DORA Digital operational resilience act
Welcome to dora-info.eu. This is a web version of the original legal text of the Digital Operational Resilience Act (DORA) regulation from EUR-Lex.
The regulation will apply from 17 January 2025 for relevant financial entities and ICT third-party service providers.
This text is provided as-is and should not be relied upon as an authoritative source. Instead, consult the Official Journal of the European Union.
We will continue to improve these web pages to increase legibility and make navigation more efficient. Follow us on LinkedIn to get notified when we release new features. If you have questions or suggestions, reach out to dora@springflod.se.
Table of Contents
Preamble
Recitals 1 – 106
Chapter I: General provisions
Article 1: Subject matter
Article 2: Scope
Article 3: Definitions
Article 4: Proportionality principle
Chapter II: ICT risk management
Section I
Article 5: Governance and organisation
Section II
Article 6: ICT risk management framework
Article 7: ICT systems, protocols and tools
Article 8: Identification
Article 9: Protection and prevention
Article 10: Detection
Article 11: Response and recovery
Article 12: Backup policies and procedures, restoration and recovery procedures and methods
Article 13: Learning and evolving
Article 14: Communication
Article 15: Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16: Simplified ICT risk management framework
Chapter III: ICT-related incident management, classification and reporting
Article 17: ICT-related incident management process
Article 18: Classification of ICT-related incidents and cyber threats
Article 19: Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20: Harmonisation of reporting content and templates
Article 21: Centralisation of reporting of major ICT-related incidents
Article 22: Supervisory feedback
Article 23: Operational or security payment-related incidents concerning credit institutions, payment institutions
Chapter IV: Digital operational resilience testing
Article 24: General requirements for the performance of digital operational resilience testing
Article 25: Testing of ICT tools and systems
Article 26: Advanced testing of ICT tools, systems and processes based on TLPT
Article 27: Requirements for testers for the carrying out of TLPT
Chapter V: Managing of ICT third-party risk
Section I: Key principles for a sound management of ICT third-party risk
Article 28: General principles
Article 29: Preliminary assessment of ICT concentration risk at entity level
Article 30: Key contractual provisions
Section II: Oversight framework of critical ICT third-party service providers
Article 31: Designation of critical ICT third-party service providers
Article 32: Structure of the Oversight Framework
Article 33: Tasks of the Lead Overseer
Article 34: Operational coordination between Lead Overseers
Article 35: Powers of the Lead Overseer
Article 36: Exercise of the powers of the Lead Overseer outside the Union
Article 37: Request for information
Article 38: General investigations
Article 39: Inspections
Article 40: Ongoing oversight
Article 41: Harmonisation of conditions enabling the conduct of the oversight activities
Article 42: Follow-up by competent authorities
Article 43: Oversight fees
Article 44: International cooperation
Chapter VI: Information-sharing arrangements
Article 45: Information-sharing arrangements on cyber threat information and intelligence
Chapter VII: Competent authorities
Article 46: Competent authorities
Article 47: Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 48: Cooperation between authorities
Article 49: Financial cross-sector exercises, communication and cooperation
Article 50: Administrative penalties and remedial measures
Article 51: Exercise of the power to impose administrative penalties and remedial measures
Article 52: Criminal penalties
Article 53: Notification duties
Article 54: Publication of administrative penalties
Article 55: Professional secrecy
Article 56: Data Protection
Chapter VIII: Delegated acts
Article 57: Exercise of the delegation
Chapter IX: Transitional and final provisions
Section I
Article 58: Review clause
Section II: Amendments
Article 59: Amendments to Regulation (EC) No 1060/2009
Article 60: Amendments to Regulation (EU) No 648/2012
Article 61: Amendments to Regulation (EU) No 909/2014
Article 62: Amendments to Regulation (EU) No 600/2014
Article 63: Amendment to Regulation (EU) 2016/1011
Article 64: Entry into force and application