EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
  - Art. 1. Subject matter (8)
  - Art. 2. Scope (4)
  - Art. 3. Definitions ref
  - Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
  - Art. 5. Governance and organisation (37)
  - Art. 6. ICT risk management framework (23)
  - Art. 7. ICT systems, protocols and tools (4)
  - Art. 8. Identification (10)
  - Art. 9. Protection and prevention (17)
  - Art. 10. Detection (7)
  - Art. 11. Response and recovery (23)
  - Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
  - Art. 13. Learning and evolving (16)
  - Art. 14. Communication (4)
  - Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
  - Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
  - Art. 17. ICT-related incident management process (9)
  - Art. 18. Classification of ICT-related incidents and cyber threats (7)
  - Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
  - Art. 20. Harmonisation of reporting content and templates (7)
  - Art. 21. Centralisation of reporting of major ICT-related incidents (9)
  - Art. 22. Supervisory feedback (6)
  - Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
  - Art. 24. General requirements for the performance of digital operational resilience testing (8)
  - Art. 25. Testing of ICT tools and systems (3)
  - Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
  - Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
  - Art. 28. General principles (26)
  - Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
  - Art. 30. Key contractual provisions (24)
  - Art. 31. Designation of critical ICT third-party service providers (16)
  - Art. 32. Structure of the Oversight Framework (11)
  - Art. 33. Tasks of the Lead Overseer (18)
  - Art. 34. Operational coordination between Lead Overseers (4)
  - Art. 35. Powers of the Lead Overseer (19)
  - Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
  - Art. 37. Request for information (15)
  - Art. 38. General investigations (10)
  - Art. 39. Inspections (8)
  - Art. 40. Ongoing oversight (7)
  - Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
  - Art. 42. Follow-up by competent authorities (14)
  - Art. 43. Oversight fees (3)
  - Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
  - Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
  - Art. 46. Competent authorities (17)
  - Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
  - Art. 48. Cooperation between authorities (2)
  - Art. 49. Financial cross-sector exercises, communication and cooperation (5)
  - Art. 50. Administrative penalties and remedial measures (14)
  - Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
  - Art. 52. Criminal penalties (2)
  - Art. 53. Notification duties (2)
  - Art. 54. Publication of administrative penalties (8)
  - Art. 55. Professional secrecy (4)
  - Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
  - Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
  - Art. 58. Review clause (7)
  - Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
  - Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
  - Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
  - Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
  - Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
  - Art. 64. Entry into force and application (1)
Requirement Obligations (349)
Chapter I — General Provisions
Article 1. Subject matter
4 obligations
EU-DORA-1-04
Requirement
Conduct digital operational resilience testing
Financial entities must conduct digital operational resilience testing in accordance with the requirements specified in
EU-DORA-1-05
Requirement
Participate in information and intelligence sharing on cyber threats
Financial entities must engage in information and intelligence sharing in relation to cyber threats and vulnerabilities
EU-DORA-1-07
Requirement
Comply with contractual arrangement requirements for ICT services
Both ICT third-party service providers and financial entities must ensure their contractual arrangements comply with the
EU-DORA-1-08
Requirement
Comply with Oversight Framework for critical ICT third-party providers
Critical ICT third-party service providers must comply with the rules for the establishment and conduct of the Oversight
Article 2. Scope
2 obligations
EU-DORA-2-01
Requirement
Comply with DORA requirements (financial entities)
Financial entities listed in Article 2(1)(a) to (t) must comply with all requirements imposed by this Regulation on digi
EU-DORA-2-02
Requirement
Comply with DORA requirements (ICT third-party service providers)
ICT third-party service providers must comply with the specific requirements imposed by this Regulation applicable to th
Article 4. Proportionality principle
3 obligations
EU-DORA-4-01
Requirement
Implement Chapter II rules with proportionality
Financial entities must implement the rules laid down in Chapter II in accordance with the principle of proportionality,
EU-DORA-4-02
Requirement
Apply Chapters III, IV and V Section I proportionately
Financial entities must apply the provisions of Chapters III, IV and V, Section I in a manner proportionate to their siz
EU-DORA-4-03
Requirement
Consider proportionality principle in ICT risk management framework reviews
Competent authorities must consider the application of the proportionality principle by financial entities when reviewin
Chapter II — ICT Risk Management
Article 5. Governance and organisation
25 obligations
EU-DORA-5-01
Requirement
Establish internal governance and control framework for ICT risk management
Financial entities must have in place an internal governance and control framework that ensures an effective and prudent
EU-DORA-5-02
Requirement
Management body must define ICT risk management framework
The management body of the financial entity must define all arrangements related to the ICT risk management framework re
EU-DORA-5-03
Requirement
Management body must approve ICT risk management framework
The management body of the financial entity must approve all arrangements related to the ICT risk management framework r
EU-DORA-5-05
Requirement
Management body responsibility for ICT risk management implementation
The management body of the financial entity must be responsible for the implementation of all arrangements related to th
EU-DORA-5-06
Requirement
Management body bears ultimate responsibility for managing ICT risk
The management body must bear the ultimate responsibility for managing the financial entity's ICT risk.
EU-DORA-5-11
Requirement
Set clear roles and responsibilities for ICT functions
The management body must set clear roles and responsibilities for all ICT-related functions.
EU-DORA-5-12
Requirement
Establish governance arrangements for ICT function coordination
The management body must establish appropriate governance arrangements to ensure effective and timely communication, coo
EU-DORA-5-13
Requirement
Set and approve digital operational resilience strategy
The management body must bear the overall responsibility for setting and approving the digital operational resilience st
EU-DORA-5-15
Requirement
Approve ICT business continuity policy
The management body must approve the financial entity's ICT business continuity policy referred to in Article 11(1).
EU-DORA-5-17
Requirement
Periodically review ICT business continuity policy implementation
The management body must periodically review the implementation of the financial entity's ICT business continuity policy
EU-DORA-5-18
Requirement
Approve ICT response and recovery plans
The management body must approve the financial entity's ICT response and recovery plans referred to in Article 11(3).
EU-DORA-5-20
Requirement
Periodically review ICT response and recovery plans implementation
The management body must periodically review the implementation of the financial entity's ICT response and recovery plan
EU-DORA-5-21
Requirement
Approve ICT internal audit plans
The management body must approve the financial entity's ICT internal audit plans.
EU-DORA-5-22
Requirement
Approve ICT audits
The management body must approve the financial entity's ICT audits.
EU-DORA-5-23
Requirement
Approve material modifications to ICT audit plans and audits
The management body must approve material modifications to the financial entity's ICT internal audit plans and ICT audit
EU-DORA-5-24
Requirement
Periodically review ICT internal audit plans
The management body must periodically review the financial entity's ICT internal audit plans.
EU-DORA-5-25
Requirement
Periodically review ICT audits
The management body must periodically review the financial entity's ICT audits.
EU-DORA-5-26
Requirement
Allocate appropriate budget for digital operational resilience
The management body must allocate appropriate budget to fulfill the financial entity's digital operational resilience ne
EU-DORA-5-27
Requirement
Periodically review budget for digital operational resilience
The management body must periodically review the appropriate budget to fulfill the financial entity's digital operationa
EU-DORA-5-28
Requirement
Approve policy on ICT third-party service provider arrangements
The management body must approve the financial entity's policy on arrangements regarding the use of ICT services provide
EU-DORA-5-29
Requirement
Periodically review policy on ICT third-party service provider arrangements
The management body must periodically review the financial entity's policy on arrangements regarding the use of ICT serv
EU-DORA-5-34
Requirement
Establish role to monitor ICT third-party service arrangements (non-microenterprises)
Financial entities, other than microenterprises, must establish a role in order to monitor the arrangements concluded wi
EU-DORA-5-35
Requirement
Designate senior management for ICT third-party risk oversight (non-microenterprises)
Financial entities, other than microenterprises, may designate a member of senior management as responsible for overseei
EU-DORA-5-36
Requirement
Management body members must maintain ICT risk knowledge and skills
Members of the management body of the financial entity must actively keep up to date with sufficient knowledge and skill
EU-DORA-5-37
Requirement
Management body members must follow regular ICT risk training
Members of the management body of the financial entity must follow specific training on a regular basis, commensurate to
Article 6. ICT risk management framework
15 obligations
EU-DORA-6-02
Requirement
Include minimum components in ICT risk management framework
The ICT risk management framework must include at least strategies, policies, procedures, ICT protocols and tools necess
EU-DORA-6-06
Requirement
Ensure segregation of ICT functions according to three lines of defence
Financial entities must ensure appropriate segregation and independence of ICT risk management functions, control functi
EU-DORA-6-08
Requirement
Continuously improve ICT risk management framework
The ICT risk management framework must be continuously improved based on lessons derived from implementation and monitor
EU-DORA-6-11
Requirement
Ensure auditors have sufficient ICT risk expertise and independence
Auditors conducting ICT risk management framework audits must possess sufficient knowledge, skills and expertise in ICT
EU-DORA-6-12
Requirement
Ensure ICT audit frequency is commensurate to ICT risk
The frequency and focus of ICT audits must be commensurate to the ICT risk of the financial entity.
