EU-DORA
Regulation (EU) 2022/2554 — Digital Operational Resilience Act
- Ch. I — General Provisions
- Art. 1. Subject matter (8)
- Art. 2. Scope (4)
- Art. 3. Definitions ref
- Art. 4. Proportionality principle (3)
- Ch. II — ICT Risk Management
- Art. 5. Governance and organisation (37)
- Art. 6. ICT risk management framework (23)
- Art. 7. ICT systems, protocols and tools (4)
- Art. 8. Identification (10)
- Art. 9. Protection and prevention (17)
- Art. 10. Detection (7)
- Art. 11. Response and recovery (23)
- Art. 12. Backup policies and procedures, restoration and recovery procedures and methods (19)
- Art. 13. Learning and evolving (16)
- Art. 14. Communication (4)
- Art. 15. Further harmonisation of ICT risk management tools, methods, processes and policies (10)
- Art. 16. Simplified ICT risk management framework (13)
- Ch. III — ICT-Related Incident Management, Classification and Reporting
- Art. 17. ICT-related incident management process (9)
- Art. 18. Classification of ICT-related incidents and cyber threats (7)
- Art. 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats (18)
- Art. 20. Harmonisation of reporting content and templates (7)
- Art. 21. Centralisation of reporting of major ICT-related incidents (9)
- Art. 22. Supervisory feedback (6)
- Art. 23. Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions (2)
- Ch. IV — Digital Operational Resilience Testing
- Art. 24. General requirements for the performance of digital operational resilience testing (8)
- Art. 25. Testing of ICT tools and systems (3)
- Art. 26. Advanced testing of ICT tools, systems and processes based on TLPT (14)
- Art. 27. Requirements for testers for the carrying out of TLPT (9)
- Ch. V — Managing ICT Third-Party Risk
- Art. 28. General principles (26)
- Art. 29. Preliminary assessment of ICT concentration risk at entity level (7)
- Art. 30. Key contractual provisions (24)
- Art. 31. Designation of critical ICT third-party service providers (16)
- Art. 32. Structure of the Oversight Framework (11)
- Art. 33. Tasks of the Lead Overseer (18)
- Art. 34. Operational coordination between Lead Overseers (4)
- Art. 35. Powers of the Lead Overseer (19)
- Art. 36. Exercise of the powers of the Lead Overseer outside the Union (15)
- Art. 37. Request for information (15)
- Art. 38. General investigations (10)
- Art. 39. Inspections (8)
- Art. 40. Ongoing oversight (7)
- Art. 41. Harmonisation of conditions enabling the conduct of the oversight activities (5)
- Art. 42. Follow-up by competent authorities (14)
- Art. 43. Oversight fees (3)
- Art. 44. International cooperation (2)
- Ch. VI — Information-Sharing Arrangements
- Art. 45. Information-sharing arrangements on cyber threat information and intelligence (3)
- Ch. VII — Competent Authorities
- Art. 46. Competent authorities (17)
- Art. 47. Cooperation with structures and authorities established by Directive (EU) 2022/2555 (7)
- Art. 48. Cooperation between authorities (2)
- Art. 49. Financial cross-sector exercises, communication and cooperation (5)
- Art. 50. Administrative penalties and remedial measures (14)
- Art. 51. Exercise of the power to impose administrative penalties and remedial measures (9)
- Art. 52. Criminal penalties (2)
- Art. 53. Notification duties (2)
- Art. 54. Publication of administrative penalties (8)
- Art. 55. Professional secrecy (4)
- Art. 56. Data Protection (3)
- Ch. VIII — Delegated Acts
- Art. 57. Exercise of the delegation (3)
- Ch. IX — Transitional and Final Provisions
- Art. 58. Review clause (7)
- Art. 59. Amendments to Regulation (EC) No 1060/2009 (5)
- Art. 60. Amendments to Regulation (EU) No 648/2012 (7)
- Art. 61. Amendments to Regulation (EU) No 909/2014 (6)
- Art. 62. Amendments to Regulation (EU) No 600/2014 (3)
- Art. 63. Amendment to Regulation (EU) 2016/1011 (4)
