The DORA Regulation, article by article
Last updated: 2 authoritative sourcesDORA Auditor Editorial Team
DORA, Regulation (EU) 2022/2554, runs to 64 articles across nine chapters. Below are plain-English summaries of the articles that matter most for compliance, grouped by chapter and linked to the relevant pillar. Each summary links to the official text on EUR-Lex.
Chapter I, General provisions
- Art. 1Subject matterArticle 1 sets out that DORA lays down uniform requirements for the security of network and information systems supporting the business processes of financial entities, covering ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing..
- Art. 2ScopeArticle 2 lists the financial entities to which DORA applies, around 20 categories including credit institutions, payment and e-money institutions, investment firms, insurers, and crypto-asset service providers, and the ICT third-party service providers serving them.
- Art. 3DefinitionsArticle 3 defines the key terms used throughout DORA, including 'ICT risk', 'ICT-related incident', 'critical or important function', and, at Article 3(21), 'ICT third-party service provider'.
Chapter II, ICT risk management
- Art. 5Governance and organisationArticle 5 places ultimate responsibility for managing ICT risk on the management body of the financial entity.
- Art. 6ICT risk management frameworkArticle 6 requires each financial entity to maintain a sound, comprehensive, and well-documented ICT risk-management framework to identify, protect against, detect, respond to, and recover from ICT-related risk.
Chapter III, ICT-related incident management
- Art. 17ICT-related incident management processArticle 17 requires financial entities to define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents, and to record all incidents and significant cyber threats..
- Art. 18Classification of ICT-related incidents and cyber threatsArticle 18 requires entities to classify ICT-related incidents and determine their impact against criteria such as the number of clients affected, duration, geographical spread, data losses, and economic impact, determining whether an incident is 'major' and therefore reportable..
- Art. 19Reporting of major ICT-related incidentsArticle 19 requires financial entities to report major ICT-related incidents to the relevant competent authority through a harmonised process: an initial notification, an intermediate report, and a final report, on deadlines set in the technical standards..
- Art. 20Harmonisation of reporting content and templatesArticle 20 mandates the development of common reporting templates, forms, and procedures for major ICT-related incident reporting, delivered through regulatory and implementing technical standards developed by the European Supervisory Authorities..
Chapter IV, Digital operational resilience testing
- Art. 24General requirements for resilience testingArticle 24 requires financial entities to establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework, proportionate to size and risk profile..
- Art. 25Testing of ICT tools and systemsArticle 25 sets out the range of tests entities must apply, from vulnerability assessments and scans to scenario-based and penetration testing, with critical ICT systems tested at least yearly..
- Art. 26Advanced testing based on threat-led penetration testing (TLPT)Article 26 requires financial entities identified as significant to carry out threat-led penetration testing (TLPT) at least every three years, testing live production systems and covering critical or important functions, aligned to the TIBER-EU framework..
- Art. 27Requirements for testers for TLPTArticle 27 sets requirements for the internal or external testers who conduct TLPT, covering suitability, reputation, technical capabilities, and, where external, professional indemnity insurance..
Chapter V, Managing of ICT third-party risk
- Art. 28General principles for sound management of ICT third-party riskArticle 28 sets the general principles for managing ICT third-party risk, requiring entities to manage it as an integral part of the ICT risk framework and to maintain a register of information on all contractual arrangements for the use of ICT services..
- Art. 29Preliminary assessment of ICT concentration riskArticle 29 requires entities to assess ICT concentration risk before entering contractual arrangements, including where a provider is not easily substitutable, or where multiple arrangements exist with the same or connected providers..
- Art. 30Key contractual provisionsArticle 30 specifies the mandatory contractual provisions for ICT service arrangements, including clear service descriptions, data location, access and audit rights, security requirements, sub-outsourcing conditions, and exit strategies..
- Art. 31Designation of critical ICT third-party service providersArticle 31 establishes the criteria and process for designating critical ICT third-party service providers, based on systemic impact, importance of the financial entities relying on them, and substitutability, bringing them under the EU oversight framework..
- Art. 32Structure of the Oversight FrameworkArticle 32 establishes the structure of the oversight framework for critical ICT third-party providers, including the Lead Overseer role and the joint oversight arrangements among the European Supervisory Authorities..
- Art. 33Tasks of the Lead OverseerArticle 33 sets out the tasks of the Lead Overseer, including assessing whether each critical provider has comprehensive, sound, and effective rules and controls to manage the ICT risk it may pose to financial entities..
- Art. 35Powers of the Lead OverseerArticle 35 grants the Lead Overseer powers over critical ICT third-party providers, including requesting information, conducting investigations and inspections, issuing recommendations, and imposing periodic penalty payments of up to 1% of average daily worldwide turnover..
Chapter VI, Information-sharing arrangements
Read the full consolidated text on EUR-Lex. These summaries are editorial and do not substitute for the regulation.