EU-DORA-6-13
Requirement
Establish formal follow-up process for audit findings
Financial entities must establish a formal follow-up process based on internal audit review conclusions, including rules
EU-DORA-6-14
Requirement
Include digital operational resilience strategy in framework
The ICT risk management framework must include a digital operational resilience strategy setting out how the framework s
EU-DORA-6-15
Requirement
Explain framework support for business strategy and objectives
The digital operational resilience strategy must explain how the ICT risk management framework supports the financial en
EU-DORA-6-17
Requirement
Set clear information security objectives with KPIs and metrics
The digital operational resilience strategy must set out clear information security objectives, including key performanc
EU-DORA-6-18
Requirement
Explain ICT reference architecture and needed changes
The digital operational resilience strategy must explain the ICT reference architecture and any changes needed to reach
EU-DORA-6-19
Requirement
Outline ICT incident detection and protection mechanisms
The digital operational resilience strategy must outline the different mechanisms put in place to detect ICT-related inc
EU-DORA-6-20
Requirement
Evidence current digital operational resilience situation
The digital operational resilience strategy must evidence the current digital operational resilience situation based on
EU-DORA-6-21
Requirement
Implement digital operational resilience testing
The digital operational resilience strategy must implement digital operational resilience testing in accordance with Cha
EU-DORA-6-22
Requirement
Outline communication strategy for ICT incidents
The digital operational resilience strategy must outline a communication strategy in the event of ICT-related incidents
EU-DORA-6-23
Requirement
Maintain full responsibility when outsourcing ICT risk management verification
When financial entities outsource tasks of verifying compliance with ICT risk management requirements to intra-group or
Article 7. ICT systems, protocols and tools
4 obligations
EU-DORA-7-01
Requirement
Use and maintain updated ICT systems with appropriate magnitude
Financial entities must use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude
EU-DORA-7-02
Requirement
Use and maintain reliable ICT systems
Financial entities must use and maintain updated ICT systems, protocols and tools that are reliable.
EU-DORA-7-03
Requirement
Use ICT systems with sufficient data processing capacity
Financial entities must use and maintain updated ICT systems, protocols and tools equipped with sufficient capacity to a
EU-DORA-7-04
Requirement
Use technologically resilient ICT systems for stressed conditions
Financial entities must use and maintain updated ICT systems, protocols and tools that are technologically resilient in
Article 9. Protection and prevention
8 obligations
EU-DORA-9-03
Requirement
Design, procure and implement ICT security policies for resilience
Financial entities must design, procure and implement ICT security policies, procedures, protocols and tools that ensure
EU-DORA-9-05
Requirement
Use appropriate ICT solutions and processes per Article 4
Financial entities must use ICT solutions and processes that are appropriate in accordance with Article 4 to achieve sec
EU-DORA-9-06
Requirement
Ensure security of data transfer means
Financial entities must ensure the security of the means of transfer of data through their ICT solutions and processes.
EU-DORA-9-08
Requirement
Prevent availability loss, authenticity/integrity impairment and confidentiality breaches
Financial entities must prevent the lack of availability, the impairment of the authenticity and integrity, the breaches
EU-DORA-9-11
Requirement
Establish sound network and infrastructure management structure
Financial entities must establish a sound network and infrastructure management structure using appropriate techniques,
EU-DORA-9-12
Requirement
Design network connection infrastructure for instant severance/segmentation
Financial entities must design the network connection infrastructure in a way that allows it to be instantaneously sever
EU-DORA-9-13
Requirement
Implement policies limiting physical/logical access to assets
Financial entities must implement policies that limit the physical or logical access to information assets and ICT asset
EU-DORA-9-14
Requirement
Implement strong authentication mechanisms and cryptographic key protection
Financial entities must implement policies and protocols for strong authentication mechanisms based on relevant standard
Article 10. Detection
7 obligations
EU-DORA-10-01
Requirement
Implement anomaly detection mechanisms
Financial entities must establish and maintain mechanisms to promptly detect anomalous activities, ICT network performan
EU-DORA-10-02
Requirement
Regular testing of detection mechanisms
Financial entities must regularly test all detection mechanisms in accordance with Article 25.
EU-DORA-10-03
Requirement
Implement multiple layers of control in detection mechanisms
Detection mechanisms must enable multiple layers of control to provide comprehensive monitoring and detection capabiliti
EU-DORA-10-04
Requirement
Define alert thresholds and criteria
Financial entities must define alert thresholds and criteria to trigger and initiate ICT-related incident response proce
EU-DORA-10-05
Requirement
Implement automatic alert mechanisms
Detection mechanisms must include automatic alert mechanisms for relevant staff in charge of ICT-related incident respon
EU-DORA-10-06
Requirement
Devote sufficient resources for monitoring activities
Financial entities must allocate sufficient resources and capabilities to monitor user activity, ICT anomalies occurrenc
EU-DORA-10-07
Requirement
Implement trade report checking systems (data reporting service providers)
Data reporting service providers must have systems that can effectively check trade reports for completeness, identify o
Article 11. Response and recovery
19 obligations
EU-DORA-11-01
Requirement
Establish comprehensive ICT business continuity policy
Financial entities must put in place a comprehensive ICT business continuity policy as part of their ICT risk management
EU-DORA-11-03
Requirement
Ensure continuity of critical or important functions
Financial entities must implement arrangements that ensure the continuity of the financial entity's critical or importan
EU-DORA-11-04
Requirement
Establish ICT incident response and resolution procedures
Financial entities must implement arrangements to quickly, appropriately and effectively respond to, and resolve, all IC
EU-DORA-11-05
Requirement
Activate dedicated incident containment plans
Financial entities must implement arrangements to activate, without delay, dedicated plans that enable containment measu
EU-DORA-11-06
Requirement
Estimate preliminary impacts, damages and losses
Financial entities must implement arrangements to estimate preliminary impacts, damages and losses from ICT-related inci
EU-DORA-11-07
Requirement
Establish communication and crisis management actions
Financial entities must set out communication and crisis management actions that ensure updated information is transmitt
EU-DORA-11-08
Requirement
Implement ICT response and recovery plans
Financial entities must implement associated ICT response and recovery plans as part of the ICT risk management framewor
EU-DORA-11-09
Requirement
Subject ICT response and recovery plans to independent internal audit
Financial entities other than microenterprises must subject their ICT response and recovery plans to independent interna
EU-DORA-11-10
Requirement
Maintain and test ICT business continuity plans
Financial entities must put in place, maintain and periodically test appropriate ICT business continuity plans, notably
EU-DORA-11-11
Requirement
Conduct business impact analysis (BIA)
Financial entities must conduct a business impact analysis (BIA) of their exposures to severe business disruptions as pa
EU-DORA-11-12
Requirement
Assess potential impact using quantitative and qualitative criteria
Financial entities must assess the potential impact of severe business disruptions by means of quantitative and qualitat
EU-DORA-11-13
Requirement
Consider criticality and interdependencies in BIA
The BIA must consider the criticality of identified and mapped business functions, support processes, third-party depend
EU-DORA-11-14
Requirement
Ensure ICT assets alignment with BIA requirements
Financial entities must ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in
EU-DORA-11-15
Requirement
Test ICT business continuity and response plans annually
Financial entities must test the ICT business continuity plans and the ICT response and recovery plans in relation to IC
EU-DORA-11-16
Requirement
Test crisis communication plans
Financial entities must test the crisis communication plans established in accordance with Article 14.