- Art. 64. Entry into force and application (1)
Risk Management Obligations
51 obligations
Chapter I — General Provisions
Article 1. Subject matter
2 obligations
EU-DORA-1-01
Risk Management
Implement ICT risk management requirements
Financial entities must implement and maintain information and communication technology (ICT) risk management systems an
EU-DORA-1-06
Risk Management
Implement sound management of ICT third-party risk
Financial entities must implement measures for the sound management of ICT third-party risk in accordance with this Regu
Chapter II — ICT Risk Management
Article 5. Governance and organisation
1 obligation
Article 6. ICT risk management framework
3 obligations
EU-DORA-6-01
Risk Management
Establish comprehensive ICT risk management framework
Financial entities must have a sound, comprehensive and well-documented ICT risk management framework as part of their o
EU-DORA-6-03
Risk Management
Deploy appropriate ICT risk mitigation measures
Financial entities must minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT p
EU-DORA-6-16
Risk Management
Establish ICT risk tolerance level and analyze impact tolerance
The digital operational resilience strategy must establish the risk tolerance level for ICT risk in accordance with the
Article 8. Identification
4 obligations
EU-DORA-8-03
Risk Management
Continuously identify all sources of ICT risk
Financial entities must continuously identify all sources of ICT risk, particularly the risk exposure to and from other
EU-DORA-8-04
Risk Management
Review risk scenarios annually
Financial entities must review on a regular basis, and at least yearly, the risk scenarios impacting them.
EU-DORA-8-05
Risk Management
Perform risk assessment upon major changes (non-microenterprises)
Financial entities other than microenterprises must perform a risk assessment upon each major change in the network and
EU-DORA-8-10
Risk Management
Conduct annual ICT risk assessment on legacy systems (non-microenterprises)
Financial entities other than microenterprises must conduct on a regular basis, and at least yearly, a specific ICT risk
Article 9. Protection and prevention
2 obligations
EU-DORA-9-02
Risk Management
Minimize ICT risk impact through deployment of security measures
Financial entities must minimize the impact of ICT risk on ICT systems through the deployment of appropriate ICT securit
EU-DORA-9-07
Risk Management
Minimize risk of data corruption, loss, unauthorized access and technical flaws
Financial entities must minimize the risk of corruption or loss of data, unauthorized access and technical flaws that ma
Article 13. Learning and evolving
2 obligations
EU-DORA-13-08
Risk Management
Incorporate Lessons into ICT Risk Assessment Process
Financial entities must continuously incorporate lessons derived from digital operational resilience testing (Articles 2
EU-DORA-13-09
Risk Management
Review ICT Risk Management Framework Components
Financial entities must use findings from lessons learned to form the basis for appropriate reviews of relevant componen
Article 16. Simplified ICT risk management framework
5 obligations
EU-DORA-16-01
Risk Management
Implement documented ICT risk management framework
Put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures
EU-DORA-16-03
Risk Management
Minimize ICT risk through sound, resilient systems
Minimize the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which a
EU-DORA-16-04
Risk Management
Enable prompt identification and handling of ICT risks and incidents
Allow sources of ICT risk and anomalies in the network and information systems to be promptly identified and detected an
EU-DORA-16-05
Risk Management
Identify key ICT third-party service provider dependencies
Identify key dependencies on ICT third-party service providers to understand and manage external risks.
