect to contractual arrangements on the use of ICT serv

EU-DORA-28-07 Documentation

Maintain and update register of ICT service contractual arrangements

Financial entities must maintain and update at entity, sub-consolidated and consolidated levels a register of informatio

EU-DORA-28-08 Documentation

Appropriately document contractual arrangements with distinction

Contractual arrangements must be appropriately documented, distinguishing between those that cover ICT services supporti

EU-DORA-28-09 Reporting

Report yearly on new ICT service arrangements

Financial entities must report at least yearly to competent authorities on the number of new arrangements on the use of

EU-DORA-28-10 Transparency

Make register available to competent authority upon request

Financial entities must make available to the competent authority, upon its request, the full register of information or

EU-DORA-28-11 Transparency

Inform competent authority of planned critical/important arrangements

Financial entities must inform the competent authority in a timely manner about any planned contractual arrangement on t

EU-DORA-28-12 Requirement

Assess if contractual arrangement covers critical/important function

Before entering into contractual arrangements for ICT services, financial entities must assess whether the arrangement c

EU-DORA-28-13 Requirement

Assess if supervisory conditions for contracting are met

Before entering into contractual arrangements for ICT services, financial entities must assess if supervisory conditions

EU-DORA-28-14 Risk Management

Identify and assess all relevant risks including concentration risk

Before entering into contractual arrangements for ICT services, financial entities must identify and assess all relevant

EU-DORA-28-15 Requirement

Undertake due diligence on prospective ICT third-party service providers

Before entering into contractual arrangements for ICT services, financial entities must undertake all due diligence on p

EU-DORA-28-16 Risk Management

Identify and assess conflicts of interest from contractual arrangement

Before entering into contractual arrangements for ICT services, financial entities must identify and assess conflicts of

EU-DORA-28-17 Requirement

Only contract with providers complying with appropriate information security standards

Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with

EU-DORA-28-18 Requirement

Consider highest quality security standards for critical/important functions

For contractual arrangements concerning critical or important functions, financial entities must take due consideration

EU-DORA-28-19 Monitoring

Pre-determine audit frequency and areas using risk-based approach

In exercising access, inspection and audit rights over ICT third-party service providers, financial entities must pre-de

EU-DORA-28-20 Requirement

Verify auditor skills for technically complex arrangements

For contractual arrangements with high technical complexity, financial entities must verify that auditors (internal, ext

EU-DORA-28-21 Requirement

Ensure contractual arrangements may be terminated in specified circumstances

Financial entities must ensure that contractual arrangements on the use of ICT services may be terminated in circumstanc

EU-DORA-28-22 Requirement

Put in place exit strategies for critical/important functions

For ICT services supporting critical or important functions, financial entities must put in place exit strategies that t

EU-DORA-28-23 Requirement

Ensure ability to exit without disruption, compliance limitation, or service detriment

Financial entities must ensure they can exit contractual arrangements without disruption to business activities, limitin

EU-DORA-28-24 Documentation

Maintain comprehensive, documented, tested and reviewed exit plans

Exit plans must be comprehensive, documented and, in accordance with Article 4(2) criteria, sufficiently tested and revi

EU-DORA-28-25 Requirement

Identify alternative solutions and develop transition plans

Financial entities must identify alternative solutions and develop transition plans enabling them to remove contracted I

EU-DORA-28-26 Requirement

Have appropriate contingency measures for business continuity

Financial entities must have appropriate contingency measures in place to maintain business continuity in the event of c

Article 29. Preliminary assessment of ICT concentration risk at entity level

3 obligations
