icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Digital Operational Resilience Act (DORA) / Regulation on digital operational resilience for the financial sector)RecitalsChapter I General provisions (arts. 1-4)Article 1 Subject matterArticle 2 ScopeArticle 3 DefinitionsArticle 4 Proportionality principleChapter II ICT risk management (arts. 5-16)Section I (art. 5)Article 5 Governance and organisationSection II (arts. 6-16)Article 6 ICT risk management frameworkArticle 7 ICT systems, protocols and toolsArticle 8 IdentificationArticle 9 Protection and preventionArticle 10 DetectionArticle 11 Response and recoveryArticle 12 Backup policies and procedures, restoration and recovery procedures and methodsArticle 13 Learning and evolvingArticle 14 CommunicationArticle 15 Further harmonisation of ICT risk management tools, methods, processes and policiesArticle 16 Simplified ICT risk management frameworkChapter III ICT-related incident management, classification and reporting (arts. 17-23)Article 17 ICT-related incident management processArticle 18 Classification of ICT-related incidents and cyber threatsArticle 19 Reporting of major ICT-related incidents and voluntary notification of significant cyber threatsArticle 20 Harmonisation of reporting content and templatesArticle 21 Centralisation of reporting of major ICT-related incidentsArticle 22 Supervisory feedbackArticle 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutionsChapter IV Digital operational resilience testing (arts. 24-27)Article 24 General requirements for the performance of digital operational resilience testingArticle 25 Testing of ICT tools and systemsArticle 26 Advanced testing of ICT tools, systems and processes based on TLPTArticle 27 Requirements for testers for the carrying out of TLPTChapter V Managing of ICT third-party risk (arts. 28-44)Section I Key principles for a sound management of ICT third-party risk (arts. 28-30)Article 28 General principlesArticle 29 Preliminary assessment of ICT concentration risk at entity levelArticle 30 Key contractual provisionsSection II Oversight Framework of critical ICT third-party service providers (arts. 31-44)Article 31 Designation of critical ICT third-party service providersArticle 32 Structure of the Oversight FrameworkArticle 33 Tasks of the Lead OverseerArticle 34 Operational coordination between Lead OverseersArticle 35 Powers of the Lead OverseerArticle 36 Exercise of the powers of the Lead Overseer outside the UnionArticle 37 Request for informationArticle 38 General investigationsArticle 39 InspectionsArticle 40 Ongoing oversightArticle 41 Harmonisation of conditions enabling the conduct of the oversight activitiesArticle 42 Follow-up by competent authoritiesArticle 43 Oversight feesArticle 44 International cooperationChapter VI Information-sharing arrangements (art. 45)Article 45 Information-sharing arrangements on cyber threat information and intelligenceChapter VII Competent authorities (arts. 46-56)Article 46 Competent authoritiesArticle 47 Cooperation with structures and authorities established by Directive (EU) 2022/2555Article 48 Cooperation between authoritiesArticle 49 Financial cross-sector exercises, communication and cooperationArticle 50 Administrative penalties and remedial measuresArticle 51 Exercise of the power to impose administrative penalties and remedial measuresArticle 52 Criminal penaltiesArticle 53 Notification dutiesArticle 54 Publication of administrative penaltiesArticle 55 Professional secrecyArticle 56 Data ProtectionChapter VIII Delegated acts (art. 57)Article 57 Exercise of the delegationChapter IX Transitional and final provisions (arts. 58-64)Section I (art. 58)Article 58 Review clauseSection II  Amendments (arts. 59-64)Article 59 Amendments to Regulation (EC) No 1060/2009Article 60 Amendments to Regulation (EU) No 648/2012Article 61 Amendments to Regulation (EU) No 909/2014Article 62 Amendments to Regulation (EU) No 600/2014Article 63 Amendment to Regulation (EU) 2016/1011Article 64 Entry into force and applicationDone at
Related
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2 
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Recently generated comparisons
None generated
Print / Export options
Whole document
Selected pages
Consolidated PDF of the entire document as of 18th April 2026
Original PDF
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This document
Manage bookmarks
Search within this document
View previous searches
Share
Original source link (1)
Original source link (2)
Get page link
Share via email application

AI Summary of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Digital Operational Resilience Act (DORA) / Regulation on digital operational resilience for the financial sector)

The Regulation (EU) 2022/2554 establishes a comprehensive framework for enhancing digital operational resilience within the financial sector across Europe. It outlines uniform requirements that financial entities must adhere to, encompassing ICT risk management, incident reporting, and the testing of digital operational resilience. Notably, the Regulation mandates that financial entities should carry out robust governance and ensure continuous monitoring of ICT systems, while also requiring cooperation with ICT third-party service providers. The emphasis is on maintaining high standards of service continuity and information security, addressing the interconnected risks that may arise from reliance on these providers.

