Digital Operational Resilience Act (DORA)

Welcome to digital-operational-resilience.net. Here you will find Regulation (EU) 2022/2554 on digital operational resilience in the financial sector, also known as the "Digital Operational Resilience Act (DORA)", presented in a clear and concise manner. The current version includes the text originally published in the Official Journal of the European Union. All articles of the Regulation on digital operational resilience in the financial sector are linked to the relevant recitals.

"Digital operational resilience" refers to the ability of a financial institution to establish, maintain, and verify its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by third-party ICT providers, the full range of ICT-related capabilities required to guarantee the security of the network and information systems used by a financial institution and to support the continuous delivery and quality of financial services, including during disruptions.

Chapters of the Digital Operational Resilience Act (DORA)

CHAPTER I - General provisions
CHAPTER II - ICT risk management
CHAPTER III - ICT-related incident management, classification and reporting
CHAPTER IV - Digital operational resilience testing
CHAPTER V - Managing of ICT third-party risk
CHAPTER VI - Information-sharing arrangements
CHAPTER VII - Competent authorities
CHAPTER VIII - Delegated acts
CHAPTER IX - Transitional and final provisions

Articles of the Digital Operational Resilience Act (DORA)

CHAPTER I - General provisions
Article 1 DORA – Subject matter
Article 2 DORA – Scope
Article 3 DORA – Definitions
Article 4 DORA – Proportionality principle
CHAPTER II - ICT risk management
Section I
Article 5 DORA – Governance and organisation
Section II
Article 6 DORA – ICT risk management framework
Article 7 DORA – ICT systems, protocols and tools
Article 8 DORA – Identification
Article 9 DORA – Protection and prevention
Article 10 DORA – Detection
Article 11 DORA – Response and recovery
Article 12 DORA – Backup policies and procedures, restoration and recovery procedures and methods
Article 13 DORA – Learning and evolving
Article 14 DORA – Communication
Article 15 DORA – Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 DORA – Simplified ICT risk management framework
CHAPTER III - ICT-related incident management, classification and reporting
Article 17 DORA – ICT-related incident management process
Article 18 DORA – Classification of ICT-related incidents and cyber threats
Article 19 DORA – Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 DORA – Harmonisation of reporting content and templates
Article 21 DORA – Centralisation of reporting of major ICT-related incidents
Article 22 DORA – Supervisory feedback
Article 23 DORA – Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
CHAPTER IV - Digital operational resilience testing
Article 24 DORA – General requirements for the performance of digital operational resilience testing
Article 25 DORA – Testing of ICT tools and systems
Article 26 DORA – Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 DORA – Requirements for testers for the carrying out of TLPT
CHAPTER V - Managing of ICT third-party risk
Section I - Key principles for a sound management of ICT third-party risk
Article 28 DORA – General principles
Article 29 DORA – Preliminary assessment of ICT concentration risk at entity level
Article 30 DORA – Key contractual provisions
Section II - Oversight Framework of critical ICT third-party service providers
Article 31 DORA – Designation of critical ICT third-party service providers
Article 32 DORA – Structure of the Oversight Framework
Article 33 DORA – Tasks of the Lead Overseer
Article 34 DORA – Operational coordination between Lead Overseers
Article 35 DORA – Powers of the Lead Overseer
Article 36 DORA – Exercise of the powers of the Lead Overseer outside the Union
Article 37 DORA – Request for information
Article 38 DORA – General investigations
Article 39 DORA – Inspections
Article 40 DORA – Ongoing oversight
Article 41 DORA – Harmonisation of conditions enabling the conduct of the oversight activities
Article 42 DORA – Follow-up by competent authorities
Article 43 DORA – Oversight fees
Article 44 DORA – International cooperation
CHAPTER VI - Information-sharing arrangements
Article 45 DORA – Information-sharing arrangements on cyber threat information and intelligence
CHAPTER VII - Competent authorities
Article 46 DORA – Competent authorities
Article 47 DORA – Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 48 DORA – Cooperation between authorities
Article 49 DORA – Financial cross-sector exercises, communication and cooperation
Article 50 DORA – Administrative penalties and remedial measures
Article 51 DORA – Exercise of the power to impose administrative penalties and remedial measures
Article 52 DORA – Criminal penalties
Article 53 DORA – Notification duties
Article 54 DORA – Publication of administrative penalties
Article 55 DORA – Professional secrecy
Article 56 DORA – Data protection
CHAPTER VIII - Delegated acts
Article 57 DORA – Exercise of the delegation
CHAPTER IX - Transitional and final provisions
Section I
Article 58 DORA – Review clause
Section II - Amendments
Article 59 DORA – Amendments to Regulation (EC) No 1060/2009
Article 60 DORA – Amendments to Regulation (EU) No 648/2012
Article 61 DORA – Amendments to Regulation (EU) No 909/2014
Article 62 DORA – Amendments to Regulation (EU) No 600/2014
Article 63 DORA – Amendment to Regulation (EU) 2016/1011
Article 64 DORA – Entry into force and application