EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Monitoring Obligations (22)
Chapter I — General Provisions
Chapter II — ICT Risk Management
Article 6. ICT risk management framework
1 obligation
Article 8. Identification
1 obligation
Article 9. Protection and prevention
1 obligation
Article 13. Learning and evolving
3 obligations
EU-DORA-13-10
Monitoring
Monitor Digital Operational Resilience Strategy Implementation
Financial entities must monitor the effectiveness of the implementation of their digital operational resilience strategy
EU-DORA-13-11
Monitoring
Map ICT Risk Evolution Over Time
Financial entities must map the evolution of ICT risk over time and analyze the frequency, types, magnitude and evolutio
EU-DORA-13-15
Monitoring
Monitor Technological Developments Continuously
Financial entities (except microenterprises) must continuously monitor relevant technological developments to understand
Article 16. Simplified ICT risk management framework
1 obligation
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
1 obligation
Article 22. Supervisory feedback
1 obligation
Chapter IV — Digital Operational Resilience Testing
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
2 obligations
EU-DORA-28-06
Monitoring
Management body regular risk review for critical/important functions
The management body must regularly review risks identified in respect to contractual arrangements on the use of ICT serv
EU-DORA-28-19
Monitoring
Pre-determine audit frequency and areas using risk-based approach
In exercising access, inspection and audit rights over ICT third-party service providers, financial entities must pre-de
Article 30. Key contractual provisions
2 obligations
EU-DORA-30-11
Monitoring
Include full service level descriptions for critical functions
For ICT services supporting critical or important functions, contracts must include full service level descriptions with
EU-DORA-30-15
Monitoring
Grant unrestricted access and inspection rights
For critical or important functions, contracts must grant unrestricted rights of access, inspection and audit by the fin
Article 31. Designation of critical ICT third-party service providers
1 obligation
Article 32. Structure of the Oversight Framework
1 obligation
Article 33. Tasks of the Lead Overseer
3 obligations
EU-DORA-33-01
Monitoring
Conduct oversight of assigned critical ICT third-party service providers
The Lead Overseer must conduct oversight activities for all critical ICT third-party service providers assigned to them
EU-DORA-33-10
Monitoring
Assess incident identification, monitoring and reporting mechanisms
The assessment must cover the identification, monitoring and prompt reporting of material ICT-related incidents to finan
EU-DORA-33-13
Monitoring
Assess ICT audits
The assessment must cover ICT audits conducted by the critical ICT third-party service provider.
Article 35. Powers of the Lead Overseer
1 obligation
Article 36. Exercise of the powers of the Lead Overseer outside the Union
1 obligation
Article 39. Inspections
1 obligation
Article 42. Follow-up by competent authorities
1 obligation