English EN

All Tools

Updated 11/05/2025

Metadata

In force since 16/01/2023

Initial Legal Act

Level 2 legal acts in relation to DORA

Search for legal acts

Legislative procedure

Procedure 2020/0266/COD

Search within this legal act

Synchronised with EUR-Lex on 11/05/2025

DORA Tool Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance)

CHAPTER I - General provisions (Article 1-4)Article 1 - Subject matter Q&A Article 2 - Scope Q&A Article 3 - Definitions Q&A Article 4 - Proportionality principle

CHAPTER II - ICT risk management (Article 5-16)

Section I (Article 5)Article 5 - Governance and organisation Q&A

Section II (Article 6-16)Article 6 - ICT risk management framework RTSQ&A Article 7 - ICT systems, protocols and tools Q&A Article 8 - Identification Q&A Article 9 - Protection and prevention RTSQ&A Article 10 - Detection RTSQ&A Article 11 - Response and recovery RTSQ&AGL Article 12 - Backup policies and procedures, restoration and recovery procedures and methods Q&A Article 13 - Learning and evolving Q&A Article 14 - Communication RTSQ&A Article 15 - Further harmonisation of ICT risk management tools, methods, processes and policies RTSQ&A Article 16 - Simplified ICT risk management framework RTSQ&AGL

CHAPTER III - ICT-related incident management, classification and reporting (Article 17-23)Article 17 - ICT-related incident management process Article 18 - Classification of ICT-related incidents and cyber threats RTSQ&A Article 19 - Reporting of major ICT-related incidents and voluntary notification of significant cyber threats ITSRTSQ&A Article 20 - Harmonisation of reporting content and templates ITSRTS Article 21 - Centralisation of reporting of major ICT-related incidents Q&A Article 22 - Supervisory feedback Q&A Article 23 - Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

CHAPTER IV - Digital operational resilience testing (Article 24-27)Article 24 - General requirements for the performance of digital operational resilience testing Q&A Article 25 - Testing of ICT tools and systems Q&A Article 26 - Advanced testing of ICT tools, systems and processes based on TLPT RTSQ&A Article 27 - Requirements for testers for the carrying out of TLPT Q&A

CHAPTER V - Managing of ICT third-party risk (Article 28-44)

Section I - Key principles for a sound management of ICT third-party risk (Article 28-30)Article 28 - General principles ITSRTSQ&A Article 29 - Preliminary assessment of ICT concentration risk at entity level Q&A Article 30 - Key contractual provisions RTSQ&A

Section II - Oversight Framework of critical ICT third-party service providers (Article 31-44)Article 31 - Designation of critical ICT third-party service providers RTSDAQ&AGL Article 32 - Structure of the Oversight Framework Q&AGL Article 33 - Tasks of the Lead Overseer Q&A Article 34 - Operational coordination between Lead Overseers Q&A Article 35 - Powers of the Lead Overseer RTSQ&AGL Article 36 - Exercise of the powers of the Lead Overseer outside the Union Q&AGL Article 37 - Request for information Q&A Article 38 - General investigations Q&AGL Article 39 - Inspections Q&AGL Article 40 - Ongoing oversight RTSQ&AGL Article 41 - Harmonisation of conditions enabling the conduct of the oversight activities RTSQ&A Article 42 - Follow-up by competent authorities RTSQ&AGL Article 43 - Oversight fees DAQ&A Article 44 - International cooperation Q&A

CHAPTER VI - Information-sharing arrangements (Article 45)Article 45 - Information-sharing arrangements on cyber threat information and intelligence Q&A

CHAPTER VII - Competent authorities (Article 46-56)Article 46 - Competent authorities Article 47 - Cooperation with structures and authorities established by Directive (EU) 2022/2555 Article 48 - Cooperation between authorities Article 49 - Financial cross-sector exercises, communication and cooperation Q&A Article 50 - Administrative penalties and remedial measures Article 51 - Exercise of the power to impose administrative penalties and remedial measures Article 52 - Criminal penalties Article 53 - Notification duties Article 54 - Publication of administrative penalties Q&A Article 55 - Professional secrecy Article 56 - Data Protection

CHAPTER VIII - Delegated acts (Article 57)Article 57 - Exercise of the delegation

CHAPTER IX - Transitional and final provisions (Article 58-64)

Section I (Article 58)Article 58 - Review clause

Section II - Amendments (Article 59-64)Article 59 - Amendments to Regulation (EC) No 1060/2009 Article 60 - Amendments to Regulation (EU) No 648/2012 Article 61 - Amendments to Regulation (EU) No 909/2014 Article 62 - Amendments to Regulation (EU) No 600/2014 Article 63 - Amendment to Regulation (EU) 2016/1011 Q&A Article 64 - Entry into force and application Q&A

contact@judict.eu

© All rights reserved. Made with

❤️

in Berlin.

About FAQ Give Feedback Privacy Notice Legal Notice

Subscribe to our newsletter

*Subscribe to our newsletter to receive updates,
offers, product information and custom content.