EU-DORA-11-17
Requirement
Include cyber-attack scenarios and switchover testing
Financial entities other than microenterprises must include in the testing plans scenarios of cyber-attacks and switchov
EU-DORA-11-18
Requirement
Regularly review ICT business continuity policy and plans
Financial entities must regularly review their ICT business continuity policy and ICT response and recovery plans, takin
EU-DORA-11-19
Requirement
Establish crisis management function
Financial entities other than microenterprises must have a crisis management function, which, in the event of activation
EU-DORA-11-23
Requirement
ESAs to develop guidelines on cost and loss estimation
The ESAs, through the Joint Committee, must by 17 July 2024 develop common guidelines on the estimation of aggregated an
Article 12. Backup policies and procedures, restoration and recovery procedures and methods
17 obligations
EU-DORA-12-03
Requirement
Set up backup systems that can be activated according to documented procedures
Financial entities must set up backup systems that can be activated in accordance with their backup policies and procedu
EU-DORA-12-04
Requirement
Ensure backup system activation does not jeopardise security or data integrity
The activation of backup systems must not jeopardise the security of network and information systems or the availability
EU-DORA-12-05
Requirement
Periodically test backup, restoration and recovery procedures
Financial entities must undertake periodic testing of backup procedures and restoration and recovery procedures and meth
EU-DORA-12-06
Requirement
Use physically and logically segregated ICT systems for backup restoration
When restoring backup data using own systems, financial entities must use ICT systems that are physically and logically
EU-DORA-12-07
Requirement
Securely protect backup ICT systems from unauthorised access and corruption
Backup ICT systems must be securely protected from any unauthorised access or ICT corruption and allow for timely restor
EU-DORA-12-08
Requirement
Enable recovery of all transactions for central counterparties
For central counterparties, recovery plans must enable the recovery of all transactions at the time of disruption to all
EU-DORA-12-09
Requirement
Maintain adequate resources and backup facilities for data reporting services
Data reporting service providers must maintain adequate resources and have back-up and restoration facilities in place i
EU-DORA-12-10
Requirement
Maintain redundant ICT capacities (non-microenterprises)
Financial entities, other than microenterprises, must maintain redundant ICT capacities equipped with resources, capabil
EU-DORA-12-11
Requirement
Assess need for redundant ICT capacities (microenterprises)
Microenterprises must assess the need to maintain redundant ICT capacities based on their risk profile.
EU-DORA-12-12
Requirement
Maintain at least one secondary processing site (CSDs)
Central securities depositories must maintain at least one secondary processing site endowed with adequate resources, ca
EU-DORA-12-13
Requirement
Ensure geographical distance of secondary processing site
The secondary processing site must be located at a geographical distance from the primary processing site to ensure that
EU-DORA-12-14
Requirement
Ensure secondary site can maintain continuity of critical functions
The secondary processing site must be capable of ensuring the continuity of critical or important functions identically
EU-DORA-12-15
Requirement
Ensure immediate accessibility of secondary processing site
The secondary processing site must be immediately accessible to the financial entity's staff to ensure continuity of cri
EU-DORA-12-16
Requirement
Determine recovery time and recovery point objectives based on function criticality
Financial entities must determine recovery time and recovery point objectives for each function, taking into account whe
EU-DORA-12-17
Requirement
Ensure time objectives meet agreed service levels in extreme scenarios
Recovery time objectives must ensure that, in extreme scenarios, the agreed service levels are met.
EU-DORA-12-18
Requirement
Perform necessary checks to ensure data integrity during recovery
When recovering from an ICT-related incident, financial entities must perform necessary checks, including any multiple c
EU-DORA-12-19
Requirement
Perform checks when reconstructing data from external stakeholders
Financial entities must perform checks when reconstructing data from external stakeholders, in order to ensure that all
Article 13. Learning and evolving
9 obligations
EU-DORA-13-01
Requirement
Establish Threat Intelligence Capabilities
Financial entities must establish and maintain capabilities and staff to gather information on vulnerabilities and cyber
EU-DORA-13-02
Requirement
Conduct Post-Incident Reviews After Major ICT Incidents
Financial entities must implement post ICT-related incident reviews after any major ICT-related incident that disrupts t
EU-DORA-13-04
Requirement
Evaluate Response Promptness in Post-Incident Reviews
Post ICT-related incident reviews must determine whether established procedures were followed and actions were effective
EU-DORA-13-05
Requirement
Evaluate Forensic Analysis Quality in Post-Incident Reviews
Post ICT-related incident reviews must assess the quality and speed of performing forensic analysis, where deemed approp
EU-DORA-13-06
Requirement
Evaluate Internal Incident Escalation Effectiveness
Post ICT-related incident reviews must assess the effectiveness of incident escalation within the financial entity.
EU-DORA-13-07
Requirement
Evaluate Communication Effectiveness in Post-Incident Reviews
Post ICT-related incident reviews must assess the effectiveness of both internal and external communication during incid
EU-DORA-13-13
Requirement
Develop ICT Security Awareness Programmes
Financial entities must develop ICT security awareness programmes and digital operational resilience training as compuls
EU-DORA-13-14
Requirement
Include Third-Party Service Providers in Training Schemes
Financial entities must, where appropriate, include ICT third-party service providers in their relevant training schemes
EU-DORA-13-16
Requirement
Keep Updated with Latest ICT Risk Management Processes
Financial entities (except microenterprises) must keep up to date with the latest ICT risk management processes to effec
Article 15. Further harmonisation of ICT risk management tools, methods, processes and policies
10 obligations
EU-DORA-15-01
Requirement
Develop draft RTS for ICT security policies harmonisation
The ESAs must, through the Joint Committee and in consultation with ENISA, develop common draft regulatory technical sta
EU-DORA-15-02
Requirement
Develop draft RTS for access management rights controls
The ESAs must develop common draft regulatory technical standards for further components of access management rights con
EU-DORA-15-03
Requirement
Develop draft RTS for anomalous activity detection mechanisms
The ESAs must develop common draft regulatory technical standards to further develop the mechanisms specified in Article
EU-DORA-15-04
Requirement
Develop draft RTS for ICT business continuity policy components
The ESAs must develop common draft regulatory technical standards to specify further the components of the ICT business
EU-DORA-15-05
Requirement
Develop draft RTS for ICT business continuity plan testing
The ESAs must develop common draft regulatory technical standards to specify further the testing of ICT business continu
EU-DORA-15-06
Requirement
Develop draft RTS for ICT response and recovery plan components
The ESAs must develop common draft regulatory technical standards to specify further the components of the ICT response
EU-DORA-15-07
Requirement
Develop draft RTS for ICT risk management framework review report format
The ESAs must develop common draft regulatory technical standards to specify further the content and format of the repor
EU-DORA-15-08
Requirement
Consider proportionality factors when developing draft RTS
When developing draft regulatory technical standards, the ESAs must take into account the size and overall risk profile
EU-DORA-15-09
Requirement
Submit draft RTS to Commission by deadline
The ESAs must submit the draft regulatory technical standards to the Commission by 17 January 2024.
