DORA
Digital Operational Resilience Act (EU 2022/2554)
The EU regulation harmonising digital operational resilience for the financial sector. It mandates an ICT risk-management framework, incident management and reporting, resilience testing, and oversight of ICT third-party risk.
Who it applies to
Financial entities in the EU — banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and more — and the critical ICT third-party providers that serve them.
Chapter II — ICT risk management
- Art. 6 ICT risk management framework (16 mapped)
  Maintain a sound, comprehensive and well-documented ICT risk-management framework as part of the overall risk-management system.
- Art. 9 Protection and prevention (27 mapped)
  Implement policies and tools to protect ICT systems, including access control and cryptographic protection of data at rest, in use and in transit.
- Art. 10 Detection (9 mapped)
  Deploy mechanisms to promptly detect anomalous activities, ICT incidents and potential single points of failure.
- Art. 12 Backup policies and recovery procedures (6 mapped)
  Establish backup policies and restoration and recovery procedures, with redundancy sufficient to ensure continuity.
Chapter III — ICT incidents
- Art. 17 ICT-related incident management process (10 mapped)
  Define and implement a process to detect, manage, log and classify ICT-related incidents.
- Art. 19 Reporting of major ICT-related incidents (10 mapped)
  Report major ICT-related incidents to the relevant competent authority within the defined timelines.