EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Documentation Obligations
38 obligations
Chapter I — General Provisions
Chapter II — ICT Risk Management
Article 6. ICT risk management framework
1 obligation
Article 8. Identification
5 obligations
EU-DORA-8-01
Documentation
Identify and classify ICT supported business functions, roles and responsibilities
Financial entities must identify, classify and adequately document all ICT supported business functions, roles and respo
EU-DORA-8-06
Documentation
Identify and map all information and ICT assets
Financial entities must identify all information assets and ICT assets, including those on remote sites, network resourc
EU-DORA-8-07
Documentation
Map asset configuration and interdependencies
Financial entities must map the configuration of the information assets and ICT assets and the links and interdependenci
EU-DORA-8-08
Documentation
Identify ICT third-party dependent processes
Financial entities must identify and document all processes that are dependent on ICT third-party service providers, and
EU-DORA-8-09
Documentation
Maintain and update asset inventories
Financial entities must maintain relevant inventories for business functions, assets, and third-party dependencies, and
Article 9. Protection and prevention
3 obligations
EU-DORA-9-10
Documentation
Develop and document information security policy
Financial entities must develop and document an information security policy defining rules to protect the availability,
EU-DORA-9-15
Documentation
Implement documented ICT change management policies
Financial entities must implement documented policies, procedures and controls for ICT change management, including chan
EU-DORA-9-17
Documentation
Have appropriate and comprehensive documented policies for patches and updates
Financial entities must have appropriate and comprehensive documented policies for patches and updates.
Article 11. Response and recovery
2 obligations
EU-DORA-11-02
Documentation
Implement ICT business continuity policy through documented arrangements
Financial entities must implement the ICT business continuity policy through dedicated, appropriate and documented arran
EU-DORA-11-20
Documentation
Keep readily accessible records of disruption activities
Financial entities must keep readily accessible records of activities before and during disruption events when their ICT
Article 12. Backup policies and procedures, restoration and recovery procedures and methods
2 obligations
EU-DORA-12-01
Documentation
Develop and document backup policies specifying scope and frequency
Financial entities must develop and document backup policies and procedures that specify the scope of data subject to ba
EU-DORA-12-02
Documentation
Develop and document restoration and recovery procedures and methods
Financial entities must develop and document restoration and recovery procedures and methods as part of their ICT risk m
Article 14. Communication
3 obligations
EU-DORA-14-01
Documentation
Crisis Communication Plans for ICT Incidents
Financial entities must establish and maintain crisis communication plans that enable responsible disclosure of at least
EU-DORA-14-02
Documentation
Internal Staff Communication Policies
Financial entities must implement communication policies for internal staff as part of their ICT risk management framewo
EU-DORA-14-03
Documentation
External Stakeholder Communication Policies
Financial entities must implement communication policies for external stakeholders as part of their ICT risk management
Article 16. Simplified ICT risk management framework
1 obligation
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 17. ICT-related incident management process
1 obligation
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
1 obligation
Article 21. Centralisation of reporting of major ICT-related incidents
6 obligations
EU-DORA-21-02
Documentation
Include prerequisites assessment in joint report
The joint report must comprise an assessment of prerequisites for the establishment of a single EU Hub for ICT incident
EU-DORA-21-04
Documentation
Include interoperability capability assessment in joint report
The joint report must comprise an assessment of the necessary capability to ensure interoperability with regard to other
EU-DORA-21-05
Documentation
Include operational management elements in joint report
The joint report must comprise elements of operational management for the single EU Hub.
EU-DORA-21-06
Documentation
Include membership conditions in joint report
The joint report must comprise conditions of membership for the single EU Hub.
EU-DORA-21-07
Documentation
Include technical access arrangements in joint report
The joint report must comprise technical arrangements for financial entities and national competent authorities to acces
EU-DORA-21-08
Documentation
Include preliminary financial cost assessment in joint report
The joint report must comprise a preliminary assessment of financial costs incurred by setting-up the operational platfo
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
4 obligations
EU-DORA-28-05
Documentation
Include policy on critical/important ICT services in third-party risk strategy
The ICT third-party risk strategy must include a policy on the use of ICT services supporting critical or important func
EU-DORA-28-07
Documentation
Maintain and update register of ICT service contractual arrangements
Financial entities must maintain and update at entity, sub-consolidated and consolidated levels a register of informatio
EU-DORA-28-08
Documentation
Appropriately document contractual arrangements with distinction
Contractual arrangements must be appropriately documented, distinguishing between those that cover ICT services supporti
EU-DORA-28-24
Documentation
Maintain comprehensive, documented, tested and reviewed exit plans
Exit plans must be comprehensive, documented and, in accordance with Article 4(2) criteria, sufficiently tested and revi
Article 30. Key contractual provisions
3 obligations
EU-DORA-30-01
Documentation
Written documentation of rights and obligations
Rights and obligations of the financial entity and ICT third-party service provider must be clearly allocated and set ou
EU-DORA-30-02
Documentation
Include clear description of ICT services and functions
Contractual arrangements must include a clear and complete description of all functions and ICT services to be provided
EU-DORA-30-06
Documentation
Include service level descriptions
Contracts must include service level descriptions, including updates and revisions thereof.
Article 33. Tasks of the Lead Overseer
1 obligation
Article 34. Operational coordination between Lead Overseers
1 obligation
Article 36. Exercise of the powers of the Lead Overseer outside the Union
1 obligation
Article 38. General investigations
1 obligation
Article 39. Inspections
1 obligation
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Article 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555
1 obligation