EU-DORA-15-10
Requirement
Commission power to adopt regulatory technical standards
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referr
Article 16. Simplified ICT risk management framework
5 obligations
EU-DORA-16-07
Requirement
Regularly test business continuity plans and control effectiveness
Test, on a regular basis, the plans and measures referred to in business continuity, as well as the effectiveness of the
EU-DORA-16-08
Requirement
Implement operational conclusions from testing and incidents
Implement, as appropriate, relevant operational conclusions resulting from the tests and from post-incident analysis int
EU-DORA-16-10
Requirement
Continuously improve ICT risk management framework
The ICT risk management framework shall be continuously improved on the basis of lessons derived from implementation and
EU-DORA-16-12
Requirement
ESAs develop regulatory technical standards for simplified framework
The ESAs shall, through the Joint Committee, in consultation with ENISA, develop common draft regulatory technical s
EU-DORA-16-13
Requirement
ESAs submit draft standards to Commission by deadline
The ESAs shall submit the draft regulatory technical standards to the Commission by 17 January 2024.
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 17. ICT-related incident management process
7 obligations
EU-DORA-17-01
Requirement
Define, establish and implement ICT-related incident management process
Financial entities must define, establish and implement an ICT-related incident management process to detect, manage and
EU-DORA-17-03
Requirement
Establish procedures for consistent monitoring, handling and follow-up
Financial entities must establish appropriate procedures and processes to ensure consistent and integrated monitoring, h
EU-DORA-17-04
Requirement
Put in place early warning indicators
The ICT-related incident management process must include early warning indicators.
EU-DORA-17-05
Requirement
Establish incident identification and classification procedures
The incident management process must establish procedures to identify, track, log, categorise and classify ICT-related i
EU-DORA-17-06
Requirement
Assign roles and responsibilities for different incident types
The incident management process must assign roles and responsibilities that need to be activated for different ICT-relat
EU-DORA-17-07
Requirement
Set out communication plans for incidents
The incident management process must set out plans for communication to staff, external stakeholders and media in accord
EU-DORA-17-09
Requirement
Establish incident response procedures
The incident management process must establish ICT-related incident response procedures to mitigate impacts and ensure t
Article 18. Classification of ICT-related incidents and cyber threats
7 obligations
EU-DORA-18-01
Requirement
Classify ICT-related incidents based on specified criteria
Financial entities must classify ICT-related incidents and determine their impact using the six specified criteria: numb
EU-DORA-18-02
Requirement
Classify cyber threats as significant based on specified criteria
Financial entities must classify cyber threats as significant based on the criticality of services at risk (including tr
EU-DORA-18-03
Requirement
Develop draft regulatory technical standards for incident classification criteria
The ESAs must, through the Joint Committee and in consultation with the ECB and ENISA, develop common draft regulatory t
EU-DORA-18-04
Requirement
Develop draft regulatory technical standards for competent authority assessment criteria
The ESAs must develop common draft regulatory technical standards specifying criteria for competent authorities to asses
EU-DORA-18-05
Requirement
Develop draft regulatory technical standards for cyber threat classification criteria
The ESAs must develop common draft regulatory technical standards specifying criteria for classifying cyber threats, inc
EU-DORA-18-06
Requirement
Consider specific criteria when developing regulatory technical standards
When developing the regulatory technical standards, the ESAs must take into account Article 4(2) criteria, international
EU-DORA-18-07
Requirement
Submit draft regulatory technical standards by specified deadline
The ESAs must submit the common draft regulatory technical standards to the Commission by 17 January 2024.
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
3 obligations
EU-DORA-19-04
Requirement
Use alternative notification means when template submission impossible
When technical impossibility prevents submission of initial notification using the template, financial entities must not
EU-DORA-19-11
Requirement
Remain responsible for reporting when outsourcing to third party
When financial entities outsource reporting obligations to a third-party service provider, they must remain fully respon
EU-DORA-19-17
Requirement
Designate single competent authority for multi-supervised entities
Member States must designate a single competent authority responsible for incident reporting functions when a financial
Article 20. Harmonisation of reporting content and templates
6 obligations
EU-DORA-20-01
Requirement
Develop regulatory technical standards for major ICT incident reporting content
The ESAs must develop common draft regulatory technical standards to establish the content of reports for major ICT-rela
EU-DORA-20-02
Requirement
Determine time limits for ICT incident notifications and reports
The ESAs must develop common draft regulatory technical standards to determine the time limits for the initial notificat
EU-DORA-20-03
Requirement
Establish content standards for significant cyber threat notifications
The ESAs must develop common draft regulatory technical standards to establish the content of notifications for signific
EU-DORA-20-04
Requirement
Consider entity characteristics in developing technical standards
When developing regulatory technical standards, the ESAs must take into account the size and overall risk profile of fin
EU-DORA-20-06
Requirement
Develop implementing technical standards for reporting forms and procedures
The ESAs must develop common draft implementing technical standards to establish the standard forms, templates and proce
EU-DORA-20-07
Requirement
Submit technical standards to Commission by deadline
The ESAs must submit the common draft regulatory technical standards and common draft implementing technical standards t
Article 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
2 obligations
EU-DORA-23-01
Requirement
Apply Chapter requirements to operational payment-related incidents
Credit institutions, payment institutions, account information service providers, and electronic money institutions must
EU-DORA-23-02
Requirement
Apply Chapter requirements to major operational payment-related incidents
Credit institutions, payment institutions, account information service providers, and electronic money institutions must
Chapter IV — Digital Operational Resilience Testing
Article 24. General requirements for the performance of digital operational resilience testing
7 obligations
EU-DORA-24-01
Requirement
Establish comprehensive digital operational resilience testing programme
Financial entities (other than microenterprises) must establish, maintain and review a sound and comprehensive digital o
EU-DORA-24-02
Requirement
Include range of assessments and tools in testing programme
The digital operational resilience testing programme must include a range of assessments, tests, methodologies, practice
EU-DORA-24-04
Requirement
Ensure tests are undertaken by independent parties
Financial entities (other than microenterprises) must ensure that tests are undertaken by independent parties, whether i
EU-DORA-24-05
Requirement
Dedicate sufficient resources and avoid conflicts of interest for internal testing
Where tests are undertaken by an internal tester, financial entities must dedicate sufficient resources and ensure that
EU-DORA-24-06
Requirement
Establish procedures to prioritise, classify and remedy test issues
Financial entities (other than microenterprises) must establish procedures and policies to prioritise, classify and reme
EU-DORA-24-07
Requirement
Establish internal validation methodologies for identified weaknesses
Financial entities (other than microenterprises) must establish internal validation methodologies to ascertain that all
EU-DORA-24-08
Requirement
Conduct yearly tests on critical and important function systems
Financial entities (other than microenterprises) must ensure, at least yearly, that appropriate tests are conducted on a
Article 25. Testing of ICT tools and systems
3 obligations
EU-DORA-25-01
Requirement
Execute appropriate ICT testing programme tests
Execute appropriate tests as part of the digital operational resilience testing programme, including vulnerability asses
EU-DORA-25-02
Requirement
Perform vulnerability assessments before deployment - CSDs and CCPs
Perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructu
EU-DORA-25-03
Requirement
Apply risk-based approach to ICT testing - microenterprises
Perform the tests specified in paragraph 1 by combining a risk-based approach with strategic planning of ICT testing, co
Article 26. Advanced testing of ICT tools, systems and processes based on TLPT
11 obligations
EU-DORA-26-01
Requirement
Conduct TLPT every 3 years
Financial entities (excluding Article 16(1) entities and microenterprises) identified by competent authorities must carr
EU-DORA-26-02
Requirement
Cover critical/important functions in TLPT
Each threat-led penetration test must cover several or all critical or important functions of the financial entity and b
EU-DORA-26-03
Requirement
Identify underlying ICT systems for TLPT
Financial entities must identify all relevant underlying ICT systems, processes and technologies supporting critical or
EU-DORA-26-04
Requirement
Assess TLPT scope and obtain validation
Financial entities must assess which critical or important functions need to be covered by TLPT, determine the precise s
EU-DORA-26-05
Requirement
Ensure ICT third-party participation in TLPT
When ICT third-party service providers are included in TLPT scope, financial entities must take necessary measures to en
EU-DORA-26-09
Requirement
Contract appropriate testers for TLPT
Financial entities must contract testers in accordance with Article 27. When using internal testers, they must contract
EU-DORA-26-10
Requirement
Use only external testers (significant credit institutions)
Credit institutions classified as significant under Article 6(4) of Regulation (EU) No 1024/2013 must only use external
EU-DORA-26-11
Requirement
Identify financial entities for TLPT requirement
Competent authorities must identify financial entities required to perform TLPT based on Article 4(2) criteria and asses
EU-DORA-26-12
Requirement
Provide TLPT attestation to financial entities
Designated authorities must provide financial entities with attestation confirming TLPT was performed according to requi
EU-DORA-26-13
Requirement
Develop joint regulatory technical standards
ESAs must develop joint draft regulatory technical standards with ECB agreement according to TIBER-EU framework, specify
EU-DORA-26-14
Requirement
Submit regulatory technical standards by deadline
ESAs must submit the draft regulatory technical standards to the Commission by 17 July 2024.
