DORA | Regulation 2022/2554 | judict

Updated 26/09/2023

Metadata

In force since 16/01/2023

Initial Legal Act

Level 2 legal acts in relation to DORA

Search for legal acts

Legislative procedure

Procedure 2020/0266/COD

Search within this legal act

German

Synchronised with EUR-Lex on 26/09/2023

DORA Tool Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)

CHAPTER I - General provisions (Article 1-4)Article 1 - Subject matter Article 2 - Scope Article 3 - Definitions Article 4 - Proportionality principle

CHAPTER II - ICT risk management (Article 5-16)

Section I (Article 5)Article 5 - Governance and organisation

Section II (Article 6-16)Article 6 - ICT risk management framework RTS Article 7 - ICT systems, protocols and tools Article 8 - Identification Article 9 - Protection and prevention Article 10 - Detection Article 11 - Response and recovery Article 12 - Backup policies and procedures, restoration and recovery procedures and methods Article 13 - Learning and evolving Article 14 - Communication Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies RTS Article 16 - Simplified ICT risk management framework RTS

CHAPTER III - ICT-related incident management, classification and reporting (Article 17-23)Article 17 - ICT-related incident management process Article 18 - Classification of ICT-related incidents and cyber threats RTS Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats RTS Article 20 - Harmonisation of reporting content and templates Article 21 - Centralisation of reporting of major ICT-related incidents Article 22 - Supervisory feedback Article 23 - Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

CHAPTER IV - Digital operational resilience testing (Article 24-27)Article 24 - General requirements for the performance of digital operational resilience testing Article 25 - Testing of ICT tools and systems Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT Article 27 - Requirements for testers for the carrying out of TLPT

CHAPTER V - Managing of ICT third-party risk (Article 28-44)

Section I - Key principles for a sound management of ICT third-party risk (Article 28-30)Article 28 - General principles ITSRTS Article 29 - Preliminary assessment of ICT concentration risk at entity level Article 30 - Key contractual provisions

Section II - Oversight Framework of critical ICT third-party service providers (Article 31-44)Article 31 - Designation of critical ICT third-party service providers Article 32 - Structure of the Oversight Framework Article 33 - Tasks of the Lead Overseer Article 34 - Operational coordination between Lead Overseers Article 35 - Powers of the Lead Overseer Article 36 - Exercise of the powers of the Lead Overseer outside the Union Article 37 - Request for information Article 38 - General investigations Article 39 - Inspections Article 40 - Ongoing oversight Article 41 - Harmonisation of conditions enabling the conduct of the oversight activities Article 42 - Follow-up by competent authorities Article 43 - Oversight fees Article 44 - International cooperation

CHAPTER VI - Information-sharing arrangements (Article 45)Article 45 - Information-sharing arrangements on cyber threat information and intelligence

CHAPTER VII - Competent authorities (Article 46-56)Article 46 - Competent authorities Article 47 - Cooperation with structures and authorities established by Directive (EU) 2022/2555 Article 48 - Cooperation between authorities Article 49 - Financial cross-sector exercises, communication and cooperation Article 50 - Administrative penalties and remedial measures Article 51 - Exercise of the power to impose administrative penalties and remedial measures Article 52 - Criminal penalties Article 53 - Notification duties Article 54 - Publication of administrative penalties Article 55 - Professional secrecy Article 56 - Data Protection

CHAPTER VIII - Delegated acts (Article 57)Article 57 - Exercise of the delegation

CHAPTER IX - Transitional and final provisions (Article 58-64)

Section I (Article 58)Article 58 - Review clause

Section II - Amendments (Article 59-64)Article 59 - Amendments to Regulation (EC) No 1060/2009 Article 60 - Amendments to Regulation (EU) No 648/2012 Article 61 - Amendments to Regulation (EU) No 909/2014 Article 62 - Amendments to Regulation (EU) No 600/2014 Article 63 - Amendment to Regulation (EU) 2016/1011 Article 64 - Entry into force and application

contact@judict.eu

© All rights reserved. Made with ❤️ in Berlin.

Regulation (EU) 575/2013 (CRR)Implementing Regulation (EU) 2021/451Implementing Regulation (EU) 2021/453Implementing Regulation (EU) 680/2014Implementing Regulation (EU) 2016/100

AboutHelp Center

Give Feedback

Legal Notice Privacy Notice

Subscribe to our newsletter

*Subscribe to our newsletter to receive updates,
offers, product information and custom content.