Furthermore, the Regulation introduces a robust oversight framework for critical ICT third-party service providers, which includes requirements for designation and ongoing monitoring by designated authorities. The aim is to mitigate systemic risk within the financial systems, ensuring that all entities can adequately prepare for and respond to potential ICT-related incidents. This proactive approach is vital for maintaining trust and stability in the financial sector.

Next
Version status: Applicable | Document consolidation status: No known changes
Published date: 27 December 2022

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Digital Operational Resilience Act (DORA) / Regulation on digital operational resilience for the financial sector)

Future version Draft proposed change
Recitals
Chapter I General provisions (arts. 1-4)
Article 1 Subject matter
Article 2 Scope
Article 3 Definitions
Article 4 Proportionality principle
Chapter II ICT risk management (arts. 5-16)
Section I (art. 5)
Article 5 Governance and organisation
Section II (arts. 6-16)
Article 6 ICT risk management framework
Article 7 ICT systems, protocols and tools
Article 8 Identification
Article 9 Protection and prevention
Article 10 Detection
Article 11 Response and recovery
Article 12 Backup policies and procedures, restoration and recovery procedures and methods
Article 13 Learning and evolving
Article 14 Communication
Article 15 Further harmonisation of ICT risk management tools, methods, processes and policies
Article 16 Simplified ICT risk management framework
Chapter III ICT-related incident management, classification and reporting (arts. 17-23)
Article 17 ICT-related incident management process
Article 18 Classification of ICT-related incidents and cyber threats
Article 19 Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Article 20 Harmonisation of reporting content and templates
Article 21 Centralisation of reporting of major ICT-related incidents
Article 22 Supervisory feedback
Article 23 Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions
Chapter IV Digital operational resilience testing (arts. 24-27)
Article 24 General requirements for the performance of digital operational resilience testing
Article 25 Testing of ICT tools and systems
Article 26 Advanced testing of ICT tools, systems and processes based on TLPT
Article 27 Requirements for testers for the carrying out of TLPT
Chapter V Managing of ICT third-party risk (arts. 28-44)
Section I Key principles for a sound management of ICT third-party risk (arts. 28-30)
Article 28 General principles
Article 29 Preliminary assessment of ICT concentration risk at entity level
Article 30 Key contractual provisions
Section II Oversight Framework of critical ICT third-party service providers (arts. 31-44)
Article 31 Designation of critical ICT third-party service providers
Article 32 Structure of the Oversight Framework
Article 33 Tasks of the Lead Overseer
Article 34 Operational coordination between Lead Overseers
Article 35 Powers of the Lead Overseer
Article 36 Exercise of the powers of the Lead Overseer outside the Union
Article 37 Request for information
Article 38 General investigations
Article 39 Inspections
Article 40 Ongoing oversight
Article 41 Harmonisation of conditions enabling the conduct of the oversight activities
Article 42 Follow-up by competent authorities
Article 43 Oversight fees
Article 44 International cooperation
Chapter VI Information-sharing arrangements (art. 45)
Article 45 Information-sharing arrangements on cyber threat information and intelligence
Chapter VII Competent authorities (arts. 46-56)
Article 46 Competent authorities
Article 47 Cooperation with structures and authorities established by Directive (EU) 2022/2555
Article 48 Cooperation between authorities
Article 49 Financial cross-sector exercises, communication and cooperation
Article 50 Administrative penalties and remedial measures
Article 51 Exercise of the power to impose administrative penalties and remedial measures
Article 52 Criminal penalties
Article 53 Notification duties
Article 54 Publication of administrative penalties
Article 55 Professional secrecy
Article 56 Data Protection
Chapter VIII Delegated acts (art. 57)
Article 57 Exercise of the delegation
Chapter IX Transitional and final provisions (arts. 58-64)
Section I (art. 58)
Article 58 Review clause
Section II  Amendments (arts. 59-64)
Article 59 Amendments to Regulation (EC) No 1060/2009
Article 60 Amendments to Regulation (EU) No 648/2012
Article 61 Amendments to Regulation (EU) No 909/2014
Article 62 Amendments to Regulation (EU) No 600/2014
Article 63 Amendment to Regulation (EU) 2016/1011
Article 64 Entry into force and application
Done at
Next