Article 27. Requirements for testers for the carrying out of TLPT
8 obligations
EU-DORA-27-01
Requirement
Use only qualified testers for TLPT - highest suitability and reputability
Financial entities must ensure that testers used for carrying out TLPT are of the highest suitability and reputability.
EU-DORA-27-02
Requirement
Use only testers with technical and organisational capabilities
Financial entities must ensure that testers possess technical and organisational capabilities and demonstrate specific e
EU-DORA-27-03
Requirement
Use only certified or code-compliant testers
Financial entities must ensure that testers are certified by an accreditation body in a Member State or adhere to formal
EU-DORA-27-04
Requirement
Require independent assurance from testers
Financial entities must ensure that testers provide an independent assurance, or an audit report, in relation to the sou
EU-DORA-27-05
Requirement
Use only testers with professional indemnity insurance
Financial entities must ensure that testers are duly and fully covered by relevant professional indemnity insurances, in
EU-DORA-27-06
Requirement
Obtain authority approval for internal testers
When using internal testers, financial entities must ensure that such use has been approved by the relevant competent au
EU-DORA-27-07
Requirement
Ensure authority verification of resources and conflict avoidance for internal testers
When using internal testers, financial entities must ensure that the relevant competent authority has verified that the
EU-DORA-27-08
Requirement
Use external threat intelligence provider when using internal testers
When using internal testers, financial entities must ensure that the threat intelligence provider is external to the fin
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
13 obligations
EU-DORA-28-02
Requirement
Remain fully responsible for compliance despite third-party arrangements
Financial entities that have contractual arrangements for the use of ICT services must remain fully responsible for comp
EU-DORA-28-04
Requirement
Adopt and regularly review ICT third-party risk strategy
Financial entities (excluding Article 16(1) first subparagraph entities and microenterprises) must adopt and regularly r
EU-DORA-28-12
Requirement
Assess if contractual arrangement covers critical/important function
Before entering into contractual arrangements for ICT services, financial entities must assess whether the arrangement c
EU-DORA-28-13
Requirement
Assess if supervisory conditions for contracting are met
Before entering into contractual arrangements for ICT services, financial entities must assess if supervisory conditions
EU-DORA-28-15
Requirement
Undertake due diligence on prospective ICT third-party service providers
Before entering into contractual arrangements for ICT services, financial entities must undertake all due diligence on p
EU-DORA-28-17
Requirement
Only contract with providers complying with appropriate information security standards
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with
EU-DORA-28-18
Requirement
Consider highest quality security standards for critical/important functions
For contractual arrangements concerning critical or important functions, financial entities must take due consideration
EU-DORA-28-20
Requirement
Verify auditor skills for technically complex arrangements
For contractual arrangements with high technical complexity, financial entities must verify that auditors (internal, ext
EU-DORA-28-21
Requirement
Ensure contractual arrangements may be terminated in specified circumstances
Financial entities must ensure that contractual arrangements on the use of ICT services may be terminated in circumstanc
EU-DORA-28-22
Requirement
Put in place exit strategies for critical/important functions
For ICT services supporting critical or important functions, financial entities must put in place exit strategies that t
EU-DORA-28-23
Requirement
Ensure ability to exit without disruption, compliance limitation, or service detriment
Financial entities must ensure they can exit contractual arrangements without disruption to business activities, limitin
EU-DORA-28-25
Requirement
Identify alternative solutions and develop transition plans
Financial entities must identify alternative solutions and develop transition plans enabling them to remove contracted I
EU-DORA-28-26
Requirement
Have appropriate contingency measures for business continuity
Financial entities must have appropriate contingency measures in place to maintain business continuity in the event of c
Article 30. Key contractual provisions
12 obligations
EU-DORA-30-07
Requirement
Include ICT incident assistance obligation
Contracts must include the obligation of the ICT third-party service provider to provide assistance to the financial ent
EU-DORA-30-08
Requirement
Include cooperation obligation with authorities
Contracts must include the obligation of the ICT third-party service provider to fully cooperate with the competent auth
EU-DORA-30-09
Requirement
Include termination rights and notice periods
Contracts must include termination rights and related minimum notice periods for the termination of contractual arrangem
EU-DORA-30-10
Requirement
Include security training participation conditions
Contracts must include conditions for the participation of ICT third-party service providers in the financial entities'
EU-DORA-30-14
Requirement
Obligate participation in TLPT
For critical or important functions, contracts must include the obligation of the ICT third-party service provider to pa
EU-DORA-30-16
Requirement
Allow alternative assurance levels agreement
For critical or important functions, contracts must include the right to agree on alternative assurance levels if other
EU-DORA-30-17
Requirement
Obligate cooperation during inspections and audits
For critical or important functions, contracts must include the obligation of the ICT third-party service provider to fu
EU-DORA-30-20
Requirement
Allow migration to alternative solutions
For critical or important functions, exit strategies must allow the financial entity to migrate to another ICT third-par
EU-DORA-30-21
Requirement
Allow delegation of audit rights for microenterprises
For microenterprises, the ICT third-party service provider and financial entity may agree that the financial entity's ri
EU-DORA-30-22
Requirement
Consider use of standard contractual clauses
When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the u
EU-DORA-30-23
Requirement
ESAs develop regulatory technical standards for subcontracting
The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the element
EU-DORA-30-24
Requirement
ESAs submit RTS to Commission by deadline
The ESAs shall submit the draft regulatory technical standards to the Commission by 17 July 2024.
