EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Data Governance Obligations
15 obligations
Chapter I — General Provisions
Chapter II — ICT Risk Management
Article 5. Governance and organisation
4 obligations
EU-DORA-5-07
Data Governance
Establish data availability policies
The management body must put in place policies that aim to ensure the maintenance of high standards of availability of d
EU-DORA-5-08
Data Governance
Establish data authenticity policies
The management body must put in place policies that aim to ensure the maintenance of high standards of authenticity of d
EU-DORA-5-09
Data Governance
Establish data integrity policies
The management body must put in place policies that aim to ensure the maintenance of high standards of integrity of data
EU-DORA-5-10
Data Governance
Establish data confidentiality policies
The management body must put in place policies that aim to ensure the maintenance of high standards of confidentiality o
Article 9. Protection and prevention
2 obligations
EU-DORA-9-04
Data Governance
Maintain high standards of data availability, authenticity, integrity and confidentiality
Financial entities must maintain high standards of availability, authenticity, integrity and confidentiality of data whe
EU-DORA-9-09
Data Governance
Protect data from data management risks
Financial entities must ensure that data is protected from risks arising from data management, including poor administra
Chapter III — ICT-Related Incident Management, Classification and Reporting
Chapter IV — Digital Operational Resilience Testing
Article 27. Requirements for testers for the carrying out of TLPT
1 obligation
Chapter V — Managing ICT Third-Party Risk
Article 30. Key contractual provisions
2 obligations
EU-DORA-30-04
Data Governance
Include data protection provisions
Contracts must include provisions on availability, authenticity, integrity and confidentiality in relation to the protec
EU-DORA-30-05
Data Governance
Include data access and recovery provisions
Contracts must include provisions ensuring access, recovery and return in an easily accessible format of personal and no
Article 33. Tasks of the Lead Overseer
1 obligation
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Article 55. Professional secrecy
2 obligations
EU-DORA-55-01
Data Governance
Apply professional secrecy conditions to confidential information
All confidential information received, exchanged or transmitted pursuant to this Regulation must be subject to the condi
EU-DORA-55-04
Data Governance
Treat business and operational information as confidential
All information exchanged between competent authorities concerning business or operational conditions and other economic
Article 56. Data Protection
3 obligations
EU-DORA-56-01
Data Governance
Personal Data Processing Limitation for ESAs and Competent Authorities
ESAs and competent authorities must only process personal data when necessary for carrying out their specific obligation
EU-DORA-56-02
Data Governance
GDPR/EUDPR Compliance for Personal Data Processing
ESAs and competent authorities must process personal data in accordance with Regulation (EU) 2016/679 (GDPR) or Regulati
EU-DORA-56-03
Data Governance
Personal Data Retention Period Limitation
ESAs and competent authorities must retain personal data only until the discharge of applicable supervisory duties and f