EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Reporting Obligations (50)
Chapter I — General Provisions
Article 1. Subject matter
2 obligations
EU-DORA-1-02
Reporting
Report major ICT-related incidents to competent authorities
Financial entities must report major ICT-related incidents to the competent authorities as specified in this Regulation.
EU-DORA-1-03
Reporting
Report major operational or security payment-related incidents
Financial entities referred to in Article 2(1), points (a) to (d) must report major operational or security payment-rela
Chapter II — ICT Risk Management
Article 5. Governance and organisation
4 obligations
EU-DORA-5-30
Reporting
Establish reporting channels for ICT third-party arrangements
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of arrange
EU-DORA-5-31
Reporting
Establish reporting channels for planned ICT third-party changes
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of any rel
EU-DORA-5-32
Reporting
Establish reporting channels for impact assessment of ICT third-party changes
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of the pot
EU-DORA-5-33
Reporting
Establish reporting channels for major ICT-related incidents
The management body must put in place, at corporate level, reporting channels enabling it to be duly informed of at leas
Article 6. ICT risk management framework
1 obligation
Article 11. Response and recovery
2 obligations
EU-DORA-11-21
Reporting
Provide ICT business continuity test results to authorities (CSDs)
Central securities depositories must provide the competent authorities with copies of the results of the ICT business co
EU-DORA-11-22
Reporting
Report aggregated annual costs and losses upon request
Financial entities other than microenterprises must report to the competent authorities, upon their request, an estimati
Article 13. Learning and evolving
2 obligations
EU-DORA-13-03
Reporting
Report post-incident review changes to authorities
Financial entities (except microenterprises) must communicate to competent authorities, upon request, the changes implem
EU-DORA-13-12
Reporting
Senior ICT staff annual reporting to management body
Senior ICT staff must report at least yearly to the management body on the findings from lessons learned incorporation (
Article 16. Simplified ICT risk management framework
1 obligation
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 17. ICT-related incident management process
1 obligation
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
9 obligations
EU-DORA-19-01
Reporting
Report major ICT-related incidents to competent authority
Financial entities must report major ICT-related incidents to the relevant competent authority as specified in Article 4
EU-DORA-19-02
Reporting
Report major ICT incidents to ECB (significant credit institutions)
Credit institutions classified as significant must report major ICT-related incidents to the relevant national competent
EU-DORA-19-08
Reporting
Submit initial notification within prescribed time limits
Financial entities must submit an initial notification to the relevant competent authority within the time limits specif
EU-DORA-19-09
Reporting
Submit intermediate reports upon status changes
Financial entities must submit intermediate reports after the initial notification when the incident status changes sign
EU-DORA-19-10
Reporting
Submit final report after root cause analysis completion
Financial entities must submit a final report when root cause analysis is completed (regardless of mitigation implementa
EU-DORA-19-12
Reporting
Provide incident details to specified recipients timely
Competent authorities must timely provide details of major ICT-related incidents to EBA/ESMA/EIOPA, ECB, CSIRTs, resolut
EU-DORA-19-14
Reporting
Notify European System of Central Banks on payment system issues
The ECB must notify members of the European System of Central Banks on issues relevant to the payment system.