Article 31. Designation of critical ICT third-party service providers
5 obligations
EU-DORA-31-03
Requirement
Designate coordination point for group critical ICT service providers
Critical ICT third-party service providers which are part of a group must designate one legal person as a coordination p
EU-DORA-31-06
Requirement
Consider reasoned statement and may request additional information
The Lead Overseer must consider the reasoned statement submitted by ICT third-party service provider and may request add
EU-DORA-31-09
Requirement
Adopt delegated act specifying criteria by 17 July 2024
The Commission must adopt a delegated act in accordance with Article 57 to supplement this Regulation by specifying furt
EU-DORA-31-14
Requirement
Decide on voluntary critical designation application within 6 months
EBA, ESMA or EIOPA, through the Joint Committee, must decide whether to designate an ICT third-party service provider as
EU-DORA-31-15
Requirement
Establish subsidiary in Union within 12 months for third country providers
Critical ICT third-party service providers established in a third country must establish a subsidiary in the Union withi
Article 32. Structure of the Oversight Framework
6 obligations
EU-DORA-32-01
Requirement
Establish Oversight Forum as sub-committee
The Joint Committee must establish the Oversight Forum as a sub-committee to support the work of the Joint Committee and
EU-DORA-32-02
Requirement
Prepare draft joint positions and common acts
The Oversight Forum must prepare the draft joint positions and the draft common acts of the Joint Committee in the area
EU-DORA-32-05
Requirement
Promote coordination measures for digital operational resilience
The Oversight Forum must promote coordination measures to increase the digital operational resilience of financial entit
EU-DORA-32-07
Requirement
Designate high-level representative for Oversight Forum
Each Member State must designate the relevant competent authority whose staff member shall be the high-level representat
EU-DORA-32-09
Requirement
Appoint independent experts through transparent process
The Oversight Forum must appoint independent experts from a pool of experts selected following a public and transparent
EU-DORA-32-10
Requirement
Issue guidelines on cooperation by 17 July 2024
The ESAs must issue guidelines by 17 July 2024 on the cooperation between the ESAs and the competent authorities coverin
Article 34. Operational coordination between Lead Overseers
3 obligations
EU-DORA-34-01
Requirement
Establish Joint Oversight Network (JON)
The three Lead Overseers must set up a Joint Oversight Network (JON) to coordinate among themselves in preparatory stage
EU-DORA-34-02
Requirement
Ensure consistent oversight approach
Lead Overseers must ensure a consistent approach to oversight activities to enable coordinated general oversight strateg
EU-DORA-34-04
Requirement
Periodically revise oversight protocol
Lead Overseers must periodically revise the common oversight protocol to reflect operational needs, particularly the evo
Article 35. Powers of the Lead Overseer
11 obligations
EU-DORA-35-05
Requirement
Cooperate in good faith with Lead Overseer
Critical ICT third-party service providers must cooperate in good faith with the Lead Overseer and assist it in the fulf
EU-DORA-35-07
Requirement
Lead Overseer must ensure regular coordination within JON
The Lead Overseer must ensure regular coordination within the Joint Oversight Network (JON) and seek consistent approach
EU-DORA-35-08
Requirement
Lead Overseer must account for NIS2 Directive framework
The Lead Overseer must take due account of the framework established by Directive (EU) 2022/2555 and consult relevant co
EU-DORA-35-09
Requirement
Lead Overseer must minimise disruption to out-of-scope customers
The Lead Overseer must seek to minimise, to the extent possible, the risk of disruption to services provided by critical
EU-DORA-35-10
Requirement
Lead Overseer must consult Oversight Forum before exercising powers
The Lead Overseer must consult the Oversight Forum before exercising the powers referred to in paragraph 1 of Article 35
EU-DORA-35-13
Requirement
Lead Overseer must impose periodic penalty payments for non-compliance
The Lead Overseer must adopt a decision imposing periodic penalty payments to compel compliance when critical ICT third-
EU-DORA-35-14
Requirement
Lead Overseer must limit penalty payment duration
The Lead Overseer must impose periodic penalty payments on a daily basis until compliance is achieved and for no more th
EU-DORA-35-15
Requirement
Lead Overseer must calculate penalty payments within prescribed limits
The Lead Overseer must calculate penalty payments up to 1% of average daily worldwide turnover of the critical ICT third
EU-DORA-35-16
Requirement
Lead Overseer must consult JON for penalty consistency
The Lead Overseer must engage in consultation within the Joint Oversight Network (JON) to ensure a consistent approach w
EU-DORA-35-18
Requirement
Lead Overseer must provide opportunity to be heard before penalties
The Lead Overseer must give representatives of critical ICT third-party service providers the opportunity to be heard on
EU-DORA-35-19
Requirement
Lead Overseer must respect defence rights and provide file access
The Lead Overseer must fully respect the rights of defence of persons subject to proceedings and provide access to the f
Article 36. Exercise of the powers of the Lead Overseer outside the Union
13 obligations
EU-DORA-36-02
Requirement
Ensure inspection necessity for third-country oversight
Lead Overseer must deem the conduct of an inspection in a third-country necessary to allow it to fully and effectively p
EU-DORA-36-03
Requirement
Verify direct relation to Union ICT services provision
Lead Overseer must ensure that the inspection in a third-country is directly related to the provision of ICT services to
EU-DORA-36-04
Requirement
Obtain critical ICT provider consent for third-country inspection
Lead Overseer must obtain consent from the critical ICT third-party service provider concerned before conducting an insp
EU-DORA-36-05
Requirement
Provide consent for third-country inspections
Critical ICT third-party service providers must provide consent when requested by the Lead Overseer for the conduct of i
EU-DORA-36-06
Requirement
Officially notify third-country authority before inspection
Lead Overseer must officially notify the relevant authority of the third-country concerned and ensure they have raised n
EU-DORA-36-07
Requirement
Conclude administrative cooperation arrangements with third countries
EBA, ESMA or EIOPA shall conclude administrative cooperation arrangements with relevant third-country authorities to ena
EU-DORA-36-08
Requirement
Include coordination procedures in cooperation arrangements
Cooperation arrangements must specify procedures for coordinating oversight activities under this Regulation and analogo
EU-DORA-36-09
Requirement
Establish information transmission mechanisms in cooperation arrangements
Cooperation arrangements must specify mechanisms for transmission of relevant information between ESAs and third-country
EU-DORA-36-10
Requirement
Include infringement notification mechanisms in cooperation arrangements
Cooperation arrangements must specify mechanisms for prompt notification by third-country authorities to ESAs when criti
EU-DORA-36-11
Requirement
Establish regular regulatory update transmission in cooperation arrangements
Cooperation arrangements must provide for regular transmission of updates on regulatory or supervisory developments conc
EU-DORA-36-12
Requirement
Include third-country authority participation details in cooperation arrangements
Cooperation arrangements must specify details for allowing participation of one representative of the relevant third-cou
EU-DORA-36-13
Requirement
Exercise powers based on available facts when unable to conduct third-country oversight
When the Lead Overseer cannot conduct oversight activities outside the Union, it must exercise its powers under Article
EU-DORA-36-15
Requirement
Consider third-country oversight limitations in recommendations
Lead Overseer must take into consideration the potential consequences of its inability to conduct third-country oversigh
Article 37. Request for information
14 obligations
EU-DORA-37-02
Requirement
Lead Overseer must refer to legal basis in simple requests
When sending a simple request for information, the Lead Overseer shall refer to this Article as the legal basis of the r
EU-DORA-37-03
Requirement
Lead Overseer must state purpose in simple requests
When sending a simple request for information, the Lead Overseer shall state the purpose of the request.
EU-DORA-37-04
Requirement
Lead Overseer must specify required information in simple requests
When sending a simple request for information, the Lead Overseer shall specify what information is required.
EU-DORA-37-05
Requirement
Lead Overseer must set time limit in simple requests
When sending a simple request for information, the Lead Overseer shall set a time limit within which the information is
EU-DORA-37-06
Requirement
Lead Overseer must inform about voluntary nature in simple requests
When sending a simple request for information, the Lead Overseer shall inform the representative that they are not oblig
EU-DORA-37-07
Requirement
Lead Overseer must refer to legal basis in decisions
When requiring by decision to supply information, the Lead Overseer shall refer to this Article as the legal basis of th
EU-DORA-37-08
Requirement
Lead Overseer must state purpose in decisions
When requiring by decision to supply information, the Lead Overseer shall state the purpose of the request.
EU-DORA-37-09
Requirement
Lead Overseer must specify required information in decisions
When requiring by decision to supply information, the Lead Overseer shall specify what information is required.
EU-DORA-37-10
Requirement
Lead Overseer must set time limit in decisions
When requiring by decision to supply information, the Lead Overseer shall set a time limit within which the information
EU-DORA-37-11
Requirement
Lead Overseer must indicate periodic penalties in decisions
When requiring by decision to supply information, the Lead Overseer shall indicate the periodic penalty payments provide
EU-DORA-37-12
Requirement
Lead Overseer must indicate appeal rights in decisions
When requiring by decision to supply information, the Lead Overseer shall indicate the right to appeal the decision to E
EU-DORA-37-13
Requirement
Representatives must supply requested information
Representatives of critical ICT third-party service providers shall supply the information requested by the Lead Oversee
EU-DORA-37-14
Requirement
Provider remains responsible for lawyer-supplied information
When lawyers supply information on behalf of their clients, the critical ICT third-party service provider shall remain f
EU-DORA-37-15
Requirement
Lead Overseer must transmit decision copies to authorities
The Lead Overseer shall, without delay, transmit a copy of the decision to supply information to the competent authoriti
Article 38. General investigations
1 obligation
Article 39. Inspections
4 obligations
EU-DORA-39-02
Requirement
Consult JON before exercising inspection powers
The Lead Overseer must consult the Joint Oversight Network (JON) before exercising inspection powers on ICT third-party
EU-DORA-39-03
Requirement
Exercise inspection powers with written authorisation
Officials and persons authorised by the Lead Overseer must exercise their inspection powers only upon production of writ
EU-DORA-39-05
Requirement
Provide reasonable notice for planned on-site inspections
The Lead Overseer must give reasonable notice to critical ICT third-party service providers before any planned on-site i
EU-DORA-39-06
Requirement
Submit to on-site inspections ordered by Lead Overseer
Critical ICT third-party service providers must submit to on-site inspections ordered by decision of the Lead Overseer.