EU-DORA-16-06
Risk Management
Ensure business continuity for critical or important functions
Ensure the continuity of critical or important functions, through business continuity plans and response and recovery me
Chapter III — ICT-Related Incident Management, Classification and Reporting
Article 19. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
1 obligation
Article 21. Centralisation of reporting of major ICT-related incidents
1 obligation
Article 22. Supervisory feedback
1 obligation
Chapter IV — Digital Operational Resilience Testing
Article 24. General requirements for the performance of digital operational resilience testing
1 obligation
Article 26. Advanced testing of ICT tools, systems and processes based on TLPT
1 obligation
Chapter V — Managing ICT Third-Party Risk
Article 28. General principles
4 obligations
EU-DORA-28-01
Risk Management
Manage ICT third-party risk as integral component of ICT risk management
Financial entities must manage ICT third-party risk as an integral component of ICT risk within their ICT risk managemen
EU-DORA-28-03
Risk Management
Implement ICT third-party risk management proportionally
Financial entities must implement ICT third-party risk management in accordance with the principle of proportionality, c
EU-DORA-28-14
Risk Management
Identify and assess all relevant risks including concentration risk
Before entering into contractual arrangements for ICT services, financial entities must identify and assess all relevant
EU-DORA-28-16
Risk Management
Identify and assess conflicts of interest from contractual arrangement
Before entering into contractual arrangements for ICT services, financial entities must identify and assess conflicts of
Article 29. Preliminary assessment of ICT concentration risk at entity level
7 obligations
EU-DORA-29-01
Risk Management
Assess non-substitutable ICT provider risk
When performing identification and assessment of risks under Article 28(4)(c), financial entities must consider whether
EU-DORA-29-02
Risk Management
Assess concentration risk from multiple arrangements
When performing identification and assessment of risks under Article 28(4)(c), financial entities must consider whether
EU-DORA-29-03
Risk Management
Weigh benefits and costs of alternative solutions
Financial entities must weigh the benefits and costs of alternative solutions, such as using different ICT third-party s
EU-DORA-29-04
Risk Management
Assess subcontracting benefits and risks
Where contractual arrangements for ICT services supporting critical or important functions include the possibility that
EU-DORA-29-05
Risk Management
Consider insolvency law provisions and data recovery constraints
Where contractual arrangements concern ICT services supporting critical or important functions, financial entities must
EU-DORA-29-06
Risk Management
Consider data protection compliance and law enforcement for third country providers
Where contractual arrangements for ICT services supporting critical or important functions are concluded with an ICT thi
EU-DORA-29-07
Risk Management
Assess impact of subcontracting chains on monitoring and supervision
Where contractual arrangements for ICT services supporting critical or important functions provide for subcontracting, f
Article 30. Key contractual provisions
2 obligations
EU-DORA-30-13
Risk Management
Require business contingency plans and ICT security measures
For critical or important functions, contracts must require the ICT third-party service provider to implement and test b
EU-DORA-30-19
Risk Management
Establish exit strategies with mandatory transition period
For critical or important functions, contracts must include exit strategies with a mandatory adequate transition period
Article 33. Tasks of the Lead Overseer
8 obligations
EU-DORA-33-03
Risk Management
Assess risk management rules and procedures of critical ICT third-party providers
The Lead Overseer must assess whether each critical ICT third-party service provider has comprehensive, sound and effect
EU-DORA-33-04
Risk Management
Focus assessment on ICT services supporting critical or important functions
The assessment must primarily focus on ICT services provided by the critical ICT third-party service provider that suppo
EU-DORA-33-05
Risk Management
Extend assessment to non-critical functions when necessary
When necessary to address all relevant risks, the assessment must be extended to ICT services supporting functions other
EU-DORA-33-06
Risk Management
Assess ICT requirements for service security and quality
The assessment must cover ICT requirements to ensure security, availability, continuity, scalability and quality of serv
EU-DORA-33-07
Risk Management
Assess physical security measures
The assessment must cover physical security contributing to ICT security, including security of premises, facilities, an
EU-DORA-33-08
Risk Management
Assess risk management processes
The assessment must cover risk management processes, including ICT risk management policies, ICT business continuity pol
EU-DORA-33-09
Risk Management
Assess governance arrangements
The assessment must cover governance arrangements, including organizational structure with clear, transparent and consis
EU-DORA-33-12
Risk Management
Assess ICT systems testing
The assessment must cover the testing of ICT systems, infrastructure and controls.
Article 42. Follow-up by competent authorities
1 obligation
Chapter VI — Information-Sharing Arrangements
Chapter VII — Competent Authorities
Chapter VIII — Delegated Acts
Chapter IX — Transitional and Final Provisions
Article 59. Amendments to Regulation (EC) No 1060/2009
1 obligation
Article 60. Amendments to Regulation (EU) No 648/2012
1 obligation
Article 61. Amendments to Regulation (EU) No 909/2014
2 obligations
EU-DORA-61-01
Risk Management
ICT operational risk identification and minimization
A CSD shall identify sources of operational risk, both internal and external, and minimise their impact through deployme
EU-DORA-61-04
Risk Management
Third-party risk identification and management
A CSD shall identify, monitor and manage the risks that key participants in the securities settlement systems it operate
Article 63. Amendment to Regulation (EU) 2016/1011
1 obligation