EU-DORA-19-16
Reporting
Urgently transmit CSD incident details to host Member State
Competent authorities must urgently transmit details of major ICT-related incidents to relevant authorities in host Memb
EU-DORA-19-18
Reporting
Immediately transmit reports to ECB (national authorities)
National competent authorities designated under Directive 2013/36/EU must immediately transmit major ICT-related inciden
Article 21. Centralisation of reporting of major ICT-related incidents
2 obligations
EU-DORA-21-01
Reporting
Prepare joint report on centralized ICT incident reporting feasibility
The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, must prepare a joint report assessing
EU-DORA-21-09
Reporting
Submit joint report by deadline
The ESAs must submit the joint report on centralized ICT incident reporting to the European Parliament, to the Council a
Article 22. Supervisory feedback
3 obligations
EU-DORA-22-01
Reporting
Acknowledge receipt of incident notifications and reports
Competent authorities must acknowledge receipt of initial notifications and reports submitted under Article 19(4) regard
EU-DORA-22-04
Reporting
Provide incident details to ESAs for annual reporting
Competent authorities must provide details of major ICT-related incidents to the ESAs in accordance with Article 19(6) t
EU-DORA-22-05
Reporting
Produce annual aggregated report on major ICT incidents
The ESAs must, through the Joint Committee, produce yearly reports on major ICT-related incidents on an anonymised and a
Chapter IV — Digital Operational Resilience Testing
Article 26. Advanced testing of ICT tools, systems and processes based on TLPT
2 obligations
EU-DORA-26-07
Reporting
Provide TLPT summary and remediation plans
After TLPT completion, financial entities and external testers must provide designated authority with summary of finding
EU-DORA-26-08
Reporting
Notify competent authority of TLPT attestation
Financial entities must notify their relevant competent authority of the attestation received, the summary of findings,
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
1 obligation
Article 30. Key contractual provisions
1 obligation
Article 31. Designation of critical ICT third-party service providers
1 obligation
Article 32. Structure of the Oversight Framework
3 obligations
EU-DORA-32-04
Reporting
Conduct yearly collective assessment of oversight activities
The Oversight Forum must undertake a collective assessment on a yearly basis of the results and findings of the oversigh
EU-DORA-32-06
Reporting
Submit comprehensive benchmarks for critical ICT third-party service providers
The Oversight Forum must submit comprehensive benchmarks for critical ICT third-party service providers to be adopted by
EU-DORA-32-11
Reporting
Submit yearly report on application of oversight framework
The ESAs, through the Joint Committee and based on preparatory work conducted by the Oversight Forum, must submit a repo
Article 35. Powers of the Lead Overseer
4 obligations
EU-DORA-35-03
Reporting
Provide reports on remedial actions and implementations
Critical ICT third-party service providers must provide reports specifying the actions taken or remedies implemented in
EU-DORA-35-04
Reporting
Transmit subcontracting information using specified template
ICT third-party service providers must transmit information regarding subcontracting to the Lead Overseer using the temp
EU-DORA-35-11
Reporting
Lead Overseer must inform JON of power exercise outcomes
The Lead Overseer must inform the Joint Oversight Network (JON) of the outcome of exercising powers related to informati
EU-DORA-35-12
Reporting
Lead Overseer must transmit remedial action reports
The Lead Overseer must, without undue delay, transmit reports on remedial actions to the JON and to competent authoritie
Article 42. Follow-up by competent authorities
1 obligation
Article 44. International cooperation
1 obligation
Chapter VI — Information-Sharing Arrangements
Article 45. Information-sharing arrangements on cyber threat information and intelligence
1 obligation
Chapter VII — Competent Authorities
Article 53. Notification duties
2 obligations
EU-DORA-53-01
Reporting
Initial notification of implementing laws by 17 January 2025
Member States must notify the Commission, ESMA, EBA and EIOPA of all laws, regulations and administrative provisions imp
EU-DORA-53-02
Reporting
Ongoing notification of amendments to implementing laws
Member States must notify the Commission, ESMA, EBA and EIOPA without undue delay of any subsequent amendments to their
Chapter VIII — Delegated Acts
Article 57. Exercise of the delegation
2 obligations
EU-DORA-57-01
Reporting
Commission delegation report requirement
The Commission must draw up a report regarding the delegation of power not later than nine months before the end of the
EU-DORA-57-03
Reporting
Simultaneous notification requirement for delegated acts
As soon as it adopts a delegated act, the Commission must notify it simultaneously to the European Parliament and to the
Chapter IX — Transitional and Final Provisions
Article 58. Review clause
3 obligations
EU-DORA-58-01
Reporting
Commission review and report on DORA by January 2028
The Commission must carry out a comprehensive review of specific aspects of DORA and submit a report to the European Par
EU-DORA-58-03
Reporting
Commission assessment of payment systems cyber resilience by July 2023
The Commission must assess the need for increased cyber resilience of payment systems and payment-processing activities
EU-DORA-58-06
Reporting
Commission review of auditor digital resilience requirements by January 2026
The Commission must carry out a review on the appropriateness of strengthened requirements for statutory auditors and au
Article 61. Amendments to Regulation (EU) No 909/2014
1 obligation