Article 40. Ongoing oversight
7 obligations
EU-DORA-40-01
Requirement
Lead Overseer must establish joint examination teams for critical ICT providers
When conducting oversight activities, particularly general investigations or inspections, the Lead Overseer shall be ass
EU-DORA-40-02
Requirement
Joint examination team composition requirements
The joint examination team must be composed of staff members from the ESAs, relevant competent authorities supervising f
EU-DORA-40-03
Requirement
Joint examination team member expertise requirements
Members of the joint examination team shall have expertise in ICT matters and in operational risk.
EU-DORA-40-04
Requirement
Joint examination team coordination under Lead Overseer coordinator
The joint examination team shall work under the coordination of a designated Lead Overseer staff member (the 'Lead Overs
EU-DORA-40-05
Requirement
Lead Overseer must adopt recommendations within 3 months after investigation completion
Within 3 months of the completion of an investigation or inspection, the Lead Overseer, after consulting the Oversight F
EU-DORA-40-06
Requirement
Lead Overseer must immediately communicate recommendations to critical ICT provider
The recommendations shall be immediately communicated to the critical ICT third-party service provider.
EU-DORA-40-07
Requirement
Lead Overseer must immediately communicate recommendations to competent authorities
The recommendations shall be immediately communicated to the competent authorities of the financial entities to which th
Article 41. Harmonisation of conditions enabling the conduct of the oversight activities
5 obligations
EU-DORA-41-01
Requirement
Develop draft RTS for voluntary critical ICT third-party service provider designation
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the information to b
EU-DORA-41-02
Requirement
Develop draft RTS for ICT third-party service provider information submission
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the content, structu
EU-DORA-41-03
Requirement
Develop draft RTS for joint examination team criteria and arrangements
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the criteria for det
EU-DORA-41-04
Requirement
Develop draft RTS for competent authorities' assessment details
The ESAs must, through the Joint Committee, develop draft regulatory technical standards to specify the details of the c
EU-DORA-41-05
Requirement
Submit draft regulatory technical standards by deadline
The ESAs must submit the draft regulatory technical standards specified in paragraph 1 to the Commission by 17 July 2024
Article 42. Follow-up by competent authorities
4 obligations
EU-DORA-42-08
Requirement
Consider suspension or termination of ICT provider arrangements
Competent authorities may, as a measure of last resort, require financial entities to temporarily suspend or completely
EU-DORA-42-10
Requirement
Apply specified criteria when making suspension decisions
Competent authorities shall take into account specific criteria including gravity and duration of non-compliance, proced
EU-DORA-42-11
Requirement
Grant financial entities adjustment period for contractual arrangements
Competent authorities shall grant financial entities the necessary period of time to enable them to adjust contractual a
EU-DORA-42-13
Requirement
Cooperate with impacted financial entities during suspension/termination
Critical ICT third-party service providers affected by suspension decisions shall fully cooperate with the financial ent
Article 43. Oversight fees
3 obligations
EU-DORA-43-01
Requirement
Pay oversight fees to Lead Overseer
Critical ICT third-party service providers must pay fees charged by the Lead Overseer that fully cover the Lead Overseer
EU-DORA-43-02
Requirement
Charge oversight fees to critical ICT third-party service providers
The Lead Overseer shall charge critical ICT third-party service providers fees in accordance with the delegated act that
EU-DORA-43-03
Requirement
Adopt delegated act on fee determination
The Commission is empowered to adopt a delegated act in accordance with Article 57 to supplement this Regulation by dete
Article 44. International cooperation
1 obligation
Chapter VI — Information-Sharing Arrangements
Article 45. Information-sharing arrangements on cyber threat information and intelligence
2 obligations
EU-DORA-45-01
Requirement
Comply with information-sharing arrangement conditions for cyber threat intelligence
Financial entities must ensure that when they exchange cyber threat information and intelligence, such sharing: (a) aims
EU-DORA-45-02
Requirement
Define participation conditions in information-sharing arrangements
Information-sharing arrangements must define the conditions for participation and, where appropriate, set out details on
Chapter VII — Competent Authorities
Article 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555
4 obligations
EU-DORA-47-01
Requirement
ESAs and competent authorities may participate in Cooperation Group activities
ESAs and competent authorities may participate in the activities of the Cooperation Group established by Article 14 of D
EU-DORA-47-02
Requirement
Request invitation to Cooperation Group for critical ICT third-party providers
ESAs and competent authorities may request to be invited to participate in Cooperation Group activities for matters rela
EU-DORA-47-04
Requirement
Request technical advice and assistance from NIS2 competent authorities
Competent authorities may request relevant technical advice and assistance from the competent authorities designated or
EU-DORA-47-05
Requirement
Establish cooperation arrangements with NIS2 authorities
Competent authorities may establish cooperation arrangements to allow effective and fast-response coordination mechanism
Article 48. Cooperation between authorities
1 obligation
Article 49. Financial cross-sector exercises, communication and cooperation
5 obligations
EU-DORA-49-01
Requirement
Cross-sector practices sharing mechanism establishment
ESAs, through the Joint Committee and in collaboration with specified authorities, may establish mechanisms to enable th
EU-DORA-49-02
Requirement
Crisis management and contingency exercises development
ESAs and collaborating authorities may develop crisis management and contingency exercises involving cyber-attack scenar
EU-DORA-49-03
Requirement
Cross-sector dependency testing in exercises
Crisis management and contingency exercises may, as appropriate, also test the financial sector's dependencies on other
EU-DORA-49-04
Requirement
Close cooperation and information exchange duty
Competent authorities, ESAs and the ECB shall cooperate closely with each other and exchange information to carry out th
EU-DORA-49-05
Requirement
Close supervision coordination requirement
Competent authorities, ESAs and the ECB shall closely coordinate their supervision in order to identify and remedy breac
Article 50. Administrative penalties and remedial measures
14 obligations
EU-DORA-50-01
Requirement
Grant necessary supervisory, investigatory and sanctioning powers
Competent authorities must be granted all supervisory, investigatory and sanctioning powers necessary to fulfil their du
EU-DORA-50-02
Requirement
Grant document and data access powers
Competent authorities must be granted the power to have access to any document or data held in any form that they consid
EU-DORA-50-03
Requirement
Grant on-site inspection powers including summoning representatives
Competent authorities must be granted the power to carry out on-site inspections or investigations, including summoning
EU-DORA-50-04
Requirement
Grant interview powers for information collection
Competent authorities must be granted the power to interview any other natural or legal person who consents to be interv
EU-DORA-50-05
Requirement
Grant corrective and remedial measures powers
Competent authorities must be granted the power to require corrective and remedial measures for breaches of the requirem
EU-DORA-50-06
Requirement
Establish administrative penalties and remedial measures rules
Member States must lay down rules establishing appropriate administrative penalties and remedial measures for breaches o
EU-DORA-50-07
Requirement
Ensure penalties are effective, proportionate and dissuasive
Administrative penalties and measures must be effective, proportionate and dissuasive.
EU-DORA-50-08
Requirement
Grant power to issue cease and desist orders
Member States must confer on competent authorities the power to issue an order requiring the natural or legal person to
EU-DORA-50-09
Requirement
Grant power to require cessation of contrary practices
Member States must confer on competent authorities the power to require the temporary or permanent cessation of any prac
EU-DORA-50-10
Requirement
Grant power to adopt compliance measures, including measures of a pecuniary nature
Member States must confer on competent authorities the power to adopt any type of measure, including of pecuniary nature
EU-DORA-50-11
Requirement
Grant power to require telecommunication traffic records
Member States must confer on competent authorities the power to require, insofar as permitted by national law, existing
EU-DORA-50-12
Requirement
Grant power to issue public notices and statements
Member States must confer on competent authorities the power to issue public notices, including public statements indica
EU-DORA-50-13
Requirement
Grant power to apply penalties to management and responsible individuals
Where administrative penalties and remedial measures apply to legal persons, Member States must confer on competent auth
EU-DORA-50-14
Requirement
Ensure reasoned decisions and appeal rights for penalties
Member States must ensure that any decision imposing administrative penalties or remedial measures is properly reasoned
Article 51. Exercise of the power to impose administrative penalties and remedial measures
9 obligations
EU-DORA-51-01
Requirement
Exercise administrative penalty powers in accordance with national frameworks
Competent authorities must exercise their powers to impose administrative penalties and remedial measures (as specified
EU-DORA-51-02
Requirement
Consider intentionality and negligence in penalty determination
Competent authorities must take into account the extent to which a breach is intentional or results from negligence when
EU-DORA-51-03
Requirement
Consider materiality, gravity and duration of breach
Competent authorities must consider the materiality, gravity and duration of the breach when determining administrative
EU-DORA-51-04
Requirement
Consider degree of responsibility in penalty determination
Competent authorities must consider the degree of responsibility of the natural or legal person responsible for the brea
EU-DORA-51-05
Requirement
Consider financial strength in penalty determination
Competent authorities must consider the financial strength of the responsible natural or legal person when determining a
EU-DORA-51-06
Requirement
Consider profits gained or losses avoided in penalty determination
Competent authorities must consider the importance of profits gained or losses avoided by the responsible natural or leg
EU-DORA-51-07
Requirement
Consider losses to third parties in penalty determination
Competent authorities must consider the losses for third parties caused by the breach, insofar as they can be determined
EU-DORA-51-08
Requirement
Consider level of cooperation in penalty determination
Competent authorities must consider the level of cooperation of the responsible natural or legal person with the compete
EU-DORA-51-09
Requirement
Consider previous breaches in penalty determination
Competent authorities must consider previous breaches by the responsible natural or legal person when determining the ty
Article 52. Criminal penalties
2 obligations
EU-DORA-52-01
Requirement
Establish liaison powers for competent authorities in criminal penalty regimes
Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they must ensure that ap
EU-DORA-52-02
Requirement
Establish powers to provide criminal investigation information to other authorities
Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they must ensure that co
Article 54. Publication of administrative penalties
4 obligations
EU-DORA-54-03
Requirement
Conduct case-by-case assessment for publication decisions
Competent authorities must conduct a case-by-case assessment to determine if publication of identity would be disproport
EU-DORA-54-04
Requirement
Adopt alternative publication solutions when appropriate
When case-by-case assessment shows publication would be disproportionate, competent authorities must adopt one of three
EU-DORA-54-05
Requirement
May postpone publication where penalties are published anonymously
In cases where administrative penalties are published anonymously, competent authorities may postpone the publication of
EU-DORA-54-08
Requirement
Limit publication duration to maximum five years
Competent authorities must ensure that publications of administrative penalties remain on their official website only fo
Article 55. Professional secrecy
1 obligation
Chapter VIII — Delegated Acts
Article 57. Exercise of the delegation
1 obligation
Chapter IX — Transitional and Final Provisions
Article 58. Review clause
4 obligations
EU-DORA-58-02
Requirement
ESAs and ESRB consultation participation for 2028 review
ESAs and ESRB must participate in consultations with the Commission regarding the comprehensive review of DORA provision
EU-DORA-58-04
Requirement
Commission consultation with ESAs, ECB and ESRB for payment systems proposal
If submitting a legislative proposal regarding payment systems and payment-processing activities oversight, the Commissi
EU-DORA-58-05
Requirement
ESAs, ECB and ESRB consultation participation for payment systems review
ESAs, ECB and ESRB must participate in consultations with the Commission regarding potential legislative proposals on pa
EU-DORA-58-07
Requirement
ESAs and auditing oversight bodies consultation for auditor review
ESAs and the Committee of European Auditing Oversight Bodies must participate in consultations with the Commission regar
Article 59. Amendments to Regulation (EC) No 1060/2009
4 obligations
EU-DORA-59-01
Requirement
Credit rating agencies must have effective ICT control and safeguard arrangements
Credit rating agencies shall have effective control and safeguard arrangements for managing ICT systems in accordance wi
EU-DORA-59-02
Requirement
Credit rating agencies must maintain sound administrative and accounting procedures
Credit rating agencies shall have sound administrative and accounting procedures as part of their operational requiremen
EU-DORA-59-03
Requirement
Credit rating agencies must establish internal control mechanisms
Credit rating agencies shall establish and maintain internal control mechanisms as required by the amended regulation.
EU-DORA-59-05
Requirement
Credit rating agencies must implement decision-making procedures and organisational structures
Credit rating agencies must implement and maintain decision-making procedures and organisational structures as required
Article 60. Amendments to Regulation (EU) No 648/2012
6 obligations
EU-DORA-60-01
Requirement
CCP ICT Systems Management Compliance
Central Counterparties (CCPs) must manage their ICT systems in accordance with Regulation (EU) 2022/2554 as part of main
EU-DORA-60-02
Requirement
CCP Organizational Structure Maintenance
Central Counterparties must maintain and operate an organisational structure that ensures continuity and orderly functio
EU-DORA-60-03
Requirement
CCP ICT Business Continuity Policy Implementation
Central Counterparties must establish, implement and maintain ICT business continuity policy and ICT response and recove
EU-DORA-60-04
Requirement
CCP Business Continuity Objective Achievement
Central Counterparties must ensure their business continuity policy and disaster recovery plan aims to preserve function
EU-DORA-60-06
Requirement
Trade Repository ICT Business Continuity Implementation
Trade repositories must establish, implement and maintain ICT business continuity policy and ICT response and recovery p
EU-DORA-60-07
Requirement
Trade Repository Business Continuity Objective Achievement
Trade repositories must ensure their business continuity policy and disaster recovery plan aims to maintain functions, e
Article 61. Amendments to Regulation (EU) No 909/2014
2 obligations
EU-DORA-61-02
Requirement
Business continuity and disaster recovery plan establishment
For services that it provides as well as for each securities settlement system that it operates, a CSD shall establish,
EU-DORA-61-03
Requirement
Transaction and position recovery capability
The disaster recovery plan shall provide for the recovery of all transactions and participants' positions at the time of
Article 62. Amendments to Regulation (EU) No 600/2014
3 obligations
EU-DORA-62-01
Requirement
APA compliance with DORA security requirements
Approved Publication Arrangements (APAs) must comply with all requirements concerning the security of network and inform
EU-DORA-62-02
Requirement
CTP compliance with DORA security requirements
Consolidated Tape Providers (CTPs) must comply with all requirements concerning the security of network and information
EU-DORA-62-03
Requirement
ARM compliance with DORA security requirements
Approved Reporting Mechanisms (ARMs) must comply with all requirements concerning the security of network and informatio
Article 63. Amendment to Regulation (EU) 2016/1011
3 obligations
EU-DORA-63-01
Requirement
Sound Administrative and Accounting Procedures for Critical Benchmarks
Administrators of critical benchmarks must establish and maintain sound administrative and accounting procedures as part
EU-DORA-63-02
Requirement
Internal Control Mechanisms for Critical Benchmarks
Administrators of critical benchmarks must implement internal control mechanisms to ensure proper governance and oversig
EU-DORA-63-04
Requirement
ICT Systems Control and Safeguard Arrangements for Critical Benchmarks
Administrators of critical benchmarks must implement effective control and safeguard arrangements for